summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2015-12-12 11:42:12 +0100
committerLudovic Courtès <ludo@gnu.org>2015-12-12 11:48:46 +0100
commite82e55e58c67b0215e768c4612ca542bc670f633 (patch)
tree856c4512fa1fbde59c1d9845c5a763ef8c4a14b4 /gnu/packages/patches
parent98bd851ee891ca4a84e061fe1e78ba78c292b096 (diff)
parente35dff973375266db253747140ddf25084ecddc2 (diff)
downloadguix-e82e55e58c67b0215e768c4612ca542bc670f633.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/bluez-tests.patch25
-rw-r--r--gnu/packages/patches/byobu-writable-status.patch13
-rw-r--r--gnu/packages/patches/dbus-helper-search-path.patch18
-rw-r--r--gnu/packages/patches/dbus-localstatedir.patch30
-rw-r--r--gnu/packages/patches/devil-fix-libpng.patch36
-rw-r--r--gnu/packages/patches/dico-libtool-deterministic.patch15
-rw-r--r--gnu/packages/patches/eudev-rules-directory.patch18
-rw-r--r--gnu/packages/patches/evilwm-lost-focus-bug.patch18
-rw-r--r--gnu/packages/patches/glib-tests-desktop.patch18
-rw-r--r--gnu/packages/patches/gsl-poly-test-fix-pt1.patch84
-rw-r--r--gnu/packages/patches/gsl-poly-test-fix-pt2.patch27
-rw-r--r--gnu/packages/patches/hwloc-gather-topology-lstopo.patch13
-rw-r--r--gnu/packages/patches/jasper-CVE-2008-3522.patch14
-rw-r--r--gnu/packages/patches/libdrm-symbol-check.patch195
-rw-r--r--gnu/packages/patches/librsvg-tests.patch27
-rw-r--r--gnu/packages/patches/libsndfile-CVE-2014-9496.patch55
-rw-r--r--gnu/packages/patches/libsndfile-CVE-2015-7805.patch95
-rw-r--r--gnu/packages/patches/libxslt-CVE-2015-7995.patch29
-rw-r--r--gnu/packages/patches/lua52-liblua-so.patch78
-rw-r--r--gnu/packages/patches/matplotlib-setupext-tk.patch34
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch569
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch65
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2696.patch736
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2697.patch55
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch43
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch132
-rw-r--r--gnu/packages/patches/mit-krb5-init-fix.patch18
-rw-r--r--gnu/packages/patches/mupen64plus-ui-console-notice.patch34
-rw-r--r--gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch37
-rw-r--r--gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch33
-rw-r--r--gnu/packages/patches/python-2-deterministic-build-info.patch17
-rw-r--r--gnu/packages/patches/python-2.7-source-date-epoch.patch33
-rw-r--r--gnu/packages/patches/python-3-deterministic-build-info.patch17
-rw-r--r--gnu/packages/patches/python-configobj-setuptools.patch30
-rw-r--r--gnu/packages/patches/scribus-qobject.patch17
-rw-r--r--gnu/packages/patches/synfig-build-fix.patch61
-rw-r--r--gnu/packages/patches/tcl-mkindex-deterministic.patch29
-rw-r--r--gnu/packages/patches/tinyxml-use-stl.patch41
-rw-r--r--gnu/packages/patches/tk-find-library.patch29
-rw-r--r--gnu/packages/patches/torsocks-dns-test.patch18
-rw-r--r--gnu/packages/patches/weechat-python.patch40
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch32
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch51
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch54
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch34
-rw-r--r--gnu/packages/patches/xfce4-session-fix-xflock4.patch31
46 files changed, 2843 insertions, 255 deletions
diff --git a/gnu/packages/patches/bluez-tests.patch b/gnu/packages/patches/bluez-tests.patch
new file mode 100644
index 0000000000..608ded9be2
--- /dev/null
+++ b/gnu/packages/patches/bluez-tests.patch
@@ -0,0 +1,25 @@
+From 484ad8c9263bb524051a999ce19a994960e69572 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@gmail.com>
+Date: Fri, 23 Oct 2015 20:48:57 +0800
+Subject: [PATCH] unit/test-gobex-header: Fix duplicate test names
+
+---
+ unit/test-gobex-header.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unit/test-gobex-header.c b/unit/test-gobex-header.c
+index 6f49312..8705892 100644
+--- a/unit/test-gobex-header.c
++++ b/unit/test-gobex-header.c
+@@ -554,7 +554,7 @@ int main(int argc, char *argv[])
+ 					test_header_encode_name_umlaut);
+ 	g_test_add_func("/gobex/test_header_encode_body",
+ 						test_header_encode_body);
+-	g_test_add_func("/gobex/test_header_encode_connid",
++	g_test_add_func("/gobex/test_header_encode_actionid",
+ 						test_header_encode_actionid);
+ 	g_test_add_func("/gobex/test_header_encode_apparam",
+ 						test_header_encode_apparam);
+-- 
+2.5.0
+
diff --git a/gnu/packages/patches/byobu-writable-status.patch b/gnu/packages/patches/byobu-writable-status.patch
new file mode 100644
index 0000000000..2858280273
--- /dev/null
+++ b/gnu/packages/patches/byobu-writable-status.patch
@@ -0,0 +1,13 @@
+Skeleton status files are installed read-only.  When copying to the config dir
+upon initialization, make sure they end up writable.
+
+--- byobu-5.98/usr/bin/byobu-janitor.in
++++ byobu-5.98/usr/bin/byobu-janitor.in
+@@ -82,6 +82,7 @@
+ 	if [ ! -r "$BYOBU_CONFIG_DIR/$f" ]; then
+ 		# Copy from skeleton, if possible
+ 		cp -f "$BYOBU_PREFIX/share/$PKG/status/$f" "$BYOBU_CONFIG_DIR/$f"
++		chmod +w "$BYOBU_CONFIG_DIR/$f"
+ 		# Enable ec2_cost, if we're in ec2 and seeding a new setup
+ 		if metadata_available; then
+ 			$BYOBU_SED_INLINE -e "s/#ec2_cost/ec2_cost/g" "$($BYOBU_READLINK -f $BYOBU_CONFIG_DIR/$f)"
diff --git a/gnu/packages/patches/dbus-helper-search-path.patch b/gnu/packages/patches/dbus-helper-search-path.patch
new file mode 100644
index 0000000000..30c142312b
--- /dev/null
+++ b/gnu/packages/patches/dbus-helper-search-path.patch
@@ -0,0 +1,18 @@
+The setuid helper of D-Bus is responsible for "service activation".
+It looks for '.service' files in fixed locations, but the default locations
+make no sense (see below), so replace them with /etc/dbus-1/system-services.
+
+--- dbus-1.10.0/dbus/dbus-sysdeps-util-unix.c	2015-10-22 00:07:03.829251854 +0200
++++ dbus-1.10.0/dbus/dbus-sysdeps-util-unix.c	2015-10-22 00:07:14.893445175 +0200
+@@ -1410,10 +1410,7 @@ _dbus_get_standard_system_servicedirs (D
+    * be available.
+    */
+   static const char standard_search_path[] =
+-    "/usr/local/share:"
+-    "/usr/share:"
+-    DBUS_DATADIR ":"
+-    "/lib";
++    "/etc";
+   DBusString servicedir_path;
+ 
+   _dbus_string_init_const (&servicedir_path, standard_search_path);
diff --git a/gnu/packages/patches/dbus-localstatedir.patch b/gnu/packages/patches/dbus-localstatedir.patch
deleted file mode 100644
index 61bed91b5c..0000000000
--- a/gnu/packages/patches/dbus-localstatedir.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Do not try to create $localstatedir and $sysconfdir since we cannot do this
-when they are /var and /etc.
-
---- dbus-1.6.4/bus/Makefile.in	2013-09-11 16:15:13.000000000 +0200
-+++ dbus-1.6.4/bus/Makefile.in	2013-09-11 16:15:15.000000000 +0200
-@@ -1510,9 +1510,6 @@ clean-local:
- 	/bin/rm *.bb *.bbg *.da *.gcov || true
- 
- install-data-hook:
--	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus
--	$(mkinstalldirs) $(DESTDIR)$(configdir)/system.d
--	$(mkinstalldirs) $(DESTDIR)$(configdir)/session.d
- 	$(mkinstalldirs) $(DESTDIR)$(datadir)/dbus-1/services
- 	$(mkinstalldirs) $(DESTDIR)$(datadir)/dbus-1/system-services
- # Install dbus.socket as default implementation of a D-Bus stack.
-
---- dbus-1.6.4/tools/Makefile.in	2013-09-11 16:10:31.000000000 +0200
-+++ dbus-1.6.4/tools/Makefile.in	2013-09-11 16:10:32.000000000 +0200
-@@ -757,11 +757,6 @@ uninstall-am: uninstall-binPROGRAMS
- 
- 
- # create the /var/lib/dbus directory for dbus-uuidgen
--install-data-local:
--	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/dbus
--
--installcheck-local:
--	test -d $(DESTDIR)$(localstatedir)/lib/dbus
- 
- # Tell versions [3.59,3.63) of GNU make to not export all variables.
- # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/gnu/packages/patches/devil-fix-libpng.patch b/gnu/packages/patches/devil-fix-libpng.patch
new file mode 100644
index 0000000000..a8e90333a3
--- /dev/null
+++ b/gnu/packages/patches/devil-fix-libpng.patch
@@ -0,0 +1,36 @@
+From 724194d7a9a91221a564579f64bdd6f0abd64219 Mon Sep 17 00:00:00 2001
+From: Noah Mayr <max96at@gmail.com>
+Date: Sun, 1 Mar 2015 10:10:56 +0100
+Subject: [PATCH] Fixed deprecated libpng API usage.
+
+---
+ src-IL/src/il_icon.c | 2 +-
+ src-IL/src/il_png.c  | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src-IL/src/il_icon.c b/src-IL/src/il_icon.c
+index 2ccb1a3..fd9475d 100644
+--- a/src-IL/src/il_icon.c
++++ b/src-IL/src/il_icon.c
+@@ -525,7 +525,7 @@ ILboolean ico_readpng_get_image(ICOIMAGE *Icon, ILdouble display_exponent)
+
+ 	// Expand low-bit-depth grayscale images to 8 bits
+ 	if (ico_color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) {
+-		png_set_gray_1_2_4_to_8(ico_png_ptr);
++		png_set_expand_gray_1_2_4_to_8(ico_png_ptr);
+ 	}
+
+ 	// Expand RGB images with transparency to full alpha channels
+diff --git a/src-IL/src/il_png.c b/src-IL/src/il_png.c
+index da9517d..2866508 100644
+--- a/src-IL/src/il_png.c
++++ b/src-IL/src/il_png.c
+@@ -277,7 +277,7 @@ ILboolean readpng_get_image(ILdouble display_exponent)
+
+ 	// Expand low-bit-depth grayscale images to 8 bits
+ 	if (png_color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) {
+-		png_set_gray_1_2_4_to_8(png_ptr);
++		png_set_expand_gray_1_2_4_to_8(png_ptr);
+ 	}
+
+ 	// Expand RGB images with transparency to full alpha channels
diff --git a/gnu/packages/patches/dico-libtool-deterministic.patch b/gnu/packages/patches/dico-libtool-deterministic.patch
new file mode 100644
index 0000000000..957fc79786
--- /dev/null
+++ b/gnu/packages/patches/dico-libtool-deterministic.patch
@@ -0,0 +1,15 @@
+Dico 2.2 uses an old Libtool (2.2.7a) that did not sort the output
+of 'find', thereby leading to non-deterministic file name ordering
+in the arguments passed to 'ar rcu' for libdico.a & co.
+
+--- dico-2.2/build-aux/ltmain.sh	1970-01-01 01:00:00.000000000 +0100
++++ dico-2.2/build-aux/ltmain.sh	2015-11-25 09:39:30.826169050 +0100
+@@ -2926,7 +2926,7 @@ func_extract_archives ()
+         func_extract_an_archive "$my_xdir" "$my_xabs"
+ 	;;
+       esac
+-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
++      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
+     done
+ 
+     func_extract_archives_result="$my_oldobjs"
diff --git a/gnu/packages/patches/eudev-rules-directory.patch b/gnu/packages/patches/eudev-rules-directory.patch
index 9173e22f76..54fc01c6d5 100644
--- a/gnu/packages/patches/eudev-rules-directory.patch
+++ b/gnu/packages/patches/eudev-rules-directory.patch
@@ -4,9 +4,9 @@ The old udev 182 supported $UDEV_CONFIG_FILE, which in turn allowed
 the search path to be customized, but eudev no longer has this, hence
 this hack.
 
