authorRicardo Wurmus <rekado@elephly.net>2018-06-29 22:51:23 +0200
committerRicardo Wurmus <rekado@elephly.net>2018-06-29 22:51:23 +0200
commitf1728d43460e63b106dd446e70001d8e100eaf6d (patch)
tree9d211fabf9e200743be49e25d108d58ed88d2f60 /gnu/packages/patches
parentcda7f4bc8ecf331d623c7d37b01931a46830c648 (diff)
parent373cc3b74a6ad33fddf75c2d773a97b1775bda8e (diff)
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/beignet-correct-file-names.patch32
-rw-r--r--gnu/packages/patches/bind-CVE-2018-5738.patch100
-rw-r--r--gnu/packages/patches/binutils-aarch64-symbol-relocation.patch36
-rw-r--r--gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch60
-rw-r--r--gnu/packages/patches/doxygen-gcc-ice.patch25
-rw-r--r--gnu/packages/patches/elixir-disable-failing-tests.patch284
-rw-r--r--gnu/packages/patches/flann-cmake-3.11.patch84
-rw-r--r--gnu/packages/patches/gcc-8-strmov-store-file-names.patch110
-rw-r--r--gnu/packages/patches/heimdal-CVE-2017-11103.patch45
-rw-r--r--gnu/packages/patches/heimdal-CVE-2017-6594.patch85
-rw-r--r--gnu/packages/patches/icecat-bug-1413868-pt1.patch663
-rw-r--r--gnu/packages/patches/java-commons-collections-fix-java8.patch299
-rw-r--r--gnu/packages/patches/libreoffice-icu.patch126
-rw-r--r--gnu/packages/patches/libtiff-CVE-2018-10963.patch40
-rw-r--r--gnu/packages/patches/libtiff-CVE-2018-8905.patch61
-rw-r--r--gnu/packages/patches/libyaml-CVE-2014-9130.patch30
-rw-r--r--gnu/packages/patches/maven-generate-component-xml.patch171
-rw-r--r--gnu/packages/patches/maven-generate-javax-inject-named.patch31
-rw-r--r--gnu/packages/patches/mrrescue-support-love-11.patch213
-rw-r--r--gnu/packages/patches/mumble-1.2.19-abs.patch31
-rw-r--r--gnu/packages/patches/nyx-show-header-stats-with-python3.patch70
-rw-r--r--gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch149
-rw-r--r--gnu/packages/patches/opensmtpd-fix-crash.patch44
-rw-r--r--gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch215
-rw-r--r--gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch50
-rw-r--r--gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch152
-rw-r--r--gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch50
-rw-r--r--gnu/packages/patches/password-store-gnupg-compat.patch28
-rw-r--r--gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch36
-rw-r--r--gnu/packages/patches/python-nose-timer-drop-ordereddict.patch44
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-11806.patch105
-rw-r--r--gnu/packages/patches/strace-kernel-4.16.patch92
-rw-r--r--gnu/packages/patches/upx-fix-CVE-2017-15056.patch96
-rw-r--r--gnu/packages/patches/x265-fix-ppc64le-build.patch25
34 files changed, 3074 insertions, 608 deletions
diff --git a/gnu/packages/patches/beignet-correct-file-names.patch b/gnu/packages/patches/beignet-correct-file-names.patch
new file mode 100644
index 0000000000..2c5d0bbaea
--- /dev/null
+++ b/gnu/packages/patches/beignet-correct-file-names.patch
@@ -0,0 +1,32 @@
+Help CMake find Clang's libraries.
+Have it install the ICD file in the right place.
+
+diff --git a/CMake/FindLLVM.cmake b/CMake/FindLLVM.cmake
+index 5457f248..e8e8f94a 100644
+--- a/CMake/FindLLVM.cmake
++++ b/CMake/FindLLVM.cmake
+@@ -107,7 +107,7 @@ endif (LLVM_VERSION_NODOT VERSION_GREATER 34)
+ macro(add_one_lib name)
+   FIND_LIBRARY(CLANG_LIB
+     NAMES ${name}
+-    PATHS ${LLVM_LIBRARY_DIR} NO_DEFAULT_PATH)
++    PATHS ${CLANG_LIBRARY_DIR} NO_DEFAULT_PATH)
+   set(CLANG_LIBRARIES ${CLANG_LIBRARIES} ${CLANG_LIB})
+ 	unset(CLANG_LIB CACHE)
+ endmacro()
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index c11acbb2..fb99e5c8 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -217,7 +217,7 @@ IF(OCLIcd_FOUND)
+     "intel-beignet.icd.in"
+     "${ICD_FILE_NAME}"
+   )
+-  install (FILES ${CMAKE_CURRENT_BINARY_DIR}/${ICD_FILE_NAME} DESTINATION /etc/OpenCL/vendors)
++  install (FILES ${CMAKE_CURRENT_BINARY_DIR}/${ICD_FILE_NAME} DESTINATION etc/OpenCL/vendors COMPONENT config)
+ ELSE(OCLIcd_FOUND)
+   MESSAGE(STATUS "Looking for OCL ICD header file - not found")
+   MESSAGE(FATAL_ERROR "OCL ICD loader miss. If you really want to disable OCL ICD support, please run cmake with option -DOCLICD_COMPAT=0.")
+--
+2.14.3
+
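Review bot: `add_one_lib` now searches only `${CLANG_LIBRARY_DIR}` with `NO_DEFAULT_PATH`, and nothing in this patch defines that variable, so a configure run that does not pass it leaves `CLANG_LIB` as NOTFOUND and appends that value to `CLANG_LIBRARIES`. Keeping the old directory as a second entry, `PATHS ${CLANG_LIBRARY_DIR} ${LLVM_LIBRARY_DIR} NO_DEFAULT_PATH)`, would preserve the previous lookup when the variable is unset. Presumably the package definition passes it on the cmake command line, but that is not visible in this directory's diff.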
diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
new file mode 100644
index 0000000000..ddef014651
--- /dev/null
+++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
@@ -0,0 +1,100 @@
+Fix CVE-2018-5738:
+
+https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f63554e..847c4ff 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	CHECKM(named_config_getport(config, &port), "port");
+ 	dns_view_setdstport(view, port);
+ 
+-	CHECK(configure_view_acl(vconfig, config, named_g_config,
+-				 "allow-query", NULL, actx,
+-				 named_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 				 "allow-query-cache-on", NULL, actx,
+ 				 named_g_mctx, &view->cacheonacl));
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, named_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 named_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 named_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 named_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, named_g_config,
++					 "allow-query", NULL,
++					 actx, named_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,
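Review bot: The header gives the ISC advisory and the CVE entry but not the upstream commit or release that the hunks against bin/named/server.c were taken from, so a later reviewer cannot compare this access-control change line by line with the vendor's fix. Other patches added in the same commit record their origin (the binutils one says "Patch taken from upstream" and links the commit). I would add a line such as `Patch taken from upstream: <UPSTREAM-COMMIT-URL>` below the two links, and note there if anything was adapted for the packaged version.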
diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
new file mode 100644
index 0000000000..fbd596862b
--- /dev/null
+++ b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
@@ -0,0 +1,36 @@
+Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed
+to be addresses:
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=22764
+
+Patch taken from upstream (with ChangeLog entries and tests omitted):
+
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12
+
+diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
+index af448f9..2737773 100644
+--- a/bfd/elfnn-aarch64.c
++++ b/bfd/elfnn-aarch64.c
+@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info,
+ #if ARCH_SIZE == 64
+ 	case BFD_RELOC_AARCH64_32:
+ #endif
+-	  if (bfd_link_pic (info)
+-	      && (sec->flags & SEC_ALLOC) != 0
+-	      && (sec->flags & SEC_READONLY) != 0)
++	  if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0)
+ 	    {
++	      if (h != NULL
++		  /* This is an absolute symbol.  It represents a value instead
++		     of an address.  */
++		  && ((h->root.type == bfd_link_hash_defined
++		       && bfd_is_abs_section (h->root.u.def.section))
++		      /* This is an undefined symbol.  */
++		      || h->root.type == bfd_link_hash_undefined))
++		break;
++
++	      /* For local symbols, defined global symbols in a non-ABS section,
++		 it is assumed that the value is an address.  */
+ 	      int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START;
+ 	      _bfd_error_handler
+ 		/* xgettext:c-format */
diff --git a/gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch b/gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch
new file mode 100644
index 0000000000..314f6b6de0
--- /dev/null
+++ b/gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch
@@ -0,0 +1,60 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Mon, 25 Jun 2018 00:34:52 +0200
+Subject: dovecot-trees: Fix build with dovecot 2.3.
+
+The following patch was taken verbatim from the upstream repository[0]
+and will be included in the next release.
+
+[0]: https://0xacab.org/riseuplabs/trees/commit/e136c32a044701d68b0235b8405357c5fca62a11
+---
+From e136c32a044701d68b0235b8405357c5fca62a11 Mon Sep 17 00:00:00 2001
+From: David Goulet <dgoulet@ev0ke.net>
+Date: Tue, 10 Apr 2018 13:48:01 -0400
+Subject: [PATCH] Support dovecot 2.3
+
+Untested but it builds now properly. Thanks to "smorks" for the report!
+
+Fixes #16
+
+Signed-off-by: David Goulet <dgoulet@ev0ke.net>
+---
+ src/trees-istream.c | 4 ++++
+ src/trees-ostream.c | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/trees-istream.c b/src/trees-istream.c
+index b08ff16..e94be7d 100644
+--- a/src/trees-istream.c
++++ b/src/trees-istream.c
+@@ -431,5 +431,9 @@ trees_istream_create(struct istream *input,
+   sstream->out_byte_count = 0;
+ #endif
+ 
++#if DOVECOT_PREREQ(2, 3)
++	return i_stream_create(&sstream->istream, input, i_stream_get_fd(input), 0);
++#else
+   return i_stream_create(&sstream->istream, input, i_stream_get_fd(input));
++#endif /* DOVECOT_PREREQ */
+ }
+diff --git a/src/trees-ostream.c b/src/trees-ostream.c
+index 1b25a91..0cb7867 100644
+--- a/src/trees-ostream.c
++++ b/src/trees-ostream.c
+@@ -174,7 +174,14 @@ trees_ostream_sendv(struct ostream_private *stream,
+ static int
+ trees_ostream_flush(struct ostream_private *stream)
+ {
++  /* This is pretty ugly but unfortunately between 2.2 and 2.3, Dovecot changed
++   * the expected value to be non zero in 2.3+ . */
++#if DOVECOT_PREREQ(2, 3)
++  ssize_t result = 1;
++#else
+   ssize_t result = 0;
++#endif /* DOVECOT_PREREQ */
++
+   struct trees_ostream *sstream = (struct trees_ostream *) stream;
+ 
+   if (sstream->flushed) {
+-- 
+2.17.1
+
diff --git a/gnu/packages/patches/doxygen-gcc-ice.patch b/gnu/packages/patches/doxygen-gcc-ice.patch
new file mode 100644
index 0000000000..fbfedcb7ab
--- /dev/null
+++ b/gnu/packages/patches/doxygen-gcc-ice.patch
@@ -0,0 +1,25 @@
+Work around this GCC ICE: <https://bugs.gnu.org/31708>.  It shows up
+only when doing native compiles on armhf-linux.
+
+Yes it's a terrible patch, but it does the job.
+
+--- doxygen-1.8.13/qtools/qutfcodec.cpp	1970-01-01 01:00:00.000000000 +0100
++++ doxygen-1.8.13/qtools/qutfcodec.cpp	2018-06-08 14:14:29.614009929 +0200
+@@ -189,7 +189,7 @@ int QUtf16Codec::heuristicContentMatch(c
+ }
+ 
+ 
+-
++volatile const void *bomPointer = &QChar::byteOrderMark;
+ 
+ class QUtf16Encoder : public QTextEncoder {
+     bool headerdone;
+@@ -209,7 +209,7 @@ public:
+ 	    headerdone = TRUE;
+ 	    len_in_out = (1+uc.length())*(int)sizeof(QChar);
+ 	    QCString d(len_in_out);
+-	    memcpy(d.rawData(),&QChar::byteOrderMark,sizeof(QChar));
++	    memcpy(d.rawData(),(void *)bomPointer,sizeof(QChar));
+ 	    memcpy(d.rawData()+sizeof(QChar),uc.unicode(),uc.length()*sizeof(QChar));
+ 	    return d;
+ 	}
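Review bot: In `volatile const void *bomPointer = &QChar::byteOrderMark;` the qualifiers apply to the pointee rather than to the pointer, and the `(void *)bomPointer` cast in the memcpy call drops them again, so `volatile` forces nothing at the use site. If the workaround relies on the address being loaded at run time, the declaration that says so is `static const void *volatile bomPointer = &QChar::byteOrderMark;`, which also keeps the new symbol out of the global namespace. Whether the ICE is still avoided with that form would need a native rebuild on armhf-linux.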
diff --git a/gnu/packages/patches/elixir-disable-failing-tests.patch b/gnu/packages/patches/elixir-disable-failing-tests.patch
deleted file mode 100644
index 547598b292..0000000000
--- a/gnu/packages/patches/elixir-disable-failing-tests.patch
+++ /dev/null
@@ -1,284 +0,0 @@
-Most of these tests fail for unknown reasons when run in the chroot
-environment of a Guix build process.
-
-Common failures are:
-
- * Mix.Shell.cmd() fails with error 130
- * The git_repo fixture cannot be found
- * Communication with spawned processes fails with EPIPE
- * Failure to copy files
-
-
-diff --git a/lib/elixir/test/elixir/kernel/cli_test.exs b/lib/elixir/test/elixir/kernel/cli_test.exs
-index 3ffd56c..1232d19 100644
---- a/lib/elixir/test/elixir/kernel/cli_test.exs
-+++ b/lib/elixir/test/elixir/kernel/cli_test.exs
-@@ -39,6 +39,7 @@ end
- defmodule Kernel.CLI.OptionParsingTest do
-   use ExUnit.Case, async: true
-
-+  @tag :skip
-   test "properly parses paths" do
-     root = fixture_path("../../..") |> to_charlist
-     list = elixir('-pa "#{root}/*" -pz "#{root}/lib/*" -e "IO.inspect(:code.get_path, limit: :infinity)"')
-@@ -57,6 +58,7 @@ end
- defmodule Kernel.CLI.AtExitTest do
-   use ExUnit.Case, async: true
-
-+  @tag :skip
-   test "invokes at_exit callbacks" do
-     assert elixir(fixture_path("at_exit.exs") |> to_charlist) ==
-            'goodbye cruel world with status 1\n'
-@@ -66,6 +68,7 @@ end
- defmodule Kernel.CLI.ErrorTest do
-   use ExUnit.Case, async: true
-
-+  @tag :skip
-   test "properly format errors" do
-     assert :string.str('** (throw) 1', elixir('-e "throw 1"')) == 0
-     assert :string.str('** (ErlangError) erlang error: 1', elixir('-e "error 1"')) == 0
-@@ -86,6 +89,7 @@ defmodule Kernel.CLI.CompileTest do
-     {:ok, [tmp_dir_path: tmp_dir_path, beam_file_path: beam_file_path, fixture: fixture]}
-   end
-
-+  @tag :skip
-   test "compiles code", context do
-     assert elixirc('#{context[:fixture]} -o #{context[:tmp_dir_path]}') == ''
-     assert File.regular?(context[:beam_file_path])
-@@ -96,6 +100,7 @@ defmodule Kernel.CLI.CompileTest do
-     Code.delete_path context[:tmp_dir_path]
-   end
-
-+  @tag :skip
-   test "fails on missing patterns", context do
-     output = elixirc('#{context[:fixture]} non_existing.ex -o #{context[:tmp_dir_path]}')
-     assert :string.str(output, 'non_existing.ex') > 0, "expected non_existing.ex to be mentioned"
-@@ -103,6 +108,7 @@ defmodule Kernel.CLI.CompileTest do
-     refute File.exists?(context[:beam_file_path]), "expected the sample to not be compiled"
-   end
-
-+  @tag :skip
-   test "fails on missing write access to .beam file", context do
-     compilation_args = '#{context[:fixture]} -o #{context[:tmp_dir_path]}'
-
-diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-index 801d852..40fc5bc 100644
---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-@@ -60,16 +60,19 @@ defmodule Kernel.DialyzerTest do
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on rewrites", context do
-     copy_beam! context, Dialyzer.Rewrite
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on raise", context do
-     copy_beam! context, Dialyzer.Raise
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on macrocallback", context do
-     copy_beam! context, Dialyzer.Macrocallback
-     copy_beam! context, Dialyzer.Macrocallback.Impl
-diff --git a/lib/elixir/test/elixir/system_test.exs b/lib/elixir/test/elixir/system_test.exs
-index aafa559..0f9c178 100644
---- a/lib/elixir/test/elixir/system_test.exs
-+++ b/lib/elixir/test/elixir/system_test.exs
-@@ -53,7 +53,8 @@ defmodule SystemTest do
-     assert System.endianness in [:little, :big]
-     assert System.endianness == System.compiled_endianness
-   end
--
-+
-+  @tag :skip
-   test "argv/0" do
-     list = elixir('-e "IO.inspect System.argv" -- -o opt arg1 arg2 --long-opt 10')
-     {args, _} = Code.eval_string list, []
-diff --git a/lib/mix/test/mix/dep_test.exs b/lib/mix/test/mix/dep_test.exs
-index fff3351..d6ed1b3 100644
---- a/lib/mix/test/mix/dep_test.exs
-+++ b/lib/mix/test/mix/dep_test.exs
-@@ -244,6 +244,7 @@ defmodule Mix.DepTest do
-     end
-   end
-
-+  @tag :skip
-   test "remote converger" do
-     deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"},
-             {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo")}]
-@@ -301,6 +302,7 @@ defmodule Mix.DepTest do
-     end
-   end
-
-+  @tag :skip
-   test "remote converger is not invoked if deps diverge" do
-     deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"},
-             {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo"), only: :test}]
-
-diff --git a/lib/mix/test/mix/shell/io_test.exs b/lib/mix/test/mix/shell/io_test.exs
-index 9bfb6b4..d982ef3 100644
---- a/lib/mix/test/mix/shell/io_test.exs
-+++ b/lib/mix/test/mix/shell/io_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Shell.IOTest do
-     assert capture_io("", fn -> refute yes?("Ok?") end)
-   end
-
-+  @tag :skip
-   test "runs a given command" do
-     assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "hello\n"
-
-diff --git a/lib/mix/test/mix/shell/quiet_test.exs b/lib/mix/test/mix/shell/quiet_test.exs
-index 626429b..99fab35 100644
---- a/lib/mix/test/mix/shell/quiet_test.exs
-+++ b/lib/mix/test/mix/shell/quiet_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Shell.QuietTest do
-     assert capture_io("", fn -> refute yes?("Ok?") end)
-   end
-
-+  @tag :skip
-   test "runs a given command" do
-     assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == ""
-
-diff --git a/lib/mix/test/mix/tasks/cmd_test.exs b/lib/mix/test/mix/tasks/cmd_test.exs
-index db4bf06..4d441f7 100644
---- a/lib/mix/test/mix/tasks/cmd_test.exs
-+++ b/lib/mix/test/mix/tasks/cmd_test.exs
-@@ -3,6 +3,7 @@ Code.require_file "../../test_helper.exs", __DIR__
- defmodule Mix.Tasks.CmdTest do
-   use MixTest.Case
-
-+  @tag :skip
-   test "runs the command for each app" do
-     in_fixture "umbrella_dep/deps/umbrella", fn ->
-       Mix.Project.in_project(:umbrella, ".", fn _ ->
-diff --git a/lib/mix/test/mix/tasks/deps.tree_test.exs b/lib/mix/test/mix/tasks/deps.tree_test.exs
-index 4f09ff3..c371997 100644
---- a/lib/mix/test/mix/tasks/deps.tree_test.exs
-+++ b/lib/mix/test/mix/tasks/deps.tree_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Tasks.Deps.TreeTest do
-     end
-   end
-
-+  @tag :skip
-   test "shows the dependency tree", context do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -109,6 +110,7 @@ defmodule Mix.Tasks.Deps.TreeTest do
-     end
-   end
-
-+  @tag :skip
-   test "shows the dependency tree in DOT graph format", context do
-     Mix.Project.push ConvergedDepsApp
-
-diff --git a/lib/mix/test/mix/tasks/deps_test.exs b/lib/mix/test/mix/tasks/deps_test.exs
-index b061777..cc45cf8 100644
---- a/lib/mix/test/mix/tasks/deps_test.exs
-+++ b/lib/mix/test/mix/tasks/deps_test.exs
-@@ -96,6 +96,7 @@
-     end
-   end
-
-+  @tag :skip
-   test "prints list of dependencies and their lock status" do
-     Mix.Project.push DepsApp
-
-@@ -409,6 +409,7 @@ defmodule Mix.Tasks.DepsTest do
-     end
-   end
-
-+  @tag :skip
-   test "fails on diverged dependencies by requirement" do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -440,6 +441,7 @@ defmodule Mix.Tasks.DepsTest do
-     end
-   end
-
-+  @tag :skip
-   test "fails on diverged dependencies even when optional" do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -469,6 +471,7 @@ defmodule Mix.Tasks.DepsTest do
-     end
-   end
-
-+  @tag :skip
-   test "works with converged dependencies" do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -491,6 +494,7 @@ defmodule Mix.Tasks.DepsTest do
-     purge [GitRepo, GitRepo.Mixfile]
-   end
-
-+  @tag :skip
-   test "works with overridden dependencies" do
-     Mix.Project.push OverriddenDepsApp
-
-diff --git a/lib/mix/test/mix/umbrella_test.exs b/lib/mix/test/mix/umbrella_test.exs
-index 69f9428..406668a 100644
---- a/lib/mix/test/mix/umbrella_test.exs
-+++ b/lib/mix/test/mix/umbrella_test.exs
-@@ -98,6 +98,7 @@ defmodule Mix.UmbrellaTest do
-     end
-   end
-
-+  @tag :skip
-   test "loads umbrella child dependencies in all environments" do
-     in_fixture "umbrella_dep/deps/umbrella", fn ->
-       Mix.Project.in_project :umbrella, ".", fn _ ->
-
-diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-index 792222c..e90beb9 100644
---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-@@ -54,6 +54,7 @@ defmodule Kernel.DialyzerTest do
-     {:ok, [outdir: dir, dialyzer: dialyzer]}
-   end
-
-+  @tag :skip
-   test "no warnings on valid remote calls", context do
-     copy_beam! context, Dialyzer.RemoteCall
-     assert_dialyze_no_warnings! context
-@@ -78,11 +79,13 @@ defmodule Kernel.DialyzerTest do
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on struct update", context do
-     copy_beam! context, Dialyzer.StructUpdate
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on protocol calls with opaque types", context do
-     copy_beam! context, Dialyzer.ProtocolOpaque
-     copy_beam! context, Dialyzer.ProtocolOpaque.Entity
-@@ -90,6 +93,7 @@ defmodule Kernel.DialyzerTest do
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on and/2 and or/2", context do
-     copy_beam! context, Dialyzer.BooleanCheck
-     assert_dialyze_no_warnings! context
-
-diff --git a/Makefile b/Makefile
-index 2fc4f9a..aef8366 100644
---- a/Makefile
-+++ b/Makefile
-@@ -201,7 +201,7 @@ $(TEST_EBIN)/%.beam: $(TEST_ERL)/%.erl
-        $(Q) mkdir -p $(TEST_EBIN)
-        $(Q) $(ERLC) -o $(TEST_EBIN) $<
-
--test_elixir: test_stdlib test_ex_unit test_logger test_mix test_eex test_iex
-+test_elixir: test_stdlib test_ex_unit test_logger test_eex test_iex
-
- test_stdlib: compile
-        @ echo "==> elixir (exunit)"
-
diff --git a/gnu/packages/patches/flann-cmake-3.11.patch b/gnu/packages/patches/flann-cmake-3.11.patch
new file mode 100644
index 0000000000..1fb76eca0a
--- /dev/null
+++ b/gnu/packages/patches/flann-cmake-3.11.patch
@@ -0,0 +1,84 @@
+Fixes this issue:
+ <https://github.com/mariusmuja/flann/issues/369>.
+Patch from Buildroot:
+ <https://github.com/buildroot/buildroot/commit/45a39b3e2ba42b72d19bfcef30db1b8da9ead51a>.
+
+From fa5ec96a94646492a3f908e12905b3e48a8e800b Mon Sep 17 00:00:00 2001
+From: Romain Naour <romain.naour@gmail.com>
+Date: Wed, 18 Apr 2018 20:24:13 +0200
+Subject: [PATCH] src/cpp: fix cmake >= 3.11 build
+
+CMake < 3.11 doesn't support add_library() without any source file
+(i.e add_library(foo SHARED)). But flann CMake use a trick that use
+an empty string "" as source list (i.e add_library(foo SHARED "")).
+This look like a bug in CMake < 3.11.
+
+With CMake >= 3.11, the new behaviour of add_library() break the
+existing flann CMake code.
+
+From CMake Changelog [1]:
+"add_library() and add_executable() commands can now be called without
+ any sources and will not complain as long as sources are added later
+ via the target_sources() command."
+
+Note: flann CMake code doesn't use target_sources() since no source file
+are provided intentionally since the flann shared library is created by
+linking with the flann_cpp_s static library with this line:
+
+target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive)
+
+If you try to use "add_library(flann_cpp SHARED ${CPP_SOURCES})" (as it should
+be normally done), the link fail due to already defined symbol.
+
+They are building the shared version using the static library "to speedup the
+build time" [3]
+
+This issue is already reported upstream [2] with a proposed solution.
+
+Upstream status: Pending
+
+Fixes:
+http://autobuild.buildroot.net/results/b2f/b2febfaf8c44ce477b3e4a5b9b976fd25e8d7454
+
+[1] https://cmake.org/cmake/help/v3.11/release/3.11.html
+[2] https://github.com/mariusmuja/flann/issues/369
+[3] https://github.com/mariusmuja/flann/commit/0fd62b43be2fbb0b8d791ee36290791224dc030c
+
+Signed-off-by: Romain Naour <romain.naour@gmail.com>
+---
+ src/cpp/CMakeLists.txt | 4 ++--
+ src/cpp/empty.cpp      | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 src/cpp/empty.cpp
+
+diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt
+index b44a735..a816863 100644
+--- a/src/cpp/CMakeLists.txt
++++ b/src/cpp/CMakeLists.txt
+@@ -29,7 +29,7 @@ if (BUILD_CUDA_LIB)
+ endif()
+ 
+ if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC)
+-    add_library(flann_cpp SHARED "")
++    add_library(flann_cpp SHARED "empty.cpp")
+     set_target_properties(flann_cpp PROPERTIES LINKER_LANGUAGE CXX)
+     target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive)
+ 
+@@ -85,7 +85,7 @@ if (BUILD_C_BINDINGS)
+     set_property(TARGET flann_s PROPERTY COMPILE_DEFINITIONS FLANN_STATIC)
+ 
+     if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC)
+-        add_library(flann SHARED "")
++        add_library(flann SHARED "empty.cpp")
+         set_target_properties(flann PROPERTIES LINKER_LANGUAGE CXX)
+         target_link_libraries(flann -Wl,-whole-archive flann_s -Wl,-no-whole-archive)
+     else()
+diff --git a/src/cpp/empty.cpp b/src/cpp/empty.cpp
+new file mode 100644
+index 0000000..40a8c17
+--- /dev/null
++++ b/src/cpp/empty.cpp
+@@ -0,0 +1 @@
++/* empty */
+-- 
+2.14.3
diff --git a/gnu/packages/patches/gcc-8-strmov-store-file-names.patch b/gnu/packages/patches/gcc-8-strmov-store-file-names.patch
new file mode 100644
index 0000000000..f8e6b951b2
--- /dev/null
+++ b/gnu/packages/patches/gcc-8-strmov-store-file-names.patch
@@ -0,0 +1,110 @@
+Make sure that statements such as:
+
+  strcpy (dst, "/gnu/store/…");
+
+or
+
+  static const char str[] = "/gnu/store/…";
+  …
+  strcpy (dst, str);
+
+do not result in chunked /gnu/store strings that are undetectable by
+Guix's GC and its grafting code.  See <https://bugs.gnu.org/24703>
+and <https://bugs.gnu.org/30395>.
+
+--- gcc-5.3.0/gcc/builtins.c	2016-10-18 10:50:46.080616285 +0200
++++ gcc-5.3.0/gcc/builtins.c	2016-11-09 15:26:43.693042737 +0100
+@@ -3012,6 +3012,58 @@ determine_block_size (tree len, rtx len_rtx,
+ 			  GET_MODE_MASK (GET_MODE (len_rtx)));
+ }
+ 
++extern void debug_tree (tree);
++
++/* Return true if STR contains the string "/gnu/store".  */
++
++bool
++store_reference_p (tree str)
++{
++  if (getenv ("GUIX_GCC_DEBUG") != NULL)
++    debug_tree (str);
++
++  if (TREE_CODE (str) == ADDR_EXPR)
++    str = TREE_OPERAND (str, 0);
++
++  if (TREE_CODE (str) == VAR_DECL
++      && TREE_STATIC (str)
++      && TREE_READONLY (str))
++    {
++      /* STR may be a 'static const' variable whose initial value
++         is a string constant.  See <https://bugs.gnu.org/30395>.  */
++      str = DECL_INITIAL (str);
++      if (str == NULL_TREE)
++        return false;
++    }
++
++  if (TREE_CODE (str) != STRING_CST)
++    return false;
++
++  int len;
++  const char *store;
++
++  store = getenv ("NIX_STORE") ? getenv ("NIX_STORE") : "/gnu/store";
++  len = strlen (store);
++
++  /* Size of the hash part of store file names, including leading slash and
++     trailing hyphen.  */
++  const int hash_len = 34;
++
++  if (TREE_STRING_LENGTH (str) < len + hash_len)
++    return false;
++
++  /* We cannot use 'strstr' because 'TREE_STRING_POINTER' returns a string
++     that is not necessarily NUL-terminated.  */
++
++  for (int i = 0; i < TREE_STRING_LENGTH (str) - (len + hash_len); i++)
++    {
++      if (strncmp (TREE_STRING_POINTER (str) + i, store, len) == 0)
++	return true;
++    }
++
++  return false;
++}
++
+ /* Try to verify that the sizes and lengths of the arguments to a string
+    manipulation function given by EXP are within valid bounds and that
+    the operation does not lead to buffer overflow or read past the end.
+@@ -3605,6 +3657,13 @@ expand_builtin_memory_copy_args (tree dest, tree src, tree len,
+   unsigned HOST_WIDE_INT max_size;
+   unsigned HOST_WIDE_INT probable_max_size;
+ 
++  /* Do not emit block moves, which translate to the 'movabs' instruction on
++     x86_64, when SRC refers to store items.  That way, store references
++     remain visible to the Guix GC and grafting code.  See
++     <https://bugs.gnu.org/24703>.  */
++  if (store_reference_p (src))
++    return NULL_RTX;
++
+   /* If DEST is not a pointer type, call the normal function.  */
+   if (dest_align == 0)
+     return NULL_RTX;
+--- gcc-5.5.0/gcc/gimple-fold.c	2018-03-20 11:36:16.709442004 +0100
++++ gcc-5.5.0/gcc/gimple-fold.c	2018-03-20 11:46:43.838487065 +0100
+@@ -635,6 +635,8 @@ var_decl_component_p (tree var)
+   return SSA_VAR_P (inner);
+ }
+ 
++extern bool store_reference_p (tree);
++
+ /* If the SIZE argument representing the size of an object is in a range
+    of values of which exactly one is valid (and that is zero), return
+    true, otherwise false.  */
+@@ -742,6 +744,9 @@ gimple_fold_builtin_memory_op (gimple_stmt_iterator *gsi,
+       off0 = build_int_cst (build_pointer_type_for_mode (char_type_node,
+ 							 ptr_mode, true), 0);
+ 
++      if (store_reference_p (src))
++        return false;
++
+       /* If we can perform the copy efficiently with first doing all loads
+          and then all stores inline it that way.  Currently efficiently
+ 	 means that we can load all the memory into a single integer
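Review bot: The scan loop in store_reference_p stops one offset early: with `i < TREE_STRING_LENGTH (str) - (len + hash_len)` the last position where a store prefix plus hash still fits is never compared, and a constant whose length equals `len + hash_len` passes the length check above but gets zero iterations. Such a constant would still be eligible for the block-move expansion this patch is meant to suppress, leaving a reference that the GC and grafting code cannot see. I would write `for (int i = 0; i <= TREE_STRING_LENGTH (str) - (len + hash_len); i++)`; the strncmp at that offset still reads at most `len` bytes inside the constant. How often the boundary is hit depends on whether TREE_STRING_LENGTH counts a trailing NUL for the strings involved, so the practical impact is unconfirmed.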
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
deleted file mode 100644
index d76f0df369..0000000000
--- a/gnu/packages/patches/heimdal-CVE-2017-11103.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-11103:
-
-https://orpheus-lyre.info/
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
-https://security-tracker.debian.org/tracker/CVE-2017-11103
-
-Patch lifted from upstream source repository:
-
-https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
-
-From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
-From: Jeffrey Altman <jaltman@secure-endpoints.com>
-Date: Wed, 12 Apr 2017 15:40:42 -0400
-Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
-
-In _krb5_extract_ticket() the KDC-REP service name must be obtained from
-encrypted version stored in 'enc_part' instead of the unencrypted version
-stored in 'ticket'.  Use of the unecrypted version provides an
-opportunity for successful server impersonation and other attacks.
-
-Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
-
-Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
----
- lib/krb5/ticket.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
-index d95d96d1b..b8d81c6ad 100644
---- a/lib/krb5/ticket.c
-+++ b/lib/krb5/ticket.c
-@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
-     /* check server referral and save principal */
-     ret = _krb5_principalname2krb5_principal (context,
- 					      &tmp_principal,
--					      rep->kdc_rep.ticket.sname,
--					      rep->kdc_rep.ticket.realm);
-+					      rep->enc_part.sname,
-+					      rep->enc_part.srealm);
-     if (ret)
- 	goto out;
-     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
--- 
-2.13.3
-
diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
deleted file mode 100644
index 714af60304..0000000000
--- a/gnu/packages/patches/heimdal-CVE-2017-6594.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Fix CVE-2017-6594:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
-https://security-tracker.debian.org/tracker/CVE-2017-6594
-
-Patch lifted from upstream source repository:
-
-https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
-
-To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
-files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
-
-From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <viktor@twosigma.com>
-Date: Wed, 10 Aug 2016 23:31:14 +0000
-Subject: [PATCH] Fix transit path validation CVE-2017-6594
-
-Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
-to not be added to the transit path of issued tickets.  This may, in
-some cases, enable bypass of capath policy in Heimdal versions 1.5
-through 7.2.
-
-Note, this may break sites that rely on the bug.  With the bug some
-incomplete [capaths] worked, that should not have.  These may now break
-authentication in some cross-realm configurations.
----
- NEWS                   | 14 ++++++++++++++
- kdc/krb5tgs.c          | 12 ++++++++++--
- tests/kdc/check-kdc.in | 17 +++++++++++++++++
- tests/kdc/krb5.conf.in |  4 ++++
- 4 files changed, 45 insertions(+), 2 deletions(-)
-
-diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
-index 6048b9c55..98503812f 100644
---- a/kdc/krb5tgs.c
-+++ b/kdc/krb5tgs.c
-@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
- 		  "Decoding transited encoding");
- 	return ret;
-     }
-+
-+    /*
-+     * If the realm of the presented tgt is neither the client nor the server
-+     * realm, it is a transit realm and must be added to transited set.
-+     */
-     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
--	/* not us, so add the previous realm to transited set */
- 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
- 	    ret = ERANGE;
- 	    goto free_realms;
-@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
- 	       const char *server_name,
- 	       hdb_entry_ex *client,
- 	       krb5_principal client_principal,
-+               const char *tgt_realm,
- 	       hdb_entry_ex *krbtgt,
- 	       krb5_enctype krbtgt_etype,
- 	       krb5_principals spp,
-@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
- 				 &tgt->transited, &et,
- 				 krb5_principal_get_realm(context, client_principal),
- 				 krb5_principal_get_realm(context, server->entry.principal),
--				 krb5_principal_get_realm(context, krbtgt->entry.principal));
-+				 tgt_realm);
-     if(ret)
- 	goto out;
- 
-@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
-     krb5_keyblock sessionkey;
-     krb5_kvno kvno;
-     krb5_data rspac;
-+    const char *tgt_realm = /* Realm of TGT issuer */
-+        krb5_principal_get_realm(context, krbtgt->entry.principal);
-
-@@ -2324,6 +2331,7 @@ server_lookup:
- 			 spn,
- 			 client,
- 			 cp,
-+                         tgt_realm,
- 			 krbtgt_out,
- 			 tkey_sign->key.keytype,
- 			 spp,
--- 
-2.13.3
-
diff --git a/gnu/packages/patches/icecat-bug-1413868-pt1.patch b/gnu/packages/patches/icecat-bug-1413868-pt1.patch
new file mode 100644
index 0000000000..18382dc33a
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1413868-pt1.patch
@@ -0,0 +1,663 @@
+Based on <https://hg.mozilla.org/releases/mozilla-esr52/rev/431fa5dd4016>
+Adapted to apply cleanly to GNU IceCat.
+
+# HG changeset patch
+# User Honza Bambas <honzab.moz@firemni.cz>
+# Date 1528830658 14400
+# Node ID 431fa5dd4016bdab7e4bb0d3c4df85468fe337b0
+# Parent  e8e9e1ef79f2a18c61ec1b87cfb214c8d4960f8e
+Bug 1413868. r=valentin, a=RyanVM
+
+diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp
+--- a/toolkit/xre/nsAppRunner.cpp
++++ b/toolkit/xre/nsAppRunner.cpp
+@@ -4,16 +4,17 @@
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #include "mozilla/dom/ContentParent.h"
+ #include "mozilla/dom/ContentChild.h"
+ #include "mozilla/ipc/GeckoChildProcessHost.h"
+ 
+ #include "mozilla/ArrayUtils.h"
+ #include "mozilla/Attributes.h"
++#include "mozilla/FilePreferences.h"
+ #include "mozilla/ChaosMode.h"
+ #include "mozilla/IOInterposer.h"
+ #include "mozilla/Likely.h"
+ #include "mozilla/MemoryChecking.h"
+ #include "mozilla/Poison.h"
+ #include "mozilla/Preferences.h"
+ #include "mozilla/ScopeExit.h"
+ #include "mozilla/Services.h"
+@@ -4304,16 +4305,20 @@ XREMain::XRE_mainRun()
+       // Need to write out the fact that the profile has been removed and potentially
+       // that the selected/default profile changed.
+       mProfileSvc->Flush();
+     }
+   }
+ 
+   mDirProvider.DoStartup();
+ 
++  // As FilePreferences need the profile directory, we must initialize right here.
++  mozilla::FilePreferences::InitDirectoriesWhitelist();
++  mozilla::FilePreferences::InitPrefs();
++
+   OverrideDefaultLocaleIfNeeded();
+ 
+ #ifdef MOZ_CRASHREPORTER
+   nsCString userAgentLocale;
+   // Try a localized string first. This pref is always a localized string in
+   // IceCatMobile, and might be elsewhere, too.
+   if (NS_SUCCEEDED(Preferences::GetLocalizedCString("general.useragent.locale", &userAgentLocale))) {
+     CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("useragent_locale"), userAgentLocale);
+diff --git a/toolkit/xre/nsEmbedFunctions.cpp b/toolkit/xre/nsEmbedFunctions.cpp
+--- a/toolkit/xre/nsEmbedFunctions.cpp
++++ b/toolkit/xre/nsEmbedFunctions.cpp
+@@ -46,16 +46,17 @@
+ #include "nsX11ErrorHandler.h"
+ #include "nsGDKErrorHandler.h"
+ #include "base/at_exit.h"
+ #include "base/command_line.h"
+ #include "base/message_loop.h"
+ #include "base/process_util.h"
+ #include "chrome/common/child_process.h"
+ 
++#include "mozilla/FilePreferences.h"
+ #include "mozilla/ipc/BrowserProcessSubThread.h"
+ #include "mozilla/ipc/GeckoChildProcessHost.h"
+ #include "mozilla/ipc/IOThreadChild.h"
+ #include "mozilla/ipc/ProcessChild.h"
+ #include "ScopedXREEmbed.h"
+ 
+ #include "mozilla/plugins/PluginProcessChild.h"
+ #include "mozilla/dom/ContentProcess.h"
+@@ -680,16 +681,18 @@ XRE_InitChildProcess(int aArgc,
+       ::SetProcessShutdownParameters(0x280 - 1, SHUTDOWN_NORETRY);
+ #endif
+ 
+ #if defined(MOZ_SANDBOX) && defined(XP_WIN)
+       // We need to do this after the process has been initialised, as
+       // InitLoggingIfRequired may need access to prefs.
+       mozilla::sandboxing::InitLoggingIfRequired(aChildData->ProvideLogFunction);
+ #endif
++      mozilla::FilePreferences::InitDirectoriesWhitelist();
++      mozilla::FilePreferences::InitPrefs();
+ 
+       OverrideDefaultLocaleIfNeeded();
+ 
+ #if defined(MOZ_CRASHREPORTER)
+ #if defined(MOZ_CONTENT_SANDBOX) && !defined(MOZ_WIDGET_GONK)
+       AddContentSandboxLevelAnnotation();
+ #endif
+ #endif
+diff --git a/xpcom/io/FilePreferences.cpp b/xpcom/io/FilePreferences.cpp
+new file mode 100644
+--- /dev/null
++++ b/xpcom/io/FilePreferences.cpp
+@@ -0,0 +1,271 @@
++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* vim: set ts=8 sts=2 et sw=2 tw=80: */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++* License, v. 2.0. If a copy of the MPL was not distributed with this
++* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "FilePreferences.h"
++
++#include "mozilla/Preferences.h"
++#include "nsAppDirectoryServiceDefs.h"
++#include "nsDirectoryServiceDefs.h"
++#include "nsDirectoryServiceUtils.h"
++
++namespace mozilla {
++namespace FilePreferences {
++
++static bool sBlockUNCPaths = false;
++typedef nsTArray<nsString> Paths;
++
++static Paths& PathArray()
++{
++  static Paths sPaths;
++  return sPaths;
++}
++
++static void AllowDirectory(char const* directory)
++{
++  nsCOMPtr<nsIFile> file;
++  NS_GetSpecialDirectory(directory, getter_AddRefs(file));
++  if (!file) {
++    return;
++  }
++
++  nsString path;
++  if (NS_FAILED(file->GetTarget(path))) {
++    return;
++  }
++
++  // The whitelist makes sense only for UNC paths, because this code is used
++  // to block only UNC paths, hence, no need to add non-UNC directories here
++  // as those would never pass the check.
++  if (!StringBeginsWith(path, NS_LITERAL_STRING("\\\\"))) {
++    return;
++  }
++
++  if (!PathArray().Contains(path)) {
++    PathArray().AppendElement(path);
++  }
++}
++
++void InitPrefs()
++{
++  sBlockUNCPaths = Preferences::GetBool("network.file.disable_unc_paths", false);
++}
++
++void InitDirectoriesWhitelist()
++{
++  // NS_GRE_DIR is the installation path where the binary resides.
++  AllowDirectory(NS_GRE_DIR);
++  // NS_APP_USER_PROFILE_50_DIR and NS_APP_USER_PROFILE_LOCAL_50_DIR are the two
++  // parts of the profile we store permanent and local-specific data.
++  AllowDirectory(NS_APP_USER_PROFILE_50_DIR);
++  AllowDirectory(NS_APP_USER_PROFILE_LOCAL_50_DIR);
++}
++
++namespace { // anon
++
++class Normalizer
++{
++public:
++  Normalizer(const nsAString& aFilePath, const char16_t aSeparator);
++  bool Get(nsAString& aNormalizedFilePath);
++
++private:
++  bool ConsumeItem();
++  bool ConsumeSeparator();
++  bool IsEOF() { return mFilePathCursor == mFilePathEnd; }
++
++  bool ConsumeName();
++  bool CheckParentDir();
++  bool CheckCurrentDir();
++
++  nsString::const_char_iterator mFilePathCursor;
++  nsString::const_char_iterator mFilePathEnd;
++
++  nsDependentSubstring mItem;
++  char16_t const mSeparator;
++  nsTArray<nsDependentSubstring> mStack;
++};
++
++Normalizer::Normalizer(const nsAString& aFilePath, const char16_t aSeparator)
++  : mFilePathCursor(aFilePath.BeginReading())
++  , mFilePathEnd(aFilePath.EndReading())
++  , mSeparator(aSeparator)
++{
++}
++
++bool Normalizer::ConsumeItem()
++{
++  if (IsEOF()) {
++    return false;
++  }
++
++  nsString::const_char_iterator nameBegin = mFilePathCursor;
++  while (mFilePathCursor != mFilePathEnd) {
++    if (*mFilePathCursor == mSeparator) {
++      break; // don't include the separator
++    }
++    ++mFilePathCursor;
++  }
++
++  mItem.Rebind(nameBegin, mFilePathCursor);
++  return true;
++}
++
++bool Normalizer::ConsumeSeparator()
++{
++  if (IsEOF()) {
++    return false;
++  }
++
++  if (*mFilePathCursor != mSeparator) {
++    return false;
++  }
++
++  ++mFilePathCursor;
++  return true;
++}
++
++bool Normalizer::Get(nsAString& aNormalizedFilePath)
++{
++  aNormalizedFilePath.Truncate();
++
++  if (IsEOF()) {
++    return true;
++  }
++  if (ConsumeSeparator()) {
++    aNormalizedFilePath.Append(mSeparator);
++  }
++
++  if (IsEOF()) {
++    return true;
++  }
++  if (ConsumeSeparator()) {
++    aNormalizedFilePath.Append(mSeparator);
++  }
++
++  while (!IsEOF()) {
++    if (!ConsumeName()) {
++      return false;
++    }
++  }
++
++  for (auto const& name : mStack) {
++    aNormalizedFilePath.Append(name);
++  }
++
++  return true;
++}
++
++bool Normalizer::ConsumeName()
++{
++  if (!ConsumeItem()) {
++    return true;
++  }
++
++  if (CheckCurrentDir()) {
++    return true;
++  }
++
++  if (CheckParentDir()) {
++    if (!mStack.Length()) {
++      // This means there are more \.. than valid names
++      return false;
++    }
++
++    mStack.RemoveElementAt(mStack.Length() - 1);
++    return true;
++  }
++
++  if (mItem.IsEmpty()) {
++    // this means an empty name (a lone slash), which is illegal
++    return false;
++  }
++
++  if (ConsumeSeparator()) {
++    mItem.Rebind(mItem.BeginReading(), mFilePathCursor);
++  }
++  mStack.AppendElement(mItem);
++
++  return true;
++}
++
++bool Normalizer::CheckCurrentDir()
++{
++  if (mItem == NS_LITERAL_STRING(".")) {
++    ConsumeSeparator();
++    // EOF is acceptable
++    return true;
++  }
++
++  return false;
++}
++
++bool Normalizer::CheckParentDir()
++{
++  if (mItem == NS_LITERAL_STRING("..")) {
++    ConsumeSeparator();
++    // EOF is acceptable
++    return true;
++  }
++
++  return false;
++}
++
++} // anon
++
++bool IsBlockedUNCPath(const nsAString& aFilePath)
++{
++  if (!sBlockUNCPaths) {
++    return false;
++  }
++
++  if (!StringBeginsWith(aFilePath, NS_LITERAL_STRING("\\\\"))) {
++    return false;
++  }
++
++  nsAutoString normalized;
++  if (!Normalizer(aFilePath, L'\\').Get(normalized)) {
++    // Broken paths are considered invalid and thus inaccessible
++    return true;
++  }
++
++  for (const auto& allowedPrefix : PathArray()) {
++    if (StringBeginsWith(normalized, allowedPrefix)) {
++      if (normalized.Length() == allowedPrefix.Length()) {
++        return false;
++      }
++      if (normalized[allowedPrefix.Length()] == L'\\') {
++        return false;
++      }
++
++      // When we are here, the path has a form "\\path\prefixevil"
++      // while we have an allowed prefix of "\\path\prefix".
++      // Note that we don't want to add a slash to the end of a prefix
++      // so that opening the directory (no slash at the end) still works.
++      break;
++    }
++  }
++
++  return true;
++}
++
++void testing::SetBlockUNCPaths(bool aBlock)
++{
++  sBlockUNCPaths = aBlock;
++}
++
++void testing::AddDirectoryToWhitelist(nsAString const & aPath)
++{
++  PathArray().AppendElement(aPath);
++}
++
++bool testing::NormalizePath(nsAString const & aPath, nsAString & aNormalized)
++{
++  Normalizer normalizer(aPath, L'\\');
++  return normalizer.Get(aNormalized);
++}
++
++} // ::FilePreferences
++} // ::mozilla
+diff --git a/xpcom/io/FilePreferences.h b/xpcom/io/FilePreferences.h
+new file mode 100644
+--- /dev/null
++++ b/xpcom/io/FilePreferences.h
+@@ -0,0 +1,25 @@
++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* vim: set ts=8 sts=2 et sw=2 tw=80: */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++* License, v. 2.0. If a copy of the MPL was not distributed with this
++* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "nsIObserver.h"
++
++namespace mozilla {
++namespace FilePreferences {
++
++void InitPrefs();
++void InitDirectoriesWhitelist();
++bool IsBlockedUNCPath(const nsAString& aFilePath);
++
++namespace testing {
++
++void SetBlockUNCPaths(bool aBlock);
++void AddDirectoryToWhitelist(nsAString const& aPath);
++bool NormalizePath(nsAString const & aPath, nsAString & aNormalized);
++
++}
++
++} // FilePreferences
++} // mozilla
+diff --git a/xpcom/io/moz.build b/xpcom/io/moz.build
+--- a/xpcom/io/moz.build
++++ b/xpcom/io/moz.build
+@@ -79,24 +79,26 @@ EXPORTS += [
+     'nsUnicharInputStream.h',
+     'nsWildCard.h',
+     'SlicedInputStream.h',
+     'SpecialSystemDirectory.h',
+ ]
+ 
+ EXPORTS.mozilla += [
+     'Base64.h',
++    'FilePreferences.h',
+     'SnappyCompressOutputStream.h',
+     'SnappyFrameUtils.h',
+     'SnappyUncompressInputStream.h',
+ ]
+ 
+ UNIFIED_SOURCES += [
+     'Base64.cpp',
+     'crc32c.c',
++    'FilePreferences.cpp',
+     'nsAnonymousTemporaryFile.cpp',
+     'nsAppFileLocationProvider.cpp',
+     'nsBinaryStream.cpp',
+     'nsDirectoryService.cpp',
+     'nsEscape.cpp',
+     'nsInputStreamTee.cpp',
+     'nsIOUtil.cpp',
+     'nsLinebreakConverter.cpp',
+diff --git a/xpcom/io/nsLocalFileWin.cpp b/xpcom/io/nsLocalFileWin.cpp
+--- a/xpcom/io/nsLocalFileWin.cpp
++++ b/xpcom/io/nsLocalFileWin.cpp
+@@ -41,16 +41,17 @@
+ #include  <stdio.h>
+ #include  <stdlib.h>
+ #include  <mbstring.h>
+ 
+ #include "nsXPIDLString.h"
+ #include "prproces.h"
+ #include "prlink.h"
+ 
++#include "mozilla/FilePreferences.h"
+ #include "mozilla/Mutex.h"
+ #include "SpecialSystemDirectory.h"
+ 
+ #include "nsTraceRefcnt.h"
+ #include "nsXPCOMCIDInternal.h"
+ #include "nsThreadUtils.h"
+ #include "nsXULAppAPI.h"
+ 
+@@ -1162,16 +1163,20 @@ nsLocalFile::InitWithPath(const nsAStrin
+   char16_t secondChar = *(++begin);
+ 
+   // just do a sanity check.  if it has any forward slashes, it is not a Native path
+   // on windows.  Also, it must have a colon at after the first char.
+   if (FindCharInReadable(L'/', begin, end)) {
+     return NS_ERROR_FILE_UNRECOGNIZED_PATH;
+   }
+ 
++  if (FilePreferences::IsBlockedUNCPath(aFilePath)) {
++    return NS_ERROR_FILE_ACCESS_DENIED;
++  }
++
+   if (secondChar != L':' && (secondChar != L'\\' || firstChar != L'\\')) {
+     return NS_ERROR_FILE_UNRECOGNIZED_PATH;
+   }
+ 
+   if (secondChar == L':') {
+     // Make sure we have a valid drive, later code assumes the drive letter
+     // is a single char a-z or A-Z.
+     if (PathGetDriveNumberW(aFilePath.Data()) == -1) {
+@@ -1974,16 +1979,20 @@ nsLocalFile::CopySingleFile(nsIFile* aSo
+     bool path1Remote, path2Remote;
+     if (!IsRemoteFilePath(filePath.get(), path1Remote) ||
+         !IsRemoteFilePath(destPath.get(), path2Remote) ||
+         path1Remote || path2Remote) {
+       dwCopyFlags |= COPY_FILE_NO_BUFFERING;
+     }
+   }
+ 
++  if (FilePreferences::IsBlockedUNCPath(destPath)) {
++    return NS_ERROR_FILE_ACCESS_DENIED;
++  }
++
+   if (!move) {
+     copyOK = ::CopyFileExW(filePath.get(), destPath.get(), nullptr,
+                            nullptr, nullptr, dwCopyFlags);
+   } else {
+     copyOK = ::MoveFileExW(filePath.get(), destPath.get(),
+                            MOVEFILE_REPLACE_EXISTING);
+ 
+     // Check if copying the source file to a different volume,
+diff --git a/xpcom/tests/gtest/TestFilePreferencesWin.cpp b/xpcom/tests/gtest/TestFilePreferencesWin.cpp
+new file mode 100644
+--- /dev/null
++++ b/xpcom/tests/gtest/TestFilePreferencesWin.cpp
+@@ -0,0 +1,141 @@
++#include "gtest/gtest.h"
++
++#include "mozilla/FilePreferences.h"
++#include "nsIFile.h"
++#include "nsXPCOMCID.h"
++
++TEST(FilePreferencesWin, Normalization)
++{
++  nsAutoString normalized;
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("foo"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("foo"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\foo"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\foo"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("foo\\some"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("foo\\some"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\.\\foo"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\."), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\.\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\.\\."), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\."), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\.\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\..\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\.."), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\..\\bar\\..\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\..\\bar"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\bar"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\..\\..\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\"));
++
++  mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\.\\..\\.\\..\\"), normalized);
++  ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\"));
++
++  bool result;
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\.."), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\..\\"), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\.\\..\\"), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\\\bar"), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\foo\\bar\\..\\..\\..\\..\\"), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\\\"), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\.\\\\"), normalized);
++  ASSERT_FALSE(result);
++
++  result = mozilla::FilePreferences::testing::NormalizePath(
++    NS_LITERAL_STRING("\\\\..\\\\"), normalized);
++  ASSERT_FALSE(result);
++}
++
++TEST(FilePreferencesWin, AccessUNC)
++{
++  nsCOMPtr<nsIFile> lf = do_CreateInstance(NS_LOCAL_FILE_CONTRACTID);
++
++  nsresult rv;
++
++  mozilla::FilePreferences::testing::SetBlockUNCPaths(false);
++
++  rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\..\\evil\\share"));
++  ASSERT_EQ(rv, NS_OK);
++
++  mozilla::FilePreferences::testing::SetBlockUNCPaths(true);
++
++  rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\..\\evil\\share"));
++  ASSERT_EQ(rv, NS_ERROR_FILE_ACCESS_DENIED);
++
++  mozilla::FilePreferences::testing::AddDirectoryToWhitelist(NS_LITERAL_STRING("\\\\nice"));
++
++  rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\share"));
++  ASSERT_EQ(rv, NS_OK);
++
++  rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\..\\evil\\share"));
++  ASSERT_EQ(rv, NS_ERROR_FILE_ACCESS_DENIED);
++}
+diff --git a/xpcom/tests/gtest/moz.build b/xpcom/tests/gtest/moz.build
+--- a/xpcom/tests/gtest/moz.build
++++ b/xpcom/tests/gtest/moz.build
+@@ -51,16 +51,21 @@ UNIFIED_SOURCES += [
+ if CONFIG['MOZ_DEBUG'] and CONFIG['OS_ARCH'] not in ('WINNT') and CONFIG['OS_TARGET'] != 'Android':
+     # FIXME bug 523392: TestDeadlockDetector doesn't like Windows
+     # Bug 1054249: Doesn't work on Android
+     UNIFIED_SOURCES += [
+         'TestDeadlockDetector.cpp',
+         'TestDeadlockDetectorScalability.cpp',
+     ]
+ 
++if CONFIG['OS_TARGET'] == 'WINNT':
++    UNIFIED_SOURCES += [
++        'TestFilePreferencesWin.cpp',
++    ]
++
+ if CONFIG['WRAP_STL_INCLUDES'] and not CONFIG['CLANG_CL']:
+     UNIFIED_SOURCES += [
+         'TestSTLWrappers.cpp',
+     ]
+ 
+ # Compile TestAllocReplacement separately so Windows headers don't pollute
+ # the global namespace for other files.
+ SOURCES += [
+
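Review bot: In `IsBlockedUNCPath` (the new `xpcom/io/FilePreferences.cpp` carried by this patch), the `break;` taken when a prefix matches but the boundary test fails ends the scan of `PathArray()`, so a path under an allowed directory is still reported as blocked whenever an earlier whitelist entry is a plain string prefix of it (constructed example: `\\srv\p\abc` listed before `\\srv\p\abc.local`). This fails closed, but it can deny access to the local profile directory when both profile directories sit on a share. Replacing `break;` with `continue;` lets the remaining entries be tried. Separately, `InitPrefs` reads `network.file.disable_unc_paths` once with a default of `false` and no observer is registered, so the check is opt-in and, as far as this patch shows, an `InitWithPath` call made before `InitDirectoriesWhitelist()`/`InitPrefs()` run or after a runtime pref change is not covered; a comment on `InitPrefs` such as `// Read once at startup; default off. Paths initialised earlier are not checked.` would record that for auditors. The `StringBeginsWith` prefix comparison is also case-sensitive, which on Windows again errs only toward blocking.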
diff --git a/gnu/packages/patches/java-commons-collections-fix-java8.patch b/gnu/packages/patches/java-commons-collections-fix-java8.patch
new file mode 100644
index 0000000000..322fd7f699
--- /dev/null
+++ b/gnu/packages/patches/java-commons-collections-fix-java8.patch
@@ -0,0 +1,299 @@
+From e760d181abd20ecb98654af63faec7b2a4d61189 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=A1bor=20Boskovits?= <boskovits@gmail.com>
+Date: Mon, 25 Jun 2018 15:02:25 +0200
+Subject: [PATCH] Rename removes in maps to fix java8.
+
+* src/java/org/apache/commons/collections/MultiHashMap.java:
+Rename "V MultiHashMap#remove(K, V)"
+to "boolean MulitHashMap#removeMapping(K, V)".
+* src/java/org/apache/commons/collections/MultiMap.java:
+Rename "V MultiMap#remove(K, V)"
+to "boolean MultiMap#removeMapping(K, V)".
+* src/java/org/apache/commons/collections/map/MultiKeyMap.java:
+Rename "V MultiKeyMap#remove(...)"
+to "V MultiKeyMap#removeMultiKey(...)".
+* src/java/org/apache/commons/collections/map/MultiValueMap.java:
+Rename "V MultiValueMap#remove(K, V)"
+to "boolean MultiValueMap#removeMapping(K, V)".
+* src/test/org/apache/commons/collections/TestMultiHashMap.java:
+Adjust accordingly.
+* src/test/org/apache/commons/collections/map/TestMultiKeyMap.java:
+Adjust accordingly.
+* src/test/org/apache/commons/collections/map/TestMultiValueMap.java:
+Adjust accordingly.
+---
+ .../commons/collections/MultiHashMap.java      |  8 ++++----
+ .../apache/commons/collections/MultiMap.java   |  2 +-
+ .../commons/collections/map/MultiKeyMap.java   |  8 ++++----
+ .../commons/collections/map/MultiValueMap.java |  8 ++++----
+ .../commons/collections/TestMultiHashMap.java  | 16 ++++++++--------
+ .../collections/map/TestMultiKeyMap.java       | 16 ++++++++--------
+ .../collections/map/TestMultiValueMap.java     | 18 +++++++++---------
+ 7 files changed, 38 insertions(+), 38 deletions(-)
+
+diff --git a/src/java/org/apache/commons/collections/MultiHashMap.java b/src/java/org/apache/commons/collections/MultiHashMap.java
+index 7fec9af..482ecbd 100644
+--- a/src/java/org/apache/commons/collections/MultiHashMap.java
++++ b/src/java/org/apache/commons/collections/MultiHashMap.java
+@@ -331,21 +331,21 @@ public class MultiHashMap extends HashMap implements MultiMap {
+      * @param item  the value to remove
+      * @return the value removed (which was passed in), null if nothing removed
+      */
+-    public Object remove(Object key, Object item) {
++    public boolean removeMapping(Object key, Object item) {
+         Collection valuesForKey = getCollection(key);
+         if (valuesForKey == null) {
+-            return null;
++            return false;
+         }
+         boolean removed = valuesForKey.remove(item);
+         if (removed == false) {
+-            return null;
++            return false;
+         }
+         // remove the list if it is now empty
+         // (saves space, and allows equals to work)
+         if (valuesForKey.isEmpty()){
+             remove(key);
+         }
+-        return item;
++        return true;
+     }
+ 
+     /**
+diff --git a/src/java/org/apache/commons/collections/MultiMap.java b/src/java/org/apache/commons/collections/MultiMap.java
+index be9455b..fe54234 100644
+--- a/src/java/org/apache/commons/collections/MultiMap.java
++++ b/src/java/org/apache/commons/collections/MultiMap.java
+@@ -66,7 +66,7 @@ public interface MultiMap extends Map {
+      * @throws ClassCastException if the key or value is of an invalid type
+      * @throws NullPointerException if the key or value is null and null is invalid
+      */
+-    public Object remove(Object key, Object item);
++    public boolean removeMapping(Object key, Object item);
+ 
+     //-----------------------------------------------------------------------
+     /**
+diff --git a/src/java/org/apache/commons/collections/map/MultiKeyMap.java b/src/java/org/apache/commons/collections/map/MultiKeyMap.java
+index 9e3e02d..0b99b65 100644
+--- a/src/java/org/apache/commons/collections/map/MultiKeyMap.java
++++ b/src/java/org/apache/commons/collections/map/MultiKeyMap.java
+@@ -197,7 +197,7 @@ public class MultiKeyMap
+      * @param key2  the second key
+      * @return the value mapped to the removed key, null if key not in map
+      */
+-    public Object remove(Object key1, Object key2) {
++    public Object removeMultiKey(Object key1, Object key2) {
+         int hashCode = hash(key1, key2);
+         int index = map.hashIndex(hashCode, map.data.length);
+         AbstractHashedMap.HashEntry entry = map.data[index];
+@@ -327,7 +327,7 @@ public class MultiKeyMap
+      * @param key3  the third key
+      * @return the value mapped to the removed key, null if key not in map
+      */
+-    public Object remove(Object key1, Object key2, Object key3) {
++    public Object removeMultiKey(Object key1, Object key2, Object key3) {
+         int hashCode = hash(key1, key2, key3);
+         int index = map.hashIndex(hashCode, map.data.length);
+         AbstractHashedMap.HashEntry entry = map.data[index];
+@@ -467,7 +467,7 @@ public class MultiKeyMap
+      * @param key4  the fourth key
+      * @return the value mapped to the removed key, null if key not in map
+      */
+-    public Object remove(Object key1, Object key2, Object key3, Object key4) {
++    public Object removeMultiKey(Object key1, Object key2, Object key3, Object key4) {
+         int hashCode = hash(key1, key2, key3, key4);
+         int index = map.hashIndex(hashCode, map.data.length);
+         AbstractHashedMap.HashEntry entry = map.data[index];
+@@ -617,7 +617,7 @@ public class MultiKeyMap
+      * @param key5  the fifth key
+      * @return the value mapped to the removed key, null if key not in map
+      */
+-    public Object remove(Object key1, Object key2, Object key3, Object key4, Object key5) {
++    public Object removeMultiKey(Object key1, Object key2, Object key3, Object key4, Object key5) {
+         int hashCode = hash(key1, key2, key3, key4, key5);
+         int index = map.hashIndex(hashCode, map.data.length);
+         AbstractHashedMap.HashEntry entry = map.data[index];
+diff --git a/src/java/org/apache/commons/collections/map/MultiValueMap.java b/src/java/org/apache/commons/collections/map/MultiValueMap.java
+index f44999b..86eaeb0 100644
+--- a/src/java/org/apache/commons/collections/map/MultiValueMap.java
++++ b/src/java/org/apache/commons/collections/map/MultiValueMap.java
+@@ -153,19 +153,19 @@ public class MultiValueMap extends AbstractMapDecorator implements MultiMap {
+      * @param value the value to remove
+      * @return the value removed (which was passed in), null if nothing removed
+      */
+-    public Object remove(Object key, Object value) {
++    public boolean removeMapping(Object key, Object value) {
+         Collection valuesForKey = getCollection(key);
+         if (valuesForKey == null) {
+-            return null;
++            return false;
+         }
+         boolean removed = valuesForKey.remove(value);
+         if (removed == false) {
+-            return null;
++            return false;
+         }
+         if (valuesForKey.isEmpty()) {
+             remove(key);
+         }
+-        return value;
++        return true;
+     }
+ 
+     /**
+diff --git a/src/test/org/apache/commons/collections/TestMultiHashMap.java b/src/test/org/apache/commons/collections/TestMultiHashMap.java
+index eca833a..a1de943 100644
+--- a/src/test/org/apache/commons/collections/TestMultiHashMap.java
++++ b/src/test/org/apache/commons/collections/TestMultiHashMap.java
+@@ -217,7 +217,7 @@ public class TestMultiHashMap extends AbstractTestMap {
+         MultiHashMap one = new MultiHashMap();
+         Integer value = new Integer(1);
+         one.put("One", value);
+-        one.remove("One", value);
++        one.removeMapping("One", value);
+         
+         MultiHashMap two = new MultiHashMap();
+         assertEquals(two, one);
+@@ -269,7 +269,7 @@ public class TestMultiHashMap extends AbstractTestMap {
+         assertEquals(4, map.totalSize());
+         map.remove("A");
+         assertEquals(3, map.totalSize());
+-        map.remove("B", "BC");
++        map.removeMapping("B", "BC");
+         assertEquals(2, map.totalSize());
+     }
+     
+@@ -292,7 +292,7 @@ public class TestMultiHashMap extends AbstractTestMap {
+         map.remove("A");
+         assertEquals(0, map.size("A"));
+         assertEquals(3, map.size("B"));
+-        map.remove("B", "BC");
++        map.removeMapping("B", "BC");
+         assertEquals(0, map.size("A"));
+         assertEquals(2, map.size("B"));
+     }
+@@ -464,11 +464,11 @@ public class TestMultiHashMap extends AbstractTestMap {
+         map.put("A", "AA");
+         map.put("A", "AB");
+         map.put("A", "AC");
+-        assertEquals(null, map.remove("C", "CA"));
+-        assertEquals(null, map.remove("A", "AD"));
+-        assertEquals("AC", map.remove("A", "AC"));
+-        assertEquals("AB", map.remove("A", "AB"));
+-        assertEquals("AA", map.remove("A", "AA"));
++        assertEquals(false, map.removeMapping("C", "CA"));
++        assertEquals(false, map.removeMapping("A", "AD"));
++        assertEquals(true, map.removeMapping("A", "AC"));
++        assertEquals(true, map.removeMapping("A", "AB"));
++        assertEquals(true, map.removeMapping("A", "AA"));
+         assertEquals(new MultiHashMap(), map);
+     }
+ 
+diff --git a/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java b/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java
+index b1ee3d0..b18f480 100644
+--- a/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java
++++ b/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java
+@@ -315,34 +315,34 @@ public class TestMultiKeyMap extends AbstractTestIterableMap {
+             switch (key.size()) {
+                 case 2:
+                 assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1)));
+-                assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1)));
++                assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1)));
+                 assertEquals(size - 1, multimap.size());
+-                assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1)));
++                assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1)));
+                 break;
+                 case 3:
+                 assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2)));
+-                assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2)));
++                assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2)));
+                 assertEquals(size - 1, multimap.size());
+-                assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2)));
++                assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2)));
+                 break;
+                 case 4:
+                 assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
+-                assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
++                assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
+                 assertEquals(size - 1, multimap.size());
+-                assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
++                assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3)));
+                 break;
+                 case 5:
+                 assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
+-                assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
++                assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
+                 assertEquals(size - 1, multimap.size());
+-                assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
++                assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
+                 assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4)));
+                 break;
+                 default:
+diff --git a/src/test/org/apache/commons/collections/map/TestMultiValueMap.java b/src/test/org/apache/commons/collections/map/TestMultiValueMap.java
+index b9a5ac8..9ecc269 100644
+--- a/src/test/org/apache/commons/collections/map/TestMultiValueMap.java
++++ b/src/test/org/apache/commons/collections/map/TestMultiValueMap.java
+@@ -161,7 +161,7 @@ public class TestMultiValueMap extends TestCase {
+         MultiValueMap one = new MultiValueMap();

+         Integer value = new Integer(1);

+         one.put("One", value);

+-        one.remove("One", value);

++        one.removeMapping("One", value);

+         

+         MultiValueMap two = new MultiValueMap();

+         assertEquals(two, one);

+@@ -187,7 +187,7 @@ public class TestMultiValueMap extends TestCase {
+         assertEquals(4, map.totalSize());

+         map.remove("A");

+         assertEquals(3, map.totalSize());

+-        map.remove("B", "BC");

++        map.removeMapping("B", "BC");

+         assertEquals(2, map.totalSize());

+     }

+     

+@@ -204,7 +204,7 @@ public class TestMultiValueMap extends TestCase {
+         assertEquals(2, map.size());

+         map.remove("A");

+         assertEquals(2, map.size());

+-        map.remove("B", "BC");

++        map.removeMapping("B", "BC");

+         assertEquals(2, map.size());

+     }

+     

+@@ -227,7 +227,7 @@ public class TestMultiValueMap extends TestCase {
+         map.remove("A");

+         assertEquals(0, map.size("A"));

+         assertEquals(3, map.size("B"));

+-        map.remove("B", "BC");

++        map.removeMapping("B", "BC");

+         assertEquals(0, map.size("A"));

+         assertEquals(2, map.size("B"));

+     }

+@@ -338,11 +338,11 @@ public class TestMultiValueMap extends TestCase {
+         map.put("A", "AA");

+         map.put("A", "AB");

+         map.put("A", "AC");

+-        assertEquals(null, map.remove("C", "CA"));

+-        assertEquals(null, map.remove("A", "AD"));

+-        assertEquals("AC", map.remove("A", "AC"));

+-        assertEquals("AB", map.remove("A", "AB"));

+-        assertEquals("AA", map.remove("A", "AA"));

++        assertEquals(false, map.removeMapping("C", "CA"));

++        assertEquals(false, map.removeMapping("A", "AD"));

++        assertEquals(true, map.removeMapping("A", "AC"));

++        assertEquals(true, map.removeMapping("A", "AB"));

++        assertEquals(true, map.removeMapping("A", "AA"));

+         assertEquals(new MultiValueMap(), map);

+     }

+ 

+-- 
+2.18.0
+
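Review bot: The Javadoc kept as context above `removeMapping` in MultiHashMap.java and MultiValueMap.java still reads `@return the value removed (which was passed in), null if nothing removed`, but the renamed method now returns `boolean`. I would change both to `@return true if the mapping was removed, false if nothing was removed`. The MultiMap interface comment presumably needs the same update, though its `@return` line lies outside the inner hunk. Because the rename changes the library's public API, a one-line comment at the top of the patch saying that dependents must call `removeMapping` / `removeMultiKey` would help whoever next touches this package.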
diff --git a/gnu/packages/patches/libreoffice-icu.patch b/gnu/packages/patches/libreoffice-icu.patch
new file mode 100644
index 0000000000..2985d564aa
--- /dev/null
+++ b/gnu/packages/patches/libreoffice-icu.patch
@@ -0,0 +1,126 @@
+This patch fixes the build of Libreoffice 6.0.5 with icu 61.1.
+It was downloaded from https://bugs.gentoo.org/651702.
+
+--- a/forms/source/xforms/datatypes.hxx	
++++ a/forms/source/xforms/datatypes.hxx	
+@@ -36,6 +36,8 @@ 
+ 
+ #include <memory>
+ 
++using icu::RegexMatcher;
++
+ 
+ namespace xforms
+ {
+--- a/i18npool/inc/collator_unicode.hxx	
++++ a/i18npool/inc/collator_unicode.hxx	
+@@ -26,6 +26,8 @@ 
+ 
+ #include <unicode/tblcoll.h>
+ 
++using icu::RuleBasedCollator;
++
+ //      ----------------------------------------------------
+ //      class Collator_Unicode
+ //      ----------------------------------------------------
+--- a/i18npool/source/breakiterator/breakiterator_unicode.cxx	
++++ a/i18npool/source/breakiterator/breakiterator_unicode.cxx	
+@@ -30,6 +30,9 @@ 
+ #include <rtl/ustring.hxx>
+ #include <string.h>
+ 
++using icu::BreakIterator;
++using icu::RuleBasedBreakIterator;
++
+ U_CDECL_BEGIN
+ extern const char OpenOffice_dat[];
+ U_CDECL_END
+--- a/i18npool/source/collator/collator_unicode.cxx	
++++ a/i18npool/source/collator/collator_unicode.cxx	
+@@ -29,6 +29,8 @@ 
+ #include <com/sun/star/i18n/CollatorOptions.hpp>
+ #include <cppuhelper/supportsservice.hxx>
+ 
++using icu::Collator;
++
+ using namespace ::com::sun::star;
+ using namespace ::com::sun::star::i18n;
+ using namespace ::com::sun::star::lang;
+--- a/i18npool/source/collator/gencoll_rule.cxx	
++++ a/i18npool/source/collator/gencoll_rule.cxx	
+@@ -31,6 +31,8 @@ 
+ 
+ #include <unicode/tblcoll.h>
+ 
++using icu::RuleBasedCollator;
++
+ /* Main Procedure */
+ 
+ void data_write(char* file, char* name, sal_uInt8 *data, sal_Int32 len)
+--- a/i18npool/source/ordinalsuffix/ordinalsuffix.cxx	
++++ a/i18npool/source/ordinalsuffix/ordinalsuffix.cxx	
+@@ -29,6 +29,8 @@ 
+ #include <unicode/normlzr.h>
+ #include <memory>
+ 
++using icu::NumberFormat;
++
+ using namespace ::com::sun::star::i18n;
+ using namespace ::com::sun::star::uno;
+ using namespace ::com::sun::star;
+--- a/i18npool/source/transliteration/ignoreDiacritics_CTL.cxx	
++++ a/i18npool/source/transliteration/ignoreDiacritics_CTL.cxx	
+@@ -12,6 +12,8 @@ 
+ #include <unicode/translit.h>
+ #include <unicode/uchar.h>
+ 
++using icu::UnicodeString;
++
+ namespace i18npool {
+ 
+ ignoreDiacritics_CTL::ignoreDiacritics_CTL()
+--- a/i18nutil/source/utility/unicode.cxx	
++++ a/i18nutil/source/utility/unicode.cxx	
+@@ -34,6 +34,9 @@ 
+ // which (obviously) breaks UnicodeType::CURRENCY_SYMBOL
+ #undef CURRENCY_SYMBOL
+ 
++using icu::NumberFormat;
++using icu::UnicodeString;
++
+ using namespace ::com::sun::star::i18n;
+ 
+ template<class L, typename T>
+--- a/lotuswordpro/source/filter/localtime.cxx	
++++ a/lotuswordpro/source/filter/localtime.cxx	
+@@ -57,6 +57,8 @@ 
+ #include <limits.h>
+ #include <unicode/timezone.h>
+ 
++using icu::TimeZone;
++
+ const long DAY_SEC =24 * 60 * 60;
+ const long YEAR_SEC = 365 * DAY_SEC;
+ const long FOURYEAR_SEC = 4 * YEAR_SEC + DAY_SEC;
+--- a/opencl/source/openclconfig.cxx	
++++ a/opencl/source/openclconfig.cxx	
+@@ -17,6 +17,8 @@ 
+ #include <sal/log.hxx>
+ #include <sal/types.h>
+ 
++using icu::RegexMatcher;
++
+ OpenCLConfig::OpenCLConfig() :
+     mbUseOpenCL(true)
+ {
+--- a/vcl/inc/scrptrun.h	
++++ a/vcl/inc/scrptrun.h	
+@@ -45,6 +45,8 @@ 
+ #include <unicode/uscript.h>
+ #include <vector>
+ 
++using icu::UObject;
++
+ namespace vcl {
+ 
+ struct ParenStackEntry
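Review bot: Three of these `using icu::…;` declarations land at global scope in headers (forms/source/xforms/datatypes.hxx, i18npool/inc/collator_unicode.hxx, vcl/inc/scrptrun.h), so every translation unit that includes them inherits `RegexMatcher`, `RuleBasedCollator` and `UObject` as unqualified names. In the headers I would qualify the uses instead, e.g. `icu::RegexMatcher`, and keep the using-declarations to the .cxx files where the effect stays local. The use sites are outside these hunks, so how many lines that would touch cannot be judged from here.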
diff --git a/gnu/packages/patches/libtiff-CVE-2018-10963.patch b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
new file mode 100644
index 0000000000..d31c12399d
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
@@ -0,0 +1,40 @@
+Fix CVE-2018-10963:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
+
+From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 14:24:15 +0200
+Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
+
+---
+ libtiff/tif_dirwrite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2430de6d..c15a28db 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ 								}
+ 								break;
+ 							default:
+-								assert(0);   /* we should never get here */
+-								break;
++								TIFFErrorExt(tif->tif_clientdata,module,
++								            "Cannot write tag %d (%s)",
++								            TIFFFieldTag(o),
++                                                                            o->field_name ? o->field_name : "unknown");
++								goto bad;
+ 						}
+ 					}
+ 				}
+-- 
+2.17.0
+
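Review bot: In the new `default:` branch the message formats `TIFFFieldTag(o)` with `%d`; if that accessor returns an unsigned 32-bit tag, as I believe it does in libtiff, the specifier should be `%u`, i.e. `"Cannot write tag %u (%s)"`. The continuation line for `o->field_name` is indented with spaces while the lines around it use tabs. Replacing `assert(0)` with an error return is the right direction because the unhandled case can evidently be reached rather than being impossible. The body of TIFFWriteDirectorySec and the `bad` label are outside the hunk, so the cleanup done there cannot be checked from here.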
diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
new file mode 100644
index 0000000000..f49815789e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-8095:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2780
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d
+
+From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
+
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+---
+ libtiff/tif_lzw.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 4ccb443c..94d85e38 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 	char *tp;
+ 	unsigned char *bp;
+ 	int code, nbits;
++	int len;
+ 	long nextbits, nextdata, nbitsmask;
+ 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ 
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 				}  while (--occ);
+ 				break;
+ 			}
+-			assert(occ >= codep->length);
+-			op += codep->length;
+-			occ