---- eudev-1.9/src/udev/udev-rules.c	2014-09-13 10:21:59.615980259 +0200
-+++ eudev-1.9/src/udev/udev-rules.c	2014-09-13 10:24:13.839976335 +0200
-@@ -46,15 +46,11 @@
+--- eudev-3.1.5/src/udev/udev-rules.c	2015-10-13 06:22:14.000000000 +0800
++++ eudev-3.1.5/src/udev/udev-rules.c	2015-10-16 20:45:38.491934336 +0800
+@@ -47,15 +47,11 @@
          };
  };
  
@@ -14,23 +14,23 @@ this hack.
 +static const char* rules_dirs[] = {
          UDEV_CONF_DIR "/rules.d",
          UDEV_RULES_DIR,
--        "/run/udev/rules.d",
+-        UDEV_ROOT_RUN "/udev/rules.d",
          UDEV_LIBEXEC_DIR "/rules.d",
 -#ifdef HAVE_SPLIT_USR
 -        "/lib/udev/rules.d",
 -        "/usr/lib/udev/rules.d",
 -#endif
-+	NULL,			  /* placeholder for $EUDEV_RULES_DIRECTORY */
++        NULL,			/* placeholder for $EUDEV_RULES_DIRECTORY */
          NULL};
  
  struct udev_rules {
-@@ -1637,6 +1633,9 @@
+@@ -1704,6 +1700,9 @@
  
          udev_rules_check_timestamp(rules);
  
-+	/* Allow the user to specify an additional rules directory.  */
-+	rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY");
++        /* Allow the user to specify an additional rules directory.  */
++        rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY");
 +
          r = conf_files_list_strv(&files, ".rules", NULL, rules_dirs);
          if (r < 0) {
-                 log_error("failed to enumerate rules files: %s", strerror(-r));
+                 log_error_errno(r, "failed to enumerate rules files: %m");
diff --git a/gnu/packages/patches/evilwm-lost-focus-bug.patch b/gnu/packages/patches/evilwm-lost-focus-bug.patch
new file mode 100644
index 0000000000..af24af8fe9
--- /dev/null
+++ b/gnu/packages/patches/evilwm-lost-focus-bug.patch
@@ -0,0 +1,18 @@
+evilwm may sometimes lose focus after closing a window.  This means that
+evilwm stops responding to keyboard shortcuts, and if no other window is open
+which the mouse can be moved over to regain focus evilwm becomes unusable and
+has to be restarted.
+
+Patch derived from discussion at
+https://wiki.archlinux.org/index.php/Evilwm#Lost_focus_bug_fix
+
+--- evilwm-1.1.1/client.c
++++ evilwm-1.1.1/client.c
+@@ -172,6 +172,7 @@
+ 	 *  _NET_WM_STATE) */
+ 	if (c->remove) {
+ 		LOG_DEBUG("setting WithdrawnState\n");
++		XSetInputFocus(dpy, PointerRoot, RevertToPointerRoot, CurrentTime);
+ 		set_wm_state(c, WithdrawnState);
+ 		ewmh_withdraw_client(c);
+ 	} else {
diff --git a/gnu/packages/patches/glib-tests-desktop.patch b/gnu/packages/patches/glib-tests-desktop.patch
index 61f48607f7..642234ebbc 100644
--- a/gnu/packages/patches/glib-tests-desktop.patch
+++ b/gnu/packages/patches/glib-tests-desktop.patch
@@ -56,11 +56,12 @@ database, the `update-desktop-database' program, which we don't provide.
 
 -----------------------------
 The hunk below removes tests that depend on `gdbus-testserver.py',
-because that script depends on python-gobject.
+because that script depends on python-gobject.  The second hunk
+disables a test that expects /etc/machine-id in the build environment.
  
---- glib-2.39.1/gio/tests/Makefile.in	2014-01-20 00:18:16.000000000 +0100
-+++ glib-2.39.1/gio/tests/Makefile.in	2014-01-20 00:18:47.000000000 +0100
-@@ -171,20 +171,13 @@ check_PROGRAMS = $(am__EXEEXT_14)
+--- glib-2.46.0/gio/tests/Makefile.in	2015-10-14 14:11:00.928809504 +0200
++++ glib-2.46.0/gio/tests/Makefile.in	2015-10-14 14:12:13.157291092 +0200
+@@ -186,20 +186,13 @@ check_PROGRAMS = $(am__EXEEXT_16)
  @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gdbus-auth				\
  @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gdbus-bz627724				\
  @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gdbus-close-pending			\
@@ -79,7 +80,16 @@ because that script depends on python-gobject.
  @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gdbus-test-codegen-old			\
 -@HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gdbus-threading				\
  @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gmenumodel				\
+ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	gnotification				\
  @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@	$(NULL)
+@@ -321,8 +314,7 @@ libresourceplugin_la_LINK = $(LIBTOOL) $
+ am__EXEEXT_1 =
+ @OS_UNIX_TRUE@am__EXEEXT_2 = contenttype$(EXEEXT) file$(EXEEXT) \
+ @OS_UNIX_TRUE@	gdbus-peer-object-manager$(EXEEXT) \
+-@OS_UNIX_TRUE@	gdbus-unix-addresses$(EXEEXT) \
+ @OS_UNIX_TRUE@	live-g-file$(EXEEXT) socket-address$(EXEEXT) \
+ @OS_UNIX_TRUE@	stream-rw_all$(EXEEXT) unix-fd$(EXEEXT) \
+ @OS_UNIX_TRUE@	unix-streams$(EXEEXT) $(am__EXEEXT_1) \
   
 
 The test below depends on the availability /etc/passwd to dbus-daemon.
diff --git a/gnu/packages/patches/gsl-poly-test-fix-pt1.patch b/gnu/packages/patches/gsl-poly-test-fix-pt1.patch
deleted file mode 100644
index 3d1ed4243c..0000000000
--- a/gnu/packages/patches/gsl-poly-test-fix-pt1.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 9cc12d0377dd634b1b97954d076b715f982853b7 Mon Sep 17 00:00:00 2001
-From: Patrick Alken <alken@colorado.edu>
-Date: Fri, 4 Apr 2014 13:36:16 -0600
-Subject: [PATCH] bug fix in sorting of complex numbers (bug #39055)
-
----
- poly/test.c | 49 ++++++++++++++++++++++++++++++-------------------
- 1 file changed, 30 insertions(+), 19 deletions(-)
-
-diff --git a/poly/test.c b/poly/test.c
-index 9c147f6..d090802 100644
---- a/poly/test.c
-+++ b/poly/test.c
-@@ -25,11 +25,21 @@
- #include <gsl/gsl_poly.h>
- #include <gsl/gsl_heapsort.h>
- 
-+/* sort by Re(z) then by Im(z) */
- static int
- cmp_cplx(const double *a, const double *b)
- {
--	double t = (a[0] * a[0] + a[1] * a[1]) - (b[0] * b[0] + b[1] * b[1]);
--	return t < 0.0 ? -1 : t > 0.0 ? 1 : 0;
-+  double r = a[0] - b[0];
-+
-+  if (r == 0.0)
-+    {
-+      double t = a[1] - b[1];
-+	    return t < 0.0 ? -1 : t > 0.0 ? 1 : 0;
-+    }
-+  else if (r < 0.0)
-+    return -1;
-+  else
-+    return 1;
- }
- 
- int
-@@ -534,25 +544,26 @@ main (void)
-        Problem reported by Munagala Ramanath (bug #39055)
-     */
- 
--    double a[16] = { 32, -48, -8, 28, -8, 16, -16, 12, -16, 6, 10, -17, 10, 2, -4, 1 };
-+    double a[16] = { 32, -48, -8, 28, -8, 16, -16, 12,
-+                    -16, 6, 10, -17, 10, 2, -4, 1 };
-     double z[16*2];
- 
--    double expected[16*20] = {
--	   1.0000000000000000,  0.00000000000000000,
--	   1.0000000000000000,  0.00000000000000000,
--	  -1.0000000000000000,  0.00000000000000000,
--	 -0.65893856175240950,  0.83459757287426684,
--	 -0.65893856175240950, -0.83459757287426684,
--	-0.070891117403341281,  -1.1359249087587791,
--	-0.070891117403341281,   1.1359249087587791,
--	   1.1142366961812986, -0.48083981203389980,
--	   1.1142366961812986,  0.48083981203389980,
--	  -1.3066982484920768,  0.00000000000000000,
--	  0.57284747839410854,   1.1987808988289705,
--	  0.57284747839410854,  -1.1987808988289705,
--	  -1.6078107423472359,  0.00000000000000000,
--	   2.0000000000000000,  0.00000000000000000,
--	   2.0000000000000000,  0.00000000000000000 };
-+    double expected[16*2] = {
-+     -1.6078107423472359,    0.00000000000000000,
-+     -1.3066982484920768,    0.00000000000000000,
-+     -1.0000000000000000,    0.00000000000000000,
-+     -0.65893856175240950,  -0.83459757287426684,
-+     -0.65893856175240950,   0.83459757287426684,
-+     -0.070891117403341281, -1.1359249087587791,
-+     -0.070891117403341281,  1.1359249087587791,
-+      0.57284747839410854,  -1.1987808988289705,
-+      0.57284747839410854,   1.1987808988289705,
-+      1.0000000000000000,    0.00000000000000000,
-+      1.0000000000000000,    0.00000000000000000,
-+      1.1142366961812986,   -0.48083981203389980,
-+      1.1142366961812986,    0.48083981203389980,
-+      2.0000000000000000,    0.00000000000000000,
-+      2.0000000000000000,    0.00000000000000000 };
- 
-     int i;
- 
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/gsl-poly-test-fix-pt2.patch b/gnu/packages/patches/gsl-poly-test-fix-pt2.patch
deleted file mode 100644
index 0e6fcf1a53..0000000000
--- a/gnu/packages/patches/gsl-poly-test-fix-pt2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 0466df8660a7b6ddf2e082a1ec38bc6ea25a3c5c Mon Sep 17 00:00:00 2001
-From: Patrick Alken <alken@colorado.edu>
-Date: Mon, 7 Apr 2014 10:59:58 -0600
-Subject: [PATCH] change error test for 15th degree polynomial (bug #39055)
-
----
- poly/test.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/poly/test.c b/poly/test.c
-index d090802..f6a7e3f 100644
---- a/poly/test.c
-+++ b/poly/test.c
-@@ -579,8 +579,8 @@ main (void)
- 
-     for (i = 0; i<15; i++)
-       {
--        gsl_test_abs (z[2*i], expected[2*i], 1e-7, "z%d.real, 15th-order polynomial", i);
--        gsl_test_abs (z[2*i+1], expected[2*i+1], 1e-7, "z%d.imag, 15th-order polynomial", i);
-+        gsl_test_rel (z[2*i], expected[2*i], 1e-7, "z%d.real, 15th-order polynomial", i);
-+        gsl_test_rel (z[2*i+1], expected[2*i+1], 1e-7, "z%d.imag, 15th-order polynomial", i);
-       }
-   }
- 
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/hwloc-gather-topology-lstopo.patch b/gnu/packages/patches/hwloc-gather-topology-lstopo.patch
deleted file mode 100644
index 06f47aecaa..0000000000
--- a/gnu/packages/patches/hwloc-gather-topology-lstopo.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Derived from upstream commit 0a32f719c.
-
---- hwloc-1.10.1/tests/linux/Makefile.in	2015-01-26 03:37:52.000000000 -0600
-+++ hwloc-1.10.1/tests/linux/Makefile.in	2015-06-15 11:21:49.824842511 -0500
-@@ -1633,7 +1633,7 @@
- 
- 
- install-exec-hook:
--	$(SED) -e 's/HWLOC_top_builddir\/utils/bindir/' -e '/HWLOC_top_builddir/d' $(DESTDIR)$(bindir)/hwloc-gather-topology > $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp && mv -f $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp $(DESTDIR)$(bindir)/hwloc-gather-topology
-+	$(SED) -e 's/HWLOC_top_builddir\/utils\/lstopo/bindir/' -e '/HWLOC_top_builddir/d' $(DESTDIR)$(bindir)/hwloc-gather-topology > $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp && mv -f $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp $(DESTDIR)$(bindir)/hwloc-gather-topology
- 	chmod +x $(DESTDIR)$(bindir)/hwloc-gather-topology
- 
- # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/gnu/packages/patches/jasper-CVE-2008-3522.patch b/gnu/packages/patches/jasper-CVE-2008-3522.patch
new file mode 100644
index 0000000000..10cfec99a5
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2008-3522.patch
@@ -0,0 +1,14 @@
+Fix CVE-2008-3522 (buffer overflow in 'jas_stream_printf').
+Patch from <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522>.
+
+--- jasper-1.900.1/src/libjasper/base/jas_stream.c	2008-09-08 14:56:01.000000000 +0200
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2008-09-08 14:58:16.000000000 +0200
+@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre
+ 	int ret;
+ 
+ 	va_start(ap, fmt);
+-	ret = vsprintf(buf, fmt, ap);
++	ret = vsnprintf(buf, sizeof buf, fmt, ap);
+ 	jas_stream_puts(stream, buf);
+ 	va_end(ap);
+ 	return ret;
diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch
new file mode 100644
index 0000000000..676024beb4
--- /dev/null
+++ b/gnu/packages/patches/libdrm-symbol-check.patch
@@ -0,0 +1,195 @@
+Augment the list of expected symbols to fix the symbol-check tests on
+mips64el-linux and armhf-linux.
+
+--- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig	2015-09-04 11:07:40.000000000 -0400
++++ libdrm-2.4.65/freedreno/freedreno-symbol-check	2015-10-18 23:57:15.288416229 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_freedreno.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ fd_bo_cpu_fini
+ fd_bo_cpu_prep
+ fd_bo_del
+--- libdrm-2.4.65/nouveau/nouveau-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/nouveau/nouveau-symbol-check	2015-10-18 23:55:26.078327118 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBDRM_NOUVEAU_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_nouveau.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ nouveau_bo_map
+ nouveau_bo_name_get
+ nouveau_bo_name_ref
+--- libdrm-2.4.65/libkms/kms-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/libkms/kms-symbol-check	2015-10-18 23:46:10.683869471 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBKMS_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libkms.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ kms_bo_create
+ kms_bo_destroy
+ kms_bo_get_prop
+--- libdrm-2.4.65/intel/intel-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/intel/intel-symbol-check	2015-10-18 23:55:53.309558508 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBDRM_INTEL_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_intel.so} | awk '{print $3}' | while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ drm_intel_bo_alloc
+ drm_intel_bo_alloc_for_render
+ drm_intel_bo_alloc_tiled
+--- libdrm-2.4.65/amdgpu/amdgpu-symbol-check.orig	2015-08-17 10:08:11.000000000 -0400
++++ libdrm-2.4.65/amdgpu/amdgpu-symbol-check	2015-10-18 23:56:10.606917723 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.am/libdrm_amdgpuinclude_HEADERS
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_amdgpu.so} | awk '{print $3}' | while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ amdgpu_bo_alloc
+ amdgpu_bo_cpu_map
+ amdgpu_bo_cpu_unmap
+--- libdrm-2.4.65/exynos/exynos-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/exynos/exynos-symbol-check	2015-10-18 23:56:32.025486153 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.am/libdrm_exynos*_HEADERS
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_exynos.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ exynos_bo_create
+ exynos_bo_destroy
+ exynos_bo_from_name
+--- libdrm-2.4.65/omap/omap-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/omap/omap-symbol-check	2015-10-18 23:56:44.834438626 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.am/libdrm_omap*HEADERS
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_omap.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ omap_bo_cpu_fini
+ omap_bo_cpu_prep
+ omap_bo_del
+--- libdrm-2.4.65/tegra/tegra-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/tegra/tegra-symbol-check	2015-10-18 23:57:00.756759698 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ drm_tegra_bo_get_flags
+ drm_tegra_bo_get_handle
+ drm_tegra_bo_get_tiling
diff --git a/gnu/packages/patches/librsvg-tests.patch b/gnu/packages/patches/librsvg-tests.patch
new file mode 100644
index 0000000000..dc5b94e185
--- /dev/null
+++ b/gnu/packages/patches/librsvg-tests.patch
@@ -0,0 +1,27 @@
+From e06fc71a57156123e4e50a39957100a651ab632b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@gmail.com>
+Date: Sat, 17 Oct 2015 10:20:33 +0800
+Subject: [PATCH] tests/styles: Don't duplicate test names.
+
+---
+ tests/styles.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/styles.c b/tests/styles.c
+index d09b1f2..a938835 100644
+--- a/tests/styles.c
++++ b/tests/styles.c
+@@ -97,8 +97,8 @@ static const FixtureData fixtures[] =
+     {"/styles/selectors/2 or more selectors (stroke)", "592207", "styles/bug592207.svg", "#target", "stroke", .expected.color = 0xff0000ff},
+     {"/styles/svg-element-style", "615701", "styles/svg-class.svg", "#svg", "fill", .expected.color = 0xff0000ff},
+     {"/styles/presentation attribute in svg element", "620693", "styles/bug620693.svg", "#svg", "stroke", .expected.color = 0xffff0000},
+-    {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */},
+-    {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}},
++    {"/styles/!important/1", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */},
++    {"/styles/!important/2", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}},
+     {"/styles/!important/class", "614606", "styles/bug614606.svg", "#path6306", "fill", .expected.color = 0xffff0000 /* red */ },
+     {"/styles/!important/element", "614606", "styles/bug614606.svg", "#path6308", "fill", .expected.color = 0xff000000},
+     {"/styles/!important/#id prior than class", NULL, "styles/important.svg", "#red", "fill", .expected.color = 0xffff0000 },
+-- 
+2.5.0
+
diff --git a/gnu/packages/patches/libsndfile-CVE-2014-9496.patch b/gnu/packages/patches/libsndfile-CVE-2014-9496.patch
new file mode 100644
index 0000000000..87d42955fb
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2014-9496.patch
@@ -0,0 +1,55 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libsndfile.git/plain/libsndfile-1.0.25-cve2014_9496.patch
+
+diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c
+--- libsndfile-1.0.25/src/sd2.c.cve2014_9496	2011-01-19 11:10:36.000000000 +0100
++++ libsndfile-1.0.25/src/sd2.c	2015-01-13 17:00:35.920285526 +0100
+@@ -395,6 +395,21 @@ read_marker (const unsigned char * data,
+ 		return 0x666 ;
+ } /* read_marker */
+ 
++static inline int
++read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
++{	const unsigned char * data = prsrc->rsrc_data ;
++
++	if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
++		return 0 ;
++
++	if (CPU_IS_BIG_ENDIAN)
++		return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
++	if (CPU_IS_LITTLE_ENDIAN)
++		return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ;
++
++	return 0 ;
++} /* read_rsrc_marker */
++
+ static void
+ read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
+ {	int k ;
+@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+ 
+ 	rsrc.type_offset = rsrc.map_offset + 30 ;
+ 
++	if (rsrc.map_offset + 28 > rsrc.rsrc_len)
++	{       psf_log_printf (psf, "Bad map offset.\n") ;
++		goto parse_rsrc_fork_cleanup ;
++		} ;
++
+ 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
+ 	if (rsrc.type_count < 1)
+ 	{	psf_log_printf (psf, "Bad type count.\n") ;
+@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+ 
+ 	rsrc.str_index = -1 ;
+ 	for (k = 0 ; k < rsrc.type_count ; k ++)
+-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
++	{	if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
++		{	psf_log_printf (psf, "Bad rsrc marker.\n") ;
++			goto parse_rsrc_fork_cleanup ;
++			} ;
++
++		marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
+ 
+ 		if (marker == STR_MARKER)
+ 		{	rsrc.str_index = k ;
diff --git a/gnu/packages/patches/libsndfile-CVE-2015-7805.patch b/gnu/packages/patches/libsndfile-CVE-2015-7805.patch
new file mode 100644
index 0000000000..d617f81e5c
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2015-7805.patch
@@ -0,0 +1,95 @@
+Slightly modified to apply cleanly to libsndfile-1.0.25.
+
+From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Sat, 7 Feb 2015 15:45:10 +1100
+Subject: [PATCH] src/common.c : Fix a header parsing bug.
+
+When the file header is bigger that SF_HEADER_LEN, the code would seek
+instead of reading causing file parse errors.
+
+The current header parsing and writing code *badly* needs a re-write.
+---
+ src/common.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index dd4edb7..c6b88cc 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2011 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 1999-2015 Erik de Castro Lopo <erikd@mega-nerd.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU Lesser General Public License as published by
+@@ -800,21 +800,16 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ {	int count = 0 ;
+ 
+ 	if (psf->headindex >= SIGNED_SIZEOF (psf->header))
+-	{	memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ;
+-
+-		/* This is the best that we can do. */
+-		psf_fseek (psf, bytes, SEEK_CUR) ;
+-		return bytes ;
+-		} ;
++		return psf_fread (ptr, 1, bytes, psf) ;
+ 
+ 	if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
+ 	{	int most ;
+ 
+ 		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
+ 		psf_fread (psf->header + psf->headend, 1, most, psf) ;
+-		memset ((char *) ptr + most, 0, bytes - most) ;
+-
+-		psf_fseek (psf, bytes - most, SEEK_CUR) ;
++		memcpy (ptr, psf->header + psf->headend, most) ;
++		psf->headend = psf->headindex += most ;
++		psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
+ 		return bytes ;
+ 		} ;
+ 
+@@ -822,7 +817,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ 	{	count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ;
+ 		if (count != bytes - (int) (psf->headend - psf->headindex))
+ 		{	psf_log_printf (psf, "Error : psf_fread returned short count.\n") ;
+-			return 0 ;
++			return count ;
+ 			} ;
+ 		psf->headend += count ;
+ 		} ;
+@@ -836,7 +831,6 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ static void
+ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ {
+-
+ 	switch (whence)
+ 	{	case SEEK_SET :
+ 			if (position > SIGNED_SIZEOF (psf->header))
+@@ -885,8 +879,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ 
+ static int
+ header_gets (SF_PRIVATE *psf, char *ptr, int bufsize)
+-{
+-	int		k ;
++{	int		k ;
+ 
+ 	for (k = 0 ; k < bufsize - 1 ; k++)
+ 	{	if (psf->headindex < psf->headend)
+@@ -1073,8 +1066,10 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case 'j' :
+ 					/* Get the seek position first. */
+ 					count = va_arg (argptr, size_t) ;
+-					header_seek (psf, count, SEEK_CUR) ;
+-					byte_count += count ;
++					if (count)
++					{	header_seek (psf, count, SEEK_CUR) ;
++						byte_count += count ;
++						} ;
+ 					break ;
+ 
+ 			default :
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxslt-CVE-2015-7995.patch b/gnu/packages/patches/libxslt-CVE-2015-7995.patch
new file mode 100644
index 0000000000..f291d5b387
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2015-7995.patch
@@ -0,0 +1,29 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: [PATCH] Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index 0eb80a0..7f69325 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
+@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+ 	} else if (IS_XSLT_NAME(inst, "attribute")) {
+ 	    xmlNodePtr parent = inst->parent;
+ 
+-	    if ((parent == NULL) || (parent->ns == NULL) ||
++	    if ((parent == NULL) ||
++	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ 		((parent->ns != inst->ns) &&
+ 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/lua52-liblua-so.patch b/gnu/packages/patches/lua52-liblua-so.patch
new file mode 100644
index 0000000000..2e6b39ae79
--- /dev/null
+++ b/gnu/packages/patches/lua52-liblua-so.patch
@@ -0,0 +1,78 @@
+From 7a1b4e0829124976878ca2765a8e546667a92ceb Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Fri, 30 Oct 2015 19:11:31 -0400
+Subject: [PATCH] apply existing non-executable library patch and install
+ libraries as executable
+
+---
+ Makefile     | 6 +++---
+ src/Makefile | 8 +++++++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1aea8e6..bfcfed9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -44,7 +44,7 @@ INTERPRETER= lua
+ COMPILER= luac
+ TO_BIN= $(INTERPRETER) $(COMPILER)
+ TO_INC= lua.h luaconf.h lualib.h lauxlib.h lua.hpp
+-TO_LIB= liblua.a
++TO_LIB= liblua.a liblua.so liblua.so.${V}
+ TO_PC=  lua-$(V).pc
+ TO_MAN= lua.1 luac.1
+ 
+@@ -56,7 +56,7 @@ R= $V.3
+ all:	$(PLAT)
+ 
+ $(PLATS):
+-	cd src && $(MAKE) $@
++	cd src && $(MAKE) $@ V=$(V) R=$(R)
+ 
+ clean:
+ 	cd src && $(MAKE) $@
+@@ -69,7 +69,7 @@ install: dummy $(TO_PC)
+ 	cd src && $(MKDIR) $(INSTALL_BIN) $(INSTALL_INC) $(INSTALL_LIB) $(INSTALL_PC) $(INSTALL_MAN) $(INSTALL_LMOD) $(INSTALL_CMOD)
+ 	cd src && $(INSTALL_EXEC) $(TO_BIN) $(INSTALL_BIN)
+ 	cd src && $(INSTALL_DATA) $(TO_INC) $(INSTALL_INC)
+-	cd src && $(INSTALL_DATA) $(TO_LIB) $(INSTALL_LIB)
++	cd src && $(INSTALL_EXEC) $(TO_LIB) $(INSTALL_LIB)
+ 	cd src && $(INSTALL_DATA) ../$(TO_PC) $(INSTALL_PC)
+ 	cd doc && $(INSTALL_DATA) $(TO_MAN) $(INSTALL_MAN)
+ 
+diff --git a/src/Makefile b/src/Makefile
+index 7b4b2b7..c86476e 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -29,6 +29,7 @@ MYOBJS=
+ PLATS= aix ansi bsd freebsd generic linux macosx mingw posix solaris
+ 
+ LUA_A=	liblua.a
++LUA_SO= liblua.so
+ CORE_O=	lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o \
+ 	lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o \
+ 	ltm.o lundump.o lvm.o lzio.o
+@@ -43,7 +44,7 @@ LUAC_T=	luac
+ LUAC_O=	luac.o
+ 
+ ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O)
+-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T)
++ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO)
+ ALL_A= $(LUA_A)
+ 
+ # Targets start here.
+@@ -55,6 +56,11 @@ o:	$(ALL_O)
+ 
+ a:	$(ALL_A)
+ 
++$(LUA_SO): $(CORE_O) $(LIB_O)
++	$(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm $(MYLDFLAGS)
++	ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V)
++	ln -sf $(LUA_SO).$(R) $(LUA_SO)
++
+ $(LUA_A): $(BASE_O)
+ 	$(AR) $@ $(BASE_O)
+ 	$(RANLIB) $@
+-- 
+2.6.1
+
diff --git a/gnu/packages/patches/matplotlib-setupext-tk.patch b/gnu/packages/patches/matplotlib-setupext-tk.patch
new file mode 100644
index 0000000000..37c3d686e0
--- /dev/null
+++ b/gnu/packages/patches/matplotlib-setupext-tk.patch
@@ -0,0 +1,34 @@
+Use 'pkg-config' instead of heuristics to find 'tk' flags.
+
+--- matplotlib-1.4.3/setupext.py.orig	2015-12-01 14:21:19.554417453 +0100
++++ matplotlib-1.4.3/setupext.py	2015-12-02 10:39:47.282363530 +0100
+@@ -1457,7 +1457,7 @@
+             p = subprocess.Popen(
+                 '. %s ; eval echo ${%s}' % (file, varname),
+                 shell=True,
+-                executable="/bin/sh",
++                executable="sh",
+                 stdout=subprocess.PIPE)
+             result = p.communicate()[0]
+             return result.decode('ascii')
+@@ -1601,8 +1601,19 @@
+             #      of distros.
+ 
+             # Query Tcl/Tk system for library paths and version string
++            def getoutput(s):
++                ret = os.popen(s).read().strip()
++                return ret
+             try:
+-                tcl_lib_dir, tk_lib_dir, tk_ver = self.query_tcltk()
++                pkg_config_libs = getoutput('pkg-config --libs-only-L tk').split()
++                # drop '-L' part of strings
++                pkg_config_libs = [s[2:] for s in pkg_config_libs]
++                pkg_config_ver = getoutput('pkg-config --modversion tk')
++                tk_ver = re.match(r"(\d+.\d+)[\d.]*", pkg_config_ver).group(1)
++                tcl_lib_dir = next(s for s in pkg_config_libs
++                                   if re.match(r".*-tcl-.*", s)) + '/tcl' + tk_ver
++                tk_lib_dir = next(s for s in pkg_config_libs
++                                  if re.match(r".*-tk-.*", s)) + '/tk' + tk_ver
+             except:
+                 tk_ver = ''
+                 result = self.hardcoded_tcl_config()
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch
new file mode 100644
index 0000000000..0f5603e228
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch
@@ -0,0 +1,569 @@
+Copied from Debian.
+
+From b813d5811432faed844a2dfd3daecde914978f2c Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Mon, 14 Sep 2015 12:27:52 -0400
+Subject: Fix SPNEGO context aliasing bugs [CVE-2015-2695]
+
+The SPNEGO mechanism currently replaces its context handle with the
+mechanism context handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the SPNEGO context structure after context
+establishment and refer to it in all GSS methods.  Add initiate and
+opened flags to the SPNEGO context structure for use in
+gss_inquire_context() prior to context establishment.
+
+CVE-2015-2695:
+
+In MIT krb5 1.5 and later, applications which call
+gss_inquire_context() on a partially-established SPNEGO context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  This bug may go unnoticed, because
+the most common SPNEGO authentication scenario establishes the context
+after just one call to gss_accept_sec_context().  Java server
+applications using the native JGSS provider are vulnerable to this
+bug.  A carefully crafted SPNEGO packet might allow the
+gss_inquire_context() call to succeed with attacker-determined
+results, but applications should not make access control decisions
+based on gss_inquire_context() results prior to context establishment.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghudson@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d)
+Patch-Category: upstream
+---
+ src/lib/gssapi/spnego/gssapiP_spnego.h |   2 +
+ src/lib/gssapi/spnego/spnego_mech.c    | 254 ++++++++++++++++++++++++---------
+ 2 files changed, 192 insertions(+), 64 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
+index bc23f56..8e05736 100644
+--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
++++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
+@@ -102,6 +102,8 @@ typedef struct {
+ 	int firstpass;
+ 	int mech_complete;
+ 	int nego_done;
++	int initiate;
++	int opened;
+ 	OM_uint32 ctx_flags;
+ 	gss_name_t internal_name;
+ 	gss_OID actual_mech;
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 6e39c37..a1072b0 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -104,7 +104,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
+ 				      gss_cred_usage_t, gss_OID_set *);
+ static void release_spnego_ctx(spnego_gss_ctx_id_t *);
+ static void check_spnego_options(spnego_gss_ctx_id_t);
+-static spnego_gss_ctx_id_t create_spnego_ctx(void);
++static spnego_gss_ctx_id_t create_spnego_ctx(int);
+ static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
+ static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
+ static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
+@@ -442,7 +442,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
+ }
+ 
+ static spnego_gss_ctx_id_t
+-create_spnego_ctx(void)
++create_spnego_ctx(int initiate)
+ {
+ 	spnego_gss_ctx_id_t spnego_ctx = NULL;
+ 	spnego_ctx = (spnego_gss_ctx_id_t)
+@@ -465,6 +465,8 @@ create_spnego_ctx(void)
+ 	spnego_ctx->mic_rcvd = 0;
+ 	spnego_ctx->mech_complete = 0;
+ 	spnego_ctx->nego_done = 0;
++	spnego_ctx->opened = 0;
++	spnego_ctx->initiate = initiate;
+ 	spnego_ctx->internal_name = GSS_C_NO_NAME;
+ 	spnego_ctx->actual_mech = GSS_C_NO_OID;
+ 
+@@ -630,7 +632,7 @@ init_ctx_new(OM_uint32 *minor_status,
+ 	OM_uint32 ret;
+ 	spnego_gss_ctx_id_t sc = NULL;
+ 
+-	sc = create_spnego_ctx();
++	sc = create_spnego_ctx(1);
+ 	if (sc == NULL)
+ 		return GSS_S_FAILURE;
+ 
+@@ -647,10 +649,7 @@ init_ctx_new(OM_uint32 *minor_status,
+ 		ret = GSS_S_FAILURE;
+ 		goto cleanup;
+ 	}
+-	/*
+-	 * The actual context is not yet determined, set the output
+-	 * context handle to refer to the spnego context itself.
+-	 */
++
+ 	sc->ctx_handle = GSS_C_NO_CONTEXT;
+ 	*ctx = (gss_ctx_id_t)sc;
+ 	sc = NULL;
+@@ -1091,16 +1090,11 @@ cleanup:
+ 	}
+ 	gss_release_buffer(&tmpmin, &mechtok_out);
+ 	if (ret == GSS_S_COMPLETE) {
+-		/*
+-		 * Now, switch the output context to refer to the
+-		 * negotiated mechanism's context.
+-		 */
+-		*context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
++		spnego_ctx->opened = 1;
+ 		if (actual_mech != NULL)
+ 			*actual_mech = spnego_ctx->actual_mech;
+ 		if (ret_flags != NULL)
+ 			*ret_flags = spnego_ctx->ctx_flags;
+-		release_spnego_ctx(&spnego_ctx);
+ 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
+ 		if (spnego_ctx != NULL) {
+ 			gss_delete_sec_context(&tmpmin,
+@@ -1344,7 +1338,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
+ 	if (ret != GSS_S_COMPLETE)
+ 		goto cleanup;
+ 
+-	sc = create_spnego_ctx();
++	sc = create_spnego_ctx(0);
+ 	if (sc == NULL) {
+ 		ret = GSS_S_FAILURE;
+ 		goto cleanup;
+@@ -1426,7 +1420,7 @@ acc_ctx_new(OM_uint32 *minor_status,
+ 		gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
+ 		assert(mech_wanted != GSS_C_NO_OID);
+ 	} else
+-		sc = create_spnego_ctx();
++		sc = create_spnego_ctx(0);
+ 	if (sc == NULL) {
+ 		ret = GSS_S_FAILURE;
+ 		*return_token = NO_TOKEN_SEND;
+@@ -1809,13 +1803,12 @@ cleanup:
+ 			ret = GSS_S_FAILURE;
+ 	}
+ 	if (ret == GSS_S_COMPLETE) {
+-		*context_handle = (gss_ctx_id_t)sc->ctx_handle;
++		sc->opened = 1;
+ 		if (sc->internal_name != GSS_C_NO_NAME &&
+ 		    src_name != NULL) {
+ 			*src_name = sc->internal_name;
+ 			sc->internal_name = GSS_C_NO_NAME;
+ 		}
+-		release_spnego_ctx(&sc);
+ 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
+ 		if (sc != NULL) {
+ 			gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+@@ -2128,8 +2121,13 @@ spnego_gss_unwrap(
+ 		gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap(minor_status,
+-			context_handle,
++			sc->ctx_handle,
+ 			input_message_buffer,
+ 			output_message_buffer,
+ 			conf_state,
+@@ -2149,8 +2147,13 @@ spnego_gss_wrap(
+ 		gss_buffer_t output_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap(minor_status,
+-		    context_handle,
++		    sc->ctx_handle,
+ 		    conf_req_flag,
+ 		    qop_req,
+ 		    input_message_buffer,
+@@ -2167,8 +2170,14 @@ spnego_gss_process_context_token(
+ 				const gss_buffer_t token_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	/* SPNEGO doesn't have its own context tokens. */
++	if (!sc->opened)
++		return (GSS_S_DEFECTIVE_TOKEN);
++
+ 	ret = gss_process_context_token(minor_status,
+-					context_handle,
++					sc->ctx_handle,
+ 					token_buffer);
+ 
+ 	return (ret);
+@@ -2192,19 +2201,9 @@ spnego_gss_delete_sec_context(
+ 	if (*ctx == NULL)
+ 		return (GSS_S_COMPLETE);
+ 
+-	/*
+-	 * If this is still an SPNEGO mech, release it locally.
+-	 */
+-	if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
+-		(void) gss_delete_sec_context(minor_status,
+-				    &(*ctx)->ctx_handle,
+-				    output_token);
+-		(void) release_spnego_ctx(ctx);
+-	} else {
+-		ret = gss_delete_sec_context(minor_status,
+-				    context_handle,
+-				    output_token);
+-	}
++	(void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
++				      output_token);
++	(void) release_spnego_ctx(ctx);
+ 
+ 	return (ret);
+ }
+@@ -2216,8 +2215,13 @@ spnego_gss_context_time(
+ 			OM_uint32	*time_rec)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_context_time(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    time_rec);
+ 	return (ret);
+ }
+@@ -2229,9 +2233,20 @@ spnego_gss_export_sec_context(
+ 			    gss_buffer_t interprocess_token)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
++
++	/* We don't currently support exporting partially established
++	 * contexts. */
++	if (!sc->opened)
++		return GSS_S_UNAVAILABLE;
++
+ 	ret = gss_export_sec_context(minor_status,
+-				    context_handle,
++				    &sc->ctx_handle,
+ 				    interprocess_token);
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
++		release_spnego_ctx(&sc);
++		*context_handle = GSS_C_NO_CONTEXT;
++	}
+ 	return (ret);
+ }
+ 
+@@ -2241,11 +2256,12 @@ spnego_gss_import_sec_context(
+ 	const gss_buffer_t	interprocess_token,
+ 	gss_ctx_id_t		*context_handle)
+ {
+-	OM_uint32 ret;
+-	ret = gss_import_sec_context(minor_status,
+-				    interprocess_token,
+-				    context_handle);
+-	return (ret);
++	/*
++	 * Until we implement partial context exports, there are no SPNEGO
++	 * exported context tokens, only tokens for underlying mechs.  So just
++	 * return an error for now.
++	 */
++	return GSS_S_UNAVAILABLE;
+ }
+ #endif /* LEAN_CLIENT */
+ 
+@@ -2262,16 +2278,48 @@ spnego_gss_inquire_context(
+ 			int		*opened)
+ {
+ 	OM_uint32 ret = GSS_S_COMPLETE;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (src_name != NULL)
++		*src_name = GSS_C_NO_NAME;
++	if (targ_name != NULL)
++		*targ_name = GSS_C_NO_NAME;
++	if (lifetime_rec != NULL)
++		*lifetime_rec = 0;
++	if (mech_type != NULL)
++		*mech_type = (gss_OID)gss_mech_spnego;
++	if (ctx_flags != NULL)
++		*ctx_flags = 0;
++	if (locally_initiated != NULL)
++		*locally_initiated = sc->initiate;
++	if (opened != NULL)
++		*opened = sc->opened;
++
++	if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
++		ret = gss_inquire_context(minor_status, sc->ctx_handle,
++					  src_name, targ_name, lifetime_rec,
++					  mech_type, ctx_flags, NULL, NULL);
++	}
+ 
+-	ret = gss_inquire_context(minor_status,
+-				context_handle,
+-				src_name,
+-				targ_name,
+-				lifetime_rec,
+-				mech_type,
+-				ctx_flags,
+-				locally_initiated,
+-				opened);
++	if (!sc->opened) {
++		/*
++		 * We are still doing SPNEGO negotiation, so report SPNEGO as
++		 * the OID.  After negotiation is complete we will report the
++		 * underlying mechanism OID.
++		 */
++		if (mech_type != NULL)
++			*mech_type = (gss_OID)gss_mech_spnego;
++
++		/*
++		 * Remove flags we don't support with partially-established
++		 * contexts.  (Change this to keep GSS_C_TRANS_FLAG if we add
++		 * support for exporting partial SPNEGO contexts.)
++		 */
++		if (ctx_flags != NULL) {
++			*ctx_flags &= ~GSS_C_PROT_READY_FLAG;
++			*ctx_flags &= ~GSS_C_TRANS_FLAG;
++		}
++	}
+ 
+ 	return (ret);
+ }
+@@ -2286,8 +2334,13 @@ spnego_gss_wrap_size_limit(
+ 	OM_uint32	*max_input_size)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_size_limit(minor_status,
+-				context_handle,
++				sc->ctx_handle,
+ 				conf_req_flag,
+ 				qop_req,
+ 				req_output_size,
+@@ -2304,8 +2357,13 @@ spnego_gss_get_mic(
+ 		gss_buffer_t message_token)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_get_mic(minor_status,
+-		    context_handle,
++		    sc->ctx_handle,
+ 		    qop_req,
+ 		    message_buffer,
+ 		    message_token);
+@@ -2321,8 +2379,13 @@ spnego_gss_verify_mic(
+ 		gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_verify_mic(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    msg_buffer,
+ 			    token_buffer,
+ 			    qop_state);
+@@ -2337,8 +2400,14 @@ spnego_gss_inquire_sec_context_by_oid(
+ 		gss_buffer_set_t *data_set)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	/* There are no SPNEGO-specific OIDs for this function. */
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_inquire_sec_context_by_oid(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    desired_object,
+ 			    data_set);
+ 	return (ret);
+@@ -2407,8 +2476,15 @@ spnego_gss_set_sec_context_option(
+ 		const gss_buffer_t value)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
++
++	/* There are no SPNEGO-specific OIDs for this function, and we cannot
++	 * construct an empty SPNEGO context with it. */
++	if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_set_sec_context_option(minor_status,
+-			    context_handle,
++			    &sc->ctx_handle,
+ 			    desired_object,
+ 			    value);
+ 	return (ret);
+@@ -2425,8 +2501,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
+ 		     gss_buffer_t output_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_aead(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    conf_req_flag,
+ 			    qop_req,
+ 			    input_assoc_buffer,
+@@ -2447,8 +2528,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
+ 		       gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap_aead(minor_status,
+-			      context_handle,
++			      sc->ctx_handle,
+ 			      input_message_buffer,
+ 			      input_assoc_buffer,
+ 			      output_payload_buffer,
+@@ -2467,8 +2553,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
+ 		    int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_iov(minor_status,
+-			   context_handle,
++			   sc->ctx_handle,
+ 			   conf_req_flag,
+ 			   qop_req,
+ 			   conf_state,
+@@ -2486,8 +2577,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
+ 		      int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap_iov(minor_status,
+-			     context_handle,
++			     sc->ctx_handle,
+ 			     conf_state,
+ 			     qop_state,
+ 			     iov,
+@@ -2505,8 +2601,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
+ 			   int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_iov_length(minor_status,
+-				  context_handle,
++				  sc->ctx_handle,
+ 				  conf_req_flag,
+ 				  qop_req,
+ 				  conf_state,
+@@ -2523,8 +2624,13 @@ spnego_gss_complete_auth_token(
+ 		gss_buffer_t input_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_complete_auth_token(minor_status,
+-				      context_handle,
++				      sc->ctx_handle,
+ 				      input_message_buffer);
+ 	return (ret);
+ }
+@@ -2776,8 +2882,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
+ 			 gss_buffer_t prf_out)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_pseudo_random(minor_status,
+-				context,
++				sc->ctx_handle,
+ 				prf_key,
+ 				prf_in,
+ 				desired_output_len,
+@@ -2918,7 +3029,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ 		       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
+ 		       int iov_count)
+ {
+-    return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
+ 			   iov_count);
+ }
+ 
+@@ -2927,7 +3043,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ 			  gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
+ 			  int iov_count)
+ {
+-    return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
+ 			      iov_count);
+ }
+ 
+@@ -2936,7 +3057,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
+ 			      gss_ctx_id_t context_handle, gss_qop_t qop_req,
+ 			      gss_iov_buffer_desc *iov, int iov_count)
+ {
+-    return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
+ 				  iov_count);
+ }
+ 
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch
new file mode 100644
index 0000000000..aa9fcfa0dd
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch
@@ -0,0 +1,65 @@
+Copied from Debian.
+
+From 18c512ebdcc5cacc777e9dbcc6817f83c301ad93 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 4 Nov 2015 21:29:10 -0500
+Subject: Fix SPNEGO context import
+
+The patches for CVE-2015-2695 did not implement a SPNEGO
+gss_import_sec_context() function, under the erroneous belief than an
+exported SPNEGO context would be tagged with the underlying context
+mechanism.  Implement it now to allow SPNEGO contexts to be
+successfully exported and imported after establishment.
+
+ticket: 8273
+(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index a1072b0..02284a1 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -2256,12 +2256,33 @@ spnego_gss_import_sec_context(
+ 	const gss_buffer_t	interprocess_token,
+ 	gss_ctx_id_t		*context_handle)
+ {
+-	/*
+-	 * Until we implement partial context exports, there are no SPNEGO
+-	 * exported context tokens, only tokens for underlying mechs.  So just
+-	 * return an error for now.
+-	 */
+-	return GSS_S_UNAVAILABLE;
++	OM_uint32 ret, tmpmin;
++	gss_ctx_id_t mctx;
++	spnego_gss_ctx_id_t sc;
++	int initiate, opened;
++
++	ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
++	if (ret != GSS_S_COMPLETE)
++		return ret;
++
++	ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
++				  &initiate, &opened);
++	if (ret != GSS_S_COMPLETE || !opened) {
++		/* We don't currently support importing partially established
++		 * contexts. */
++		(void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++		return GSS_S_FAILURE;
++	}
++
++	sc = create_spnego_ctx(initiate);
++	if (sc == NULL) {
++		(void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++		return GSS_S_FAILURE;
++	}
++	sc->ctx_handle = mctx;
++	sc->opened = 1;
++	*context_handle = (gss_ctx_id_t)sc;
++	return GSS_S_COMPLETE;
+ }
+ #endif /* LEAN_CLIENT */
+ 
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch
new file mode 100644
index 0000000000..7b4b1d71ab
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch
@@ -0,0 +1,736 @@
+Copied from Debian.
+
+From ebea85358bc72ec20c53130d83acb93f95853b76 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Mon, 14 Sep 2015 12:28:36 -0400
+Subject: Fix IAKERB context aliasing bugs [CVE-2015-2696]
+
+The IAKERB mechanism currently replaces its context handle with the
+krb5 mechanism handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the IAKERB context structure after context
+establishment and add new IAKERB entry points to refer to it with that
+type.  Add initiate and established flags to the IAKERB context
+structure for use in gss_inquire_context() prior to context
+establishment.
+
+CVE-2015-2696:
+
+In MIT krb5 1.9 and later, applications which call
+gss_inquire_context() on a partially-established IAKERB context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  Java server applications using the
+native JGSS provider are vulnerable to this bug.  A carefully crafted
+IAKERB packet might allow the gss_inquire_context() call to succeed
+with attacker-determined results, but applications should not make
+access control decisions based on gss_inquire_context() results prior
+to context establishment.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghudson@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a)
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
+ src/lib/gssapi/krb5/gssapi_krb5.c  | 105 +++++++++--
+ src/lib/gssapi/krb5/iakerb.c       | 351 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 529 insertions(+), 41 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index a0e8625..05dc321 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
+ );
+ #endif /* LEAN_CLIENT */
+ 
++OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
++(OM_uint32*,       /* minor_status */
++ const gss_ctx_id_t,
++ /* context_handle */
++ const gss_OID,    /* desired_object */
++ gss_buffer_set_t* /* data_set */
++);
++
++OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
++(OM_uint32*,       /* minor_status */
++ gss_ctx_id_t*,    /* context_handle */
++ const gss_OID,    /* desired_object */
++ const gss_buffer_t/* value */
++);
++
+ OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
+ (OM_uint32*,       /* minor_status */
+  gss_ctx_id_t,     /* context_handle */
+@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV
+ krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
+                      gss_cred_id_t *cred_handle);
+ 
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_process_context_token(OM_uint32 *minor_status,
++                                 const gss_ctx_id_t context_handle,
++                                 const gss_buffer_t token_buffer);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                        OM_uint32 *time_rec);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_context(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, gss_name_t *src_name,
++                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
++                           gss_OID *mech_type, OM_uint32 *ctx_flags,
++                           int *locally_initiated, int *opened);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                   gss_qop_t qop_req, gss_buffer_t message_buffer,
++                   gss_buffer_t message_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
++                       int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
++                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
++                              gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
++                      gss_qop_t *qop_state);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
++                          int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                int conf_req_flag, gss_qop_t qop_req,
++                gss_buffer_t input_message_buffer, int *conf_state,
++                gss_buffer_t output_message_buffer);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++                    gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, int *conf_state,
++                           gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                  gss_buffer_t input_message_buffer,
++                  gss_buffer_t output_message_buffer, int *conf_state,
++                  gss_qop_t *qop_state);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      int *conf_state, gss_qop_t *qop_state,
++                      gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, OM_uint32 req_output_size,
++                           OM_uint32 *max_input_size);
++
++#ifndef LEAN_CLIENT
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_export_sec_context(OM_uint32 *minor_status,
++                              gss_ctx_id_t *context_handle,
++                              gss_buffer_t interprocess_token);
++#endif /* LEAN_CLIENT */
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
++                                      const gss_ctx_id_t context_handle,
++                                      const gss_OID desired_object,
++                                      gss_buffer_set_t *data_set);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
++                                  gss_ctx_id_t *context_handle,
++                                  const gss_OID desired_object,
++                                  const gss_buffer_t value);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                         int prf_key, const gss_buffer_t prf_in,
++                         ssize_t desired_output_len, gss_buffer_t prf_out);
++
+ /* Magic string to identify exported krb5 GSS credentials.  Increment this if
+  * the format changes. */
+ #define CRED_EXPORT_MAGIC "K5C1"
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 77b7fff..9a23656 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -345,7 +345,7 @@ static struct {
+     }
+ };
+ 
+-static OM_uint32 KRB5_CALLCONV
++OM_uint32 KRB5_CALLCONV
+ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+                                      const gss_ctx_id_t context_handle,
+                                      const gss_OID desired_object,
+@@ -459,7 +459,7 @@ static struct {
+ };
+ #endif
+ 
+-static OM_uint32 KRB5_CALLCONV
++OM_uint32 KRB5_CALLCONV
+ krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
+                                  gss_ctx_id_t *context_handle,
+                                  const gss_OID desired_object,
+@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = {
+     krb5_gss_get_mic_iov_length,
+ };
+ 
++/* Functions which use security contexts or acquire creds are IAKERB-specific;
++ * other functions can borrow from the krb5 mech. */
++static struct gss_config iakerb_mechanism = {
++    { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
++    NULL,
++    iakerb_gss_acquire_cred,
++    krb5_gss_release_cred,
++    iakerb_gss_init_sec_context,
++#ifdef LEAN_CLIENT
++    NULL,
++#else
++    iakerb_gss_accept_sec_context,
++#endif
++    iakerb_gss_process_context_token,
++    iakerb_gss_delete_sec_context,
++    iakerb_gss_context_time,
++    iakerb_gss_get_mic,
++    iakerb_gss_verify_mic,
++#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
++    NULL,
++#else
++    iakerb_gss_wrap,
++#endif
++#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
++    NULL,
++#else
++    iakerb_gss_unwrap,
++#endif
++    krb5_gss_display_status,
++    krb5_gss_indicate_mechs,
++    krb5_gss_compare_name,
++    krb5_gss_display_name,
++    krb5_gss_import_name,
++    krb5_gss_release_name,
++    krb5_gss_inquire_cred,
++    NULL,                /* add_cred */
++#ifdef LEAN_CLIENT
++    NULL,
++    NULL,
++#else
++    iakerb_gss_export_sec_context,
++    NULL,
++#endif
++    krb5_gss_inquire_cred_by_mech,
++    krb5_gss_inquire_names_for_mech,
++    iakerb_gss_inquire_context,
++    krb5_gss_internal_release_oid,
++    iakerb_gss_wrap_size_limit,
++    krb5_gss_localname,
++    krb5_gss_authorize_localname,
++    krb5_gss_export_name,
++    krb5_gss_duplicate_name,
++    krb5_gss_store_cred,
++    iakerb_gss_inquire_sec_context_by_oid,
++    krb5_gss_inquire_cred_by_oid,
++    iakerb_gss_set_sec_context_option,
++    krb5_gssspi_set_cred_option,
++    krb5_gssspi_mech_invoke,
++    NULL,                /* wrap_aead */
++    NULL,                /* unwrap_aead */
++    iakerb_gss_wrap_iov,
++    iakerb_gss_unwrap_iov,
++    iakerb_gss_wrap_iov_length,
++    NULL,               /* complete_auth_token */
++    NULL,               /* acquire_cred_impersonate_name */
++    NULL,               /* add_cred_impersonate_name */
++    NULL,               /* display_name_ext */
++    krb5_gss_inquire_name,
++    krb5_gss_get_name_attribute,
++    krb5_gss_set_name_attribute,
++    krb5_gss_delete_name_attribute,
++    krb5_gss_export_name_composite,
++    krb5_gss_map_name_to_any,
++    krb5_gss_release_any_name_mapping,
++    iakerb_gss_pseudo_random,
++    NULL,               /* set_neg_mechs */
++    krb5_gss_inquire_saslname_for_mech,
++    krb5_gss_inquire_mech_for_saslname,
++    krb5_gss_inquire_attrs_for_mech,
++    krb5_gss_acquire_cred_from,
++    krb5_gss_store_cred_into,
++    iakerb_gss_acquire_cred_with_password,
++    krb5_gss_export_cred,
++    krb5_gss_import_cred,
++    NULL,               /* import_sec_context_by_mech */
++    NULL,               /* import_name_by_mech */
++    NULL,               /* import_cred_by_mech */
++    iakerb_gss_get_mic_iov,
++    iakerb_gss_verify_mic_iov,
++    iakerb_gss_get_mic_iov_length,
++};
++
+ #ifdef _GSS_STATIC_LINK
+ #include "mglueP.h"
+ static int gss_iakerbmechglue_init(void)
+ {
+     struct gss_mech_config mech_iakerb;
+-    struct gss_config iakerb_mechanism = krb5_mechanism;
+-
+-    /* IAKERB mechanism mirrors krb5, but with different context SPIs */
+-    iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
+-    iakerb_mechanism.gss_init_sec_context   = iakerb_gss_init_sec_context;
+-    iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
+-    iakerb_mechanism.gss_acquire_cred       = iakerb_gss_acquire_cred;
+-    iakerb_mechanism.gssspi_acquire_cred_with_password
+-                                    = iakerb_gss_acquire_cred_with_password;
+ 
+     memset(&mech_iakerb, 0, sizeof(mech_iakerb));
+     mech_iakerb.mech = &iakerb_mechanism;
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index f30de32..4662bd9 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
+     gss_ctx_id_t gssc;
+     krb5_data conv;                     /* conversation for checksumming */
+     unsigned int count;                 /* number of round trips */
++    int initiate;
++    int established;
+     krb5_get_init_creds_opt *gic_opts;
+ };
+ 
+@@ -695,7 +697,7 @@ cleanup:
+  * Allocate and initialise an IAKERB context
+  */
+ static krb5_error_code
+-iakerb_alloc_context(iakerb_ctx_id_t *pctx)
++iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
+ {
+     iakerb_ctx_id_t ctx;
+     krb5_error_code code;
+@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
+     ctx->magic = KG_IAKERB_CONTEXT;
+     ctx->state = IAKERB_AS_REQ;
+     ctx->count = 0;
++    ctx->initiate = initiate;
++    ctx->established = 0;
+ 
+     code = krb5_gss_init_context(&ctx->k5c);
+     if (code != 0)
+@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+                               gss_buffer_t output_token)
+ {
+-    OM_uint32 major_status = GSS_S_COMPLETE;
++    iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+     if (output_token != GSS_C_NO_BUFFER) {
+         output_token->length = 0;
+@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+     }
+ 
+     *minor_status = 0;
++    *context_handle = GSS_C_NO_CONTEXT;
++    iakerb_release_context(iakerb_ctx);
+ 
+-    if (*context_handle != GSS_C_NO_CONTEXT) {
+-        iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
+-
+-        if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
+-            iakerb_release_context(iakerb_ctx);
+-            *context_handle = GSS_C_NO_CONTEXT;
+-        } else {
+-            assert(iakerb_ctx->magic == KG_CONTEXT);
+-
+-            major_status = krb5_gss_delete_sec_context(minor_status,
+-                                                       context_handle,
+-                                                       output_token);
+-        }
+-    }
+-
+-    return major_status;
++    return GSS_S_COMPLETE;
+ }
+ 
+ static krb5_boolean
+@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
+     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ 
+     if (initialContextToken) {
+-        code = iakerb_alloc_context(&ctx);
++        code = iakerb_alloc_context(&ctx, 0);
+         if (code != 0)
+             goto cleanup;
+ 
+@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
+                                                        time_rec,
+                                                        delegated_cred_handle,
+                                                        &exts);
+-        if (major_status == GSS_S_COMPLETE) {
+-            *context_handle = ctx->gssc;
+-            ctx->gssc = NULL;
+-            iakerb_release_context(ctx);
+-        }
++        if (major_status == GSS_S_COMPLETE)
++            ctx->established = 1;
+         if (mech_type != NULL)
+             *mech_type = (gss_OID)gss_mech_krb5;
+     }
+@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ 
+     if (initialContextToken) {
+-        code = iakerb_alloc_context(&ctx);
++        code = iakerb_alloc_context(&ctx, 1);
+         if (code != 0) {
+             *minor_status = code;
+             goto cleanup;
+@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+                                                      ret_flags,
+                                                      time_rec,
+                                                      &exts);
+-        if (major_status == GSS_S_COMPLETE) {
+-            *context_handle = ctx->gssc;
+-            ctx->gssc = GSS_C_NO_CONTEXT;
+-            iakerb_release_context(ctx);
+-        }
++        if (major_status == GSS_S_COMPLETE)
++            ctx->established = 1;
+         if (actual_mech_type != NULL)
+             *actual_mech_type = (gss_OID)gss_mech_krb5;
+     } else {
+@@ -1010,3 +995,309 @@ cleanup:
+ 
+     return major_status;
+ }
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                  gss_buffer_t input_message_buffer,
++                  gss_buffer_t output_message_buffer, int *conf_state,
++                  gss_qop_t *qop_state)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
++                           output_message_buffer, conf_state, qop_state);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                int conf_req_flag, gss_qop_t qop_req,
++                gss_buffer_t input_message_buffer, int *conf_state,
++                gss_buffer_t output_message_buffer)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
++                         input_message_buffer, conf_state,
++                         output_message_buffer);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_process_context_token(OM_uint32 *minor_status,
++                                 const gss_ctx_id_t context_handle,
++                                 const gss_buffer_t token_buffer)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_DEFECTIVE_TOKEN;
++
++    return krb5_gss_process_context_token(minor_status, ctx->gssc,
++                                          token_buffer);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                        OM_uint32 *time_rec)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
++}
++
++#ifndef LEAN_CLIENT
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_export_sec_context(OM_uint32 *minor_status,
++                              gss_ctx_id_t *context_handle,
++                              gss_buffer_t interprocess_token)
++{
++    OM_uint32 maj;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    /* We don't currently support exporting partially established contexts. */
++    if (!ctx->established)
++        return GSS_S_UNAVAILABLE;
++
++    maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
++                                      interprocess_token);
++    if (ctx->gssc == GSS_C_NO_CONTEXT) {
++        iakerb_release_context(ctx);
++        *context_handle = GSS_C_NO_CONTEXT;
++    }
++    return maj;
++}
++
++/*
++ * Until we implement partial context exports, there are no SPNEGO exported
++ * context tokens, only tokens for the underlying krb5 context.  So we do not
++ * need to implement an iakerb_gss_import_sec_context() yet; it would be
++ * unreachable except via a manually constructed token.
++ */
++
++#endif /* LEAN_CLIENT */
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_context(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, gss_name_t *src_name,
++                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
++                           gss_OID *mech_type, OM_uint32 *ctx_flags,
++                           int *initiate, int *opened)
++{
++    OM_uint32 ret;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (src_name != NULL)
++        *src_name = GSS_C_NO_NAME;
++    if (targ_name != NULL)
++        *targ_name = GSS_C_NO_NAME;
++    if (lifetime_rec != NULL)
++        *lifetime_rec = 0;
++    if (mech_type != NULL)
++        *mech_type = (gss_OID)gss_mech_iakerb;
++    if (ctx_flags != NULL)
++        *ctx_flags = 0;
++    if (initiate != NULL)
++        *initiate = ctx->initiate;
++    if (opened != NULL)
++        *opened = ctx->established;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_COMPLETE;
++
++    ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
++                                   targ_name, lifetime_rec, mech_type,
++                                   ctx_flags, initiate, opened);
++
++    if (!ctx->established) {
++        /* Report IAKERB as the mech OID until the context is established. */
++        if (mech_type != NULL)
++            *mech_type = (gss_OID)gss_mech_iakerb;
++
++        /* We don't support exporting partially-established contexts. */
++        if (ctx_flags != NULL)
++            *ctx_flags &= ~GSS_C_TRANS_FLAG;
++    }
++
++    return ret;
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, OM_uint32 req_output_size,
++                           OM_uint32 *max_input_size)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
++                                    qop_req, req_output_size, max_input_size);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                   gss_qop_t qop_req, gss_buffer_t message_buffer,
++                   gss_buffer_t message_token)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
++                            message_token);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
++                      gss_qop_t *qop_state)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
++                               token_buffer, qop_state);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
++                                      const gss_ctx_id_t context_handle,
++                                      const gss_OID desired_object,
++                                      gss_buffer_set_t *data_set)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_UNAVAILABLE;
++
++    return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
++                                               desired_object, data_set);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
++                                  gss_ctx_id_t *context_handle,
++                                  const gss_OID desired_object,
++                                  const gss_buffer_t value)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
++
++    if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_UNAVAILABLE;
++
++    return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
++                                           desired_object, value);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++                    gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
++                             conf_state, iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      int *conf_state, gss_qop_t *qop_state,
++                      gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
++                               iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, int *conf_state,
++                           gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
++                                    qop_req, conf_state, iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                         int prf_key, const gss_buffer_t prf_in,
++                         ssize_t desired_output_len, gss_buffer_t prf_out)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
++                                  desired_output_len, prf_out);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
++                       int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
++                                iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
++                          int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
++                                   iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
++                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
++                              gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
++                                       iov_count);
++}
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch
new file mode 100644
index 0000000000..f65ce39623
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch
@@ -0,0 +1,55 @@
+Copied from Debian.
+
+From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 25 Sep 2015 12:51:47 -0400
+Subject: Fix build_principal memory bug [CVE-2015-2697]
+
+In build_principal_va(), use k5memdup0() instead of strdup() to make a
+copy of the realm, to ensure that we allocate the correct number of
+bytes and do not read past the end of the input string.  This bug
+affects krb5_build_principal(), krb5_build_principal_va(), and
+krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
+affected.
+
+CVE-2015-2697:
+
+In MIT krb5 1.7 and later, an authenticated attacker may be able to
+cause a KDC to crash using a TGS request with a large realm field
+beginning with a null byte.  If the KDC attempts to find a referral to
+answer the request, it constructs a principal name for lookup using
+krb5_build_principal() with the requested realm.  Due to a bug in this
+function, the null byte causes only one byte be allocated for the
+realm field of the constructed principal, far less than its length.
+Subsequent operations on the lookup principal may cause a read beyond
+the end of the mapped memory region, causing the KDC process to crash.
+
+CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8252 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
+Patch-Category: upstream
+---
+ src/lib/krb5/krb/bld_princ.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
+index ab6fed8..8604268 100644
+--- a/src/lib/krb5/krb/bld_princ.c
++++ b/src/lib/krb5/krb/bld_princ.c
+@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
+     data = malloc(size * sizeof(krb5_data));
+     if (!data) { retval = ENOMEM; }
+ 
+-    if (!retval) {
+-        r = strdup(realm);
+-        if (!r) { retval = ENOMEM; }
+-    }
++    if (!retval)
++        r = k5memdup0(realm, rlen, &retval);
+ 
+     while (!retval && (component = va_arg(ap, char *))) {
+         if (count == size) {
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
new file mode 100644
index 0000000000..67545e4c16
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
@@ -0,0 +1,43 @@
+Copied from Debian.
+
+From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 27 Oct 2015 00:44:24 -0400
+Subject: Fix two IAKERB comments
+
+The comment explaining why there is no iakerb_gss_import_sec_context()
+erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
+Kaduk).  The comment above iakerb_gss_delete_sec_context() is out of
+date after the last commit.
+
+(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/iakerb.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..e25862d 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+     return code;
+ }
+ 
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ }
+ 
+ /*
+- * Until we implement partial context exports, there are no SPNEGO exported
++ * Until we implement partial context exports, there are no IAKERB exported
+  * context tokens, only tokens for the underlying krb5 context.  So we do not
+  * need to implement an iakerb_gss_import_sec_context() yet; it would be
+  * unreachable except via a manually constructed token.
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
new file mode 100644
index 0000000000..8725cd4eed
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
@@ -0,0 +1,132 @@
+Copied from Debian.
+
+From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 4 Nov 2015 21:28:28 -0500
+Subject: Fix IAKERB context export/import [CVE-2015-2698]
+
+The patches for CVE-2015-2696 contained a regression in the newly
+added IAKERB iakerb_gss_export_sec_context() function, which could
+cause it to corrupt memory.  Fix the regression by properly
+dereferencing the context_handle pointer before casting it.
+
+Also, the patches did not implement an IAKERB gss_import_sec_context()
+function, under the erroneous belief than an exported IAKERB context
+would be tagged as a krb5 context.  Implement it now to allow IAKERB
+contexts to be successfully exported and imported after establishment.
+
+CVE-2015-2698:
+
+In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
+application which calls gss_export_sec_context() may experience memory
+corruption if the context was established using the IAKERB mechanism.
+Historically, some vulnerabilities of this nature can be translated
+into remote code execution, though the necessary exploits must be
+tailored to the individual application and are usually quite
+complicated.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8273 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h |  5 +++++
+ src/lib/gssapi/krb5/gssapi_krb5.c  |  2 +-
+ src/lib/gssapi/krb5/iakerb.c       | 42 +++++++++++++++++++++++++++++++-------
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 05dc321..ac53662 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+                               gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++                              const gss_buffer_t interprocess_token,
++                              gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 9a23656..d7ba279 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
+     NULL,
+ #else
+     iakerb_gss_export_sec_context,
+-    NULL,
++    iakerb_gss_import_sec_context,
+ #endif
+     krb5_gss_inquire_cred_by_mech,
+     krb5_gss_inquire_names_for_mech,
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index e25862d..32a341e 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+                               gss_buffer_t interprocess_token)
+ {
+     OM_uint32 maj;
+-    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+     /* We don't currently support exporting partially established contexts. */
+     if (!ctx->established)
+@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+     return maj;
+ }
+ 
+-/*
+- * Until we implement partial context exports, there are no IAKERB exported
+- * context tokens, only tokens for the underlying krb5 context.  So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++                              gss_buffer_t interprocess_token,
++                              gss_ctx_id_t *context_handle)
++{
++    OM_uint32 maj, tmpmin;
++    krb5_error_code code;
++    gss_ctx_id_t gssc;
++    krb5_gss_ctx_id_t kctx;
++    iakerb_ctx_id_t ctx;
++
++    maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++    if (maj != GSS_S_COMPLETE)
++        return maj;
++    kctx = (krb5_gss_ctx_id_t)gssc;
++
++    if (!kctx->established) {
++        /* We don't currently support importing partially established
++         * contexts. */
++        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++        return GSS_S_FAILURE;
++    }
+ 
++    code = iakerb_alloc_context(&ctx, kctx->initiate);
++    if (code != 0) {
++        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++        *minor_status = code;
++        return GSS_S_FAILURE;
++    }
++
++    ctx->gssc = gssc;
++    ctx->established = 1;
++    *context_handle = (gss_ctx_id_t)ctx;
++    return GSS_S_COMPLETE;
++}
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV
diff --git a/gnu/packages/patches/mit-krb5-init-fix.patch b/gnu/packages/patches/mit-krb5-init-fix.patch
deleted file mode 100644
index 13e49c2789..0000000000
--- a/gnu/packages/patches/mit-krb5-init-fix.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Fix the early context initialization code to avoid assuming that
-arguments will be evaluated from right to left.
-
-Patch by Mark H Weaver <mhw@netris.org>.
-
---- src/lib/krb5/krb/t_cc_config.c.orig	2012-12-17 21:47:05.000000000 -0500
-+++ src/lib/krb5/krb/t_cc_config.c	2013-10-29 18:19:16.547994590 -0400
-@@ -117,8 +117,8 @@
-     int c;
-     unsigned int i;
- 
--    bail_on_err(context, "Error initializing Kerberos library",
--                krb5_init_context(&context));
-+    ret = krb5_init_context(&context);
-+    bail_on_err(context, "Error initializing Kerberos library", ret);
-     bail_on_err(context, "Error getting location of default ccache",
-                 krb5_cc_default(context, &ccache));
-     server = NULL;
diff --git a/gnu/packages/patches/mupen64plus-ui-console-notice.patch b/gnu/packages/patches/mupen64plus-ui-console-notice.patch
new file mode 100644
index 0000000000..1d0b4c46bb
--- /dev/null
+++ b/gnu/packages/patches/mupen64plus-ui-console-notice.patch
@@ -0,0 +1,34 @@
+Mupen64Plus supports a single data directory and a single plugin directory in
+its configuration, yet we need data and plugin files from a variety of
+packages.  The best way to deal with this is to install all packages from
+which data and plugin files are needed into one's profile, and point the
+configuration there.  Hence, the ui-console package provides propagated inputs
+for packages with the most important data and plugin files, and this patch
+provides the user instructions on what needs to be done in order to have
+Mupen64Plus find the relevant data and plugins.
+
+--- a/src/plugin.c
++++ b/src/plugin.c
+@@ -122,6 +122,22 @@ m64p_error PluginSearchLoad(m64p_handle ConfigUI)
+     {
+         const char *plugindir = (*ConfigGetParamString)(ConfigUI, "PluginDir");
+         lib_filelist = osal_library_search(plugindir);
++        /* Guix specific */
++        if (lib_filelist == NULL)
++        {
++            DebugMessage(M64MSG_ERROR, "No plugins found in PluginDir path: %s", plugindir);
++            DebugMessage(M64MSG_ERROR,
++                         "\n\n"
++                         "*********************************\n"
++                         "*** Notice for GNU Guix users ***\n"
++                         "*********************************\n"
++                         "\n"
++                         "You might want to edit your mupen64plus.cfg (in $XDG_CONFIG_HOME by default)\n"
++                         "and set SharedDataPath to /path/to/my_guix_profile/share/mupen64plus and\n"
++                         "PluginDir to /path/to/my_guix_profile/lib/mupen64plus so that data and plugins\n"
++                         "are found.\n"
++                         "\n");
++        }
+     }
+ 
+     /* if still no plugins found, search some common system folders */
diff --git a/gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch b/gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch
deleted file mode 100644
index f8318ae0f5..0000000000
--- a/gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-This patch has been submitted upstream: https://github.com/smithlabcode/preseq/pull/15
-
-From 65387b0d766e6c06a15cf8d8f9183d9a4ba644bb Mon Sep 17 00:00:00 2001
-From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
-Date: Thu, 25 Jun 2015 15:01:53 +0200
-Subject: [PATCH] Install to PREFIX
-
----
- Makefile | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 4d0367a..e334f2f 100644
---- a/preseq-master/Makefile
-+++ b/preseq-master/Makefile
-@@ -22,6 +22,10 @@ ifndef ROOT
- ROOT = $(shell pwd)
- endif
- 
-+ifndef PREFIX
-+PREFIX = $(ROOT)
-+endif
-+
- ifndef SMITHLAB_CPP
- SMITHLAB_CPP=$(ROOT)/smithlab_cpp/
- endif
-@@ -91,8 +95,8 @@ endif
- 	$(CXX) $(CXXFLAGS) -o $@ $^ $(INCLUDEARGS) $(LIBS)
- 
- install: $(PROGS)
--	@mkdir -p $(ROOT)/bin
--	@install -m 755 $(PROGS) $(ROOT)/bin
-+	@mkdir -p $(PREFIX)/bin
-+	@install -m 755 $(PROGS) $(PREFIX)/bin
- 
- clean:
- 	@-rm -f $(PROGS) *.o *~
diff --git a/gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch b/gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch
deleted file mode 100644
index 035a3b1fe4..0000000000
--- a/gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-This patch has been submitted upstream: https://github.com/smithlabcode/preseq/pull/15
-
-From a937a54d56e8a6ff06237471e568154d1fa5f267 Mon Sep 17 00:00:00 2001
-From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
-Date: Thu, 25 Jun 2015 15:02:35 +0200
-Subject: [PATCH] Link with libbam.a if provided via LIBBAM
-
----
- Makefile | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/Makefile b/Makefile
-index e334f2f..de310e4 100644
---- a/preseq-master/Makefile
-+++ b/preseq-master/Makefile
-@@ -83,10 +83,17 @@ $(PROGS): $(addprefix $(SMITHLAB_CPP)/, \
- preseq: continued_fraction.o load_data_for_complexity.o moment_sequence.o
- 
- ifdef SAMTOOLS_DIR
-+ifdef LIBBAM
-+LIBS += -pthread
-+bam2mr preseq: $(addprefix $(SMITHLAB_CPP)/, SAM.o) \
-+        $(LIBBAM)
-+else
- bam2mr preseq: $(addprefix $(SMITHLAB_CPP)/, SAM.o) \
-         $(addprefix $(SAMTOOLS_DIR)/, sam.o bam.o bam_import.o bam_pileup.o \
-         faidx.o bam_aux.o kstring.o knetfile.o sam_header.o razf.o bgzf.o)
- endif
-+endif # SAMTOOLS_DIR
-+
- 
- %.o: %.cpp %.hpp
- 	$(CXX) $(CXXFLAGS) -c -o $@ $< $(INCLUDEARGS)
diff --git a/gnu/packages/patches/python-2-deterministic-build-info.patch b/gnu/packages/patches/python-2-deterministic-build-info.patch
new file mode 100644
index 0000000000..25a079fe90
--- /dev/null
+++ b/gnu/packages/patches/python-2-deterministic-build-info.patch
@@ -0,0 +1,17 @@
+Always provide the same date and time in 'Py_GetBuildInfo'.
+This is the information shown at the REPL and in 'sys.version'.
+We cannot pass it in CPPFLAGS due to whitespace in the DATE string.
+
+--- a/Modules/getbuildinfo.c
++++ b/Modules/getbuildinfo.c
+@@ -4,6 +4,10 @@
+ #include <stdio.h>
+ #endif
+ 
++/* Deterministic date and time.  */
++#define DATE "Jan  1 1970"
++#define TIME "00:00:01"
++
+ #ifndef DATE
+ #ifdef __DATE__
+ #define DATE __DATE__
diff --git a/gnu/packages/patches/python-2.7-source-date-epoch.patch b/gnu/packages/patches/python-2.7-source-date-epoch.patch
new file mode 100644
index 0000000000..be1f8e010e
--- /dev/null
+++ b/gnu/packages/patches/python-2.7-source-date-epoch.patch
@@ -0,0 +1,33 @@
+Honor the 'SOURCE_DATE_EPOCH' environment variable to allow for
+determinitic builds.
+
+--- a/Lib/py_compile.py
++++ b/Lib/py_compile.py
+@@ -105,7 +105,10 @@ def compile(file, cfile=None, dfile=None, doraise=False):
+     """
+     with open(file, 'U') as f:
+         try:
+-            timestamp = long(os.fstat(f.fileno()).st_mtime)
++            if 'SOURCE_DATE_EPOCH' in os.environ:
++                timestamp = long(os.environ['SOURCE_DATE_EPOCH'])
++            else:
++                timestamp = long(os.fstat(f.fileno()).st_mtime)
+         except AttributeError:
+             timestamp = long(os.stat(file).st_mtime)
+         codestring = f.read()
+diff --git a/Python/import.c b/Python/import.c
+index e47ce63..7eecf9c 100644
+--- a/Python/import.c
++++ b/Python/import.c
+@@ -945,6 +945,11 @@ write_compiled_module(PyCodeObject *co, char *cpathname, struct stat *srcstat, t
+     /* Now write the true mtime (as a 32-bit field) */
+     fseek(fp, 4L, 0);
+     assert(mtime <= 0xFFFFFFFF);
++    if (Py_GETENV("SOURCE_DATE_EPOCH") != NULL) {
++	const char *epoch = Py_GETENV("SOURCE_DATE_EPOCH");
++	mtime = atoi(epoch);
++    }
++
+     PyMarshal_WriteLongToFile((long)mtime, fp, Py_MARSHAL_VERSION);
+     fflush(fp);
+     fclose(fp);
diff --git a/gnu/packages/patches/python-3-deterministic-build-info.patch b/gnu/packages/patches/python-3-deterministic-build-info.patch
new file mode 100644
index 0000000000..22c372a0cf
--- /dev/null
+++ b/gnu/packages/patches/python-3-deterministic-build-info.patch
@@ -0,0 +1,17 @@
+Always provide the same date and time in 'Py_GetBuildInfo'.
+This is the information shown at the REPL and in 'sys.version'.
+We cannot pass it in CPPFLAGS due to whitespace in the DATE string.
+
+--- Modules/getbuildinfo.c
++++ Modules/getbuildinfo.c
+@@ -4,6 +4,10 @@
+ #include <stdio.h>
+ #endif
+ 
++/* Deterministic date and time.  */
++#define DATE "Jan  1 1970"
++#define TIME "00:00:01"
++
+ #ifndef DATE
+ #ifdef __DATE__
+ #define DATE __DATE__
diff --git a/gnu/packages/patches/python-configobj-setuptools.patch b/gnu/packages/patches/python-configobj-setuptools.patch
new file mode 100644
index 0000000000..3f207ffd74
--- /dev/null
+++ b/gnu/packages/patches/python-configobj-setuptools.patch
@@ -0,0 +1,30 @@
+From 16fbc38f13e435b4e3e1a37d706e64e05bad4691 Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Tue, 10 Nov 2015 23:09:24 -0500
+Subject: [PATCH] patch build to use setuptools
+
+---
+ setup.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index c6d57a6..27bf260 100644
+--- a/setup.py
++++ b/setup.py
+@@ -12,7 +12,12 @@
+ # http://opensource.org/licenses/BSD-3-Clause
+ import os
+ import sys
+-from distutils.core import setup
++
++try:
++    from setuptools import setup
++except ImportError:
++    from distutils.core import setup
++
+ # a simple import wouldn't work if we moved towards a package with __init__
+ from _version import __version__
+ 
+-- 
+2.6.2
+
diff --git a/gnu/packages/patches/scribus-qobject.patch b/gnu/packages/patches/scribus-qobject.patch
new file mode 100644
index 0000000000..91be932f1b
--- /dev/null
+++ b/gnu/packages/patches/scribus-qobject.patch
@@ -0,0 +1,17 @@
+See upstream bug report: http://bugs.scribus.net/view.php?id=13102
+
+scribus/sclayer.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/scribus/sclayer.cpp b/scribus/sclayer.cpp
+index 502112b..4da7bd5 100644
+--- a/scribus/sclayer.cpp
++++ b/scribus/sclayer.cpp
+@@ -9,6 +9,7 @@ for which a new license (GPL+exception) is in place.
+ 

+ #include <QHash>   //necessary to avoid msvc warnings induced by SCRIBUS_API on ScLayers + early instanciation of templates

+ #include <QVector> //necessary to avoid msvc warnings induced by SCRIBUS_API on ScLayers + early instanciation of templates

++#include <QObject>

+ #include <QtAlgorithms>

+ 

+ ScLayer::ScLayer(void)

diff --git a/gnu/packages/patches/synfig-build-fix.patch b/gnu/packages/patches/synfig-build-fix.patch
new file mode 100644
index 0000000000..3f6168e0fb
--- /dev/null
+++ b/gnu/packages/patches/synfig-build-fix.patch
@@ -0,0 +1,61 @@
+Allow Synfig to build in C++11 mode.
+
+Taken from here:
+https://projects.archlinux.org/svntogit/community.git/plain/trunk/build-fix.patch?h=packages/synfig
+
+diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.cpp synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.cpp
+--- synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.cpp	2015-03-28 13:15:00.000000000 +0300
++++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.cpp	2015-04-28 16:56:11.568749053 +0300
+@@ -56,8 +56,8 @@
+ /* === M E T H O D S ======================================================= */
+ 
+ 
+-Importer_LibAVCodec::Importer_LibAVCodec(const char *file):
+-	filename(file)
++Importer_LibAVCodec::Importer_LibAVCodec(const synfig::FileSystem::Identifier &identifier):
++	Importer(identifier)
+ {
+ }
+ 
+diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.h synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.h
+--- synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.h	2015-03-28 13:15:00.000000000 +0300
++++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.h	2015-04-28 16:55:18.699192946 +0300
+@@ -46,7 +46,7 @@
+ 	synfig::String filename;
+ 
+ public:
+-	Importer_LibAVCodec(const char *filename);
++	Importer_LibAVCodec(const synfig::FileSystem::Identifier &identifier);
+ 	~Importer_LibAVCodec();
+ 
+ 	virtual bool get_frame(synfig::Surface &surface, const synfig::RendDesc &renddesc, synfig::Time time, synfig::ProgressCallback *callback);
+diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/trgt_av.cpp synfig-1.0-RC5.my/src/modules/mod_libavcodec/trgt_av.cpp
+--- synfig-1.0-RC5/src/modules/mod_libavcodec/trgt_av.cpp	2015-03-28 13:15:00.000000000 +0300
++++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/trgt_av.cpp	2015-04-28 16:46:54.720091106 +0300
+@@ -121,14 +121,14 @@
+     picture = avcodec_alloc_frame();
+     if (!picture)
+         return NULL;
+-    size = avpicture_get_size(pix_fmt, width, height);
++    size = avpicture_get_size((::PixelFormat)pix_fmt, width, height);
+     picture_buf = (uint8_t *)malloc(size);
+     if (!picture_buf) {
+         av_free(picture);
+         return NULL;
+     }
+     avpicture_fill((AVPicture *)picture, picture_buf,
+-                   pix_fmt, width, height);
++                   (::PixelFormat)pix_fmt, width, height);
+     return picture;
+ }
+ 
+diff -wbBur synfig-1.0.2/src/synfig/time.cpp synfig-1.0.2.my/src/synfig/time.cpp
+--- synfig-1.0.2/src/synfig/time.cpp	2015-07-09 10:33:03.000000000 +0300
++++ synfig-1.0.2.my/src/synfig/time.cpp	2015-10-12 13:54:58.382313903 +0300
+@@ -319,5 +319,5 @@
+ bool
+ Time::is_valid()const
+ {
+-	return !isnan(value_);
++	return !::isnan(value_);
+ }
diff --git a/gnu/packages/patches/tcl-mkindex-deterministic.patch b/gnu/packages/patches/tcl-mkindex-deterministic.patch
new file mode 100644
index 0000000000..2fcef6a4f7
--- /dev/null
+++ b/gnu/packages/patches/tcl-mkindex-deterministic.patch
@@ -0,0 +1,29 @@
+This patch ensures that the 'tclIndex' files generated by 'auto_mkindex'
+are sorted in a deterministic fashion.
+
+Fixes a non-determinism issue reported
+at <https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00696.html>.
+
+--- tcl8.6.4/library/auto.tcl	2015-02-26 17:57:28.000000000 +0100
++++ tcl8.6.4/library/auto.tcl	2015-11-13 23:18:34.964831717 +0100
+@@ -207,6 +207,9 @@ proc auto_mkindex {dir args} {
+ 	set args *.tcl
+     }
+ 
++    # Keep file names sorted in a determistic order.
++    set args [lsort -ascii $args]
++
+     auto_mkindex_parser::init
+     foreach file [glob -- {*}$args] {
+ 	try {
+@@ -241,6 +244,10 @@ proc auto_mkindex_old {dir args} {
+     if {![llength $args]} {
+ 	set args *.tcl
+     }
++
++    # Keep file names sorted in a determistic order.
++    set args [lsort -ascii $args]
++
+     foreach file [glob -- {*}$args] {
+ 	set f ""
+ 	set error [catch {
diff --git a/gnu/packages/patches/tinyxml-use-stl.patch b/gnu/packages/patches/tinyxml-use-stl.patch
new file mode 100644
index 0000000000..5d8aa899a9
--- /dev/null
+++ b/gnu/packages/patches/tinyxml-use-stl.patch
@@ -0,0 +1,41 @@
+From a53b6ee4519a7657164610ac14a82c57b1273bf6 Mon Sep 17 00:00:00 2001
+From: David Thompson <dthompson2@worcester.edu>
+Date: Mon, 23 Nov 2015 06:54:36 -0500
+Subject: [PATCH] Use STL.
+
+Software that uses the shared library, such as Kodi, assume that TinyXML was
+compiled with STL activated.
+
+---
+ tinyxml.h   | 2 ++
+ xmltest.cpp | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/tinyxml.h b/tinyxml.h
+index a3589e5..6cbfc7d 100644
+--- a/tinyxml.h
++++ b/tinyxml.h
+@@ -43,6 +43,8 @@ distribution.
+ #define DEBUG
+ #endif
+ 
++#define TIXML_USE_STL 1
++
+ #ifdef TIXML_USE_STL
+ 	#include <string>
+  	#include <iostream>
+diff --git a/xmltest.cpp b/xmltest.cpp
+index 663c157..057dbfe 100644
+--- a/xmltest.cpp
++++ b/xmltest.cpp
+@@ -2,6 +2,7 @@
+    Test program for TinyXML.
+ */
+ 
++#define TIXML_USE_STL 1
+ 
+ #ifdef TIXML_USE_STL
+ 	#include <iostream>
+-- 
+2.5.0
+
diff --git a/gnu/packages/patches/tk-find-library.patch b/gnu/packages/patches/tk-find-library.patch
new file mode 100644
index 0000000000..70911bf0d2
--- /dev/null
+++ b/gnu/packages/patches/tk-find-library.patch
@@ -0,0 +1,29 @@
+This patch hard-codes the Tk library directory during package initialization.
+
+See <http://core.tcl.tk/tk/tktview/765642ffffffffffffff>.
+
+diff --git a/generic/tkWindow.c b/generic/tkWindow.c
+index b5cbbab..96b5501 100644
+--- a/generic/tkWindow.c
++++ b/generic/tkWindow.c
+@@ -988,6 +988,7 @@ TkCreateMainWindow(
+ 
+     Tcl_SetVar2(interp, "tk_patchLevel", NULL, TK_PATCH_LEVEL, TCL_GLOBAL_ONLY);
+     Tcl_SetVar2(interp, "tk_version",    NULL, TK_VERSION,     TCL_GLOBAL_ONLY);
++    Tcl_SetVar2(interp, "tk_library",    NULL, TK_LIBRARY,     TCL_GLOBAL_ONLY);
+ 
+     tsdPtr->numMainWindows++;
+     return tkwin;
+diff --git a/unix/Makefile.in b/unix/Makefile.in
+index f21fdbb..c61b0df 100644
+--- a/unix/Makefile.in
++++ b/unix/Makefile.in
+@@ -1029,7 +1029,7 @@ tkVisual.o: $(GENERIC_DIR)/tkVisual.c
+ 	$(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkVisual.c
+ 
+ tkWindow.o: $(GENERIC_DIR)/tkWindow.c
+-	$(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkWindow.c
++	$(CC) -c $(CC_SWITCHES) -DTK_LIBRARY=\"${TK_LIBRARY}\" $(GENERIC_DIR)/tkWindow.c
+ 
+ tkButton.o: $(GENERIC_DIR)/tkButton.c
+ 	$(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkButton.c
diff --git a/gnu/packages/patches/torsocks-dns-test.patch b/gnu/packages/patches/torsocks-dns-test.patch
new file mode 100644
index 0000000000..ba70ba5933
--- /dev/null
+++ b/gnu/packages/patches/torsocks-dns-test.patch
@@ -0,0 +1,18 @@
+Skip DNS tests that rely on the ability to look up arbitary
+host names.
+
+--- torsocks/tests/test_dns.c	2015-11-10 18:30:53.955941984 +0100
++++ torsocks/tests/test_dns.c	2015-11-10 18:31:02.199941892 +0100
+@@ -134,11 +134,8 @@ static void test_getaddrinfo(const struc
+ int main(int argc, char **argv)
+ {
+ 	/* Libtap call for the number of tests planned. */
+-	plan_tests(NUM_TESTS);
++	plan_tests(1);
+ 
+-	test_getaddrinfo(&tor_check);
+-    test_gethostbyname(&tor_dir_auth1);
+-	test_gethostbyaddr(&tor_dir_auth2);
+ 	test_getaddrinfo(&tor_localhost);
+ 
+     return 0;
diff --git a/gnu/packages/patches/weechat-python.patch b/gnu/packages/patches/weechat-python.patch
new file mode 100644
index 0000000000..8182636ecb
--- /dev/null
+++ b/gnu/packages/patches/weechat-python.patch
@@ -0,0 +1,40 @@
+Get Python LDFLAGS from 'pkg-config'.
+
+The other approach is more complex and gets it wrong: it returns
+"-L/path/to/python/lib/python-2.7.10/lib/python2.7/config -lpython -lwhatever";
+since that config/ sub-directory contains libpython2.7.a, we end up
+statically linking Python in Weechat's python.so, which we do not want.
+
+--- weechat-1.3/configure.ac	2015-08-16 08:27:07.000000000 +0200
++++ weechat-1.3/configure.ac	2015-11-29 18:18:52.975197048 +0100
+@@ -535,29 +535,7 @@ if test "x$enable_python" = "xyes" ; the
+             if test -r "$PYTHON_INCLUDE/Python.h"; then
+                 PYTHON_CFLAGS="-I$PYTHON_INCLUDE"
+                 AC_MSG_RESULT(found)
+-                PYTHON_LIB=`$PYTHON -c "import sys, distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_config_var('LIBPL'))"`
+-                PYTHON_LFLAGS="-lpython$PYTHON_VERSION "`$PYTHON -c "import sys, distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_config_var('LIBS')+' '+distutils.sysconfig.get_config_var('SYSLIBS')+' '+distutils.sysconfig.get_config_var('LINKFORSHARED'))"`
+-                AC_MSG_CHECKING(for Python library)
+-                if test -r "$PYTHON_LIB/libpython$PYTHON_VERSION.so"; then
+-                   PYTHON_LFLAGS="-L$PYTHON_LIB $PYTHON_LFLAGS"
+-                   AC_MSG_RESULT(found)
+-                elif test -r "$PYTHON_LIB/libpython$PYTHON_VERSION.a"; then
+-                   PYTHON_LFLAGS="-L$PYTHON_LIB $PYTHON_LFLAGS"
+-                   AC_MSG_RESULT(found)
+-                elif test -r "$PYTHON_LIB/libpython$PYTHON_VERSION.dll.a"; then
+-                   PYTHON_LFLAGS="-L$PYTHON_LIB $PYTHON_LFLAGS"
+-                   AC_MSG_RESULT(found)
+-                elif test -r "$PYTHON_SYSPREFIX/lib/libpython$PYTHON_VERSION.so"; then
+-                   PYTHON_LFLAGS="-L$PYTHON_SYSPREFIX/lib/ $PYTHON_LFLAGS"
+-                   AC_MSG_RESULT(found)
+-                else
+-                    AC_MSG_WARN([
+-*** Python library couldn't be found on your system.
+-*** Try to install it with your software package manager.
+-*** WeeChat will be built without Python support.])
+-                    enable_python="no"
+-                    not_found="$not_found python"
+-                fi
++                PYTHON_LFLAGS=`pkg-config python2 --libs`
+             else
+                 AC_MSG_WARN([
+ *** Python header files couldn't be found on your system.
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch
new file mode 100644
index 0000000000..00e5b7c771
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch
@@ -0,0 +1,32 @@
+From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 25 Oct 2015 15:45:50 +0200
+Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
+ PMF in use
+
+WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
+enabled. Verify that PMF is in use before using this field on station
+side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 954de67..7d79499 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
+ 	end = ptr + key_len_total;
+ 	wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+ 
++	if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
++		wpa_msg(wpa_s, MSG_INFO,
++			"WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
++		return;
++	}
++
+ 	while (ptr + 1 < end) {
+ 		if (ptr + 2 + ptr[1] > end) {
+ 			wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch
new file mode 100644
index 0000000000..bfc4c74e95
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch
@@ -0,0 +1,51 @@
+From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Nov 2015 18:24:16 +0200
+Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5314)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index cb83ff7..9f787ab 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ 	/*
+ 	 * the first and all intermediate fragments have the M bit set
+ 	 */
+-	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ 		if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ 			wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ 				   "attack detected! (%d+%d > %d)",
+@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ 		}
+ 		wpabuf_put_data(data->inbuf, pos, len);
+ 		data->in_frag_pos += len;
++	}
++	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ 		wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
+ 			   (int) len);
+ 		return;
+@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ 	 * buffering fragments so that's how we know it's the last)
+ 	 */
+ 	if (data->in_frag_pos) {
+-		wpabuf_put_data(data->inbuf, pos, len);
+-		data->in_frag_pos += len;
+ 		pos = wpabuf_head_u8(data->inbuf);
+ 		len = data->in_frag_pos;
+ 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch
new file mode 100644
index 0000000000..82c26398b6
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch
@@ -0,0 +1,54 @@
+From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Nov 2015 18:18:17 +0200
+Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5315)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 1f78544..75ceef1 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ 	/*
+ 	 * buffer and ACK the fragment
+ 	 */
+-	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ 		data->in_frag_pos += len;
+ 		if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
+ 			wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
+@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ 			return NULL;
+ 		}
+ 		wpabuf_put_data(data->inbuf, pos, len);
+-
++	}
++	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
+ 				     EAP_PWD_HDR_SIZE,
+ 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
+@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ 	 * we're buffering and this is the last fragment
+ 	 */
+ 	if (data->in_frag_pos) {
+-		wpabuf_put_data(data->inbuf, pos, len);
+ 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ 			   (int) len);
+-		data->in_frag_pos += len;
+ 		pos = wpabuf_head_u8(data->inbuf);
+ 		len = data->in_frag_pos;
+ 	}
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch
new file mode 100644
index 0000000000..3088f6a6dc
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch
@@ -0,0 +1,34 @@
+From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Nov 2015 19:35:44 +0200
+Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
+
+If the Confirm message is received from the server before the Identity
+exchange has been completed, the group has not yet been determined and
+data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
+did not take this corner case into account and could end up
+dereferencing a NULL pointer and terminating the process if invalid
+message sequence is received. (CVE-2015-5316)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 75ceef1..892b590 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ 	wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
+ 
+ fin:
+-	bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
++	if (data->grp)
++		bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ 	BN_clear_free(x);
+ 	BN_clear_free(y);
+ 	if (data->outbuf == NULL) {
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/xfce4-session-fix-xflock4.patch b/gnu/packages/patches/xfce4-session-fix-xflock4.patch
new file mode 100644
index 0000000000..74769e4257
--- /dev/null
+++ b/gnu/packages/patches/xfce4-session-fix-xflock4.patch
@@ -0,0 +1,31 @@
+From cbb9c769316b4d32956a2c78aa01a38b473f0cfc Mon Sep 17 00:00:00 2001
+From: David Thompson <dthompson2@worcester.edu>
+Date: Fri, 30 Oct 2015 08:30:43 -0400
+Subject: [PATCH] xflock4: Do not override PATH with hardcoded value.
+
+The PATH "/bin:/usr/bin" may not be a valid search path on the user's
+machine.  The screen locking program may be in /usr/local/bin or
+elsewhere.  Distros that do not conform to the FHS, such as GuixSD and
+NixOS, will not have their executables in either location.  Thus, we
+simply leave PATH alone.
+---
+ scripts/xflock4 | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/scripts/xflock4 b/scripts/xflock4
+index ec4d05d..e7981ac 100644
+--- a/scripts/xflock4
++++ b/scripts/xflock4
+@@ -21,9 +21,6 @@
+ #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ #
+ 
+-PATH=/bin:/usr/bin
+-export PATH
+-
+ # Lock by xscreensaver or gnome-screensaver, if a respective daemon is running
+ for lock_cmd in \
+     "xscreensaver-command -lock" \
+-- 
+2.5.0
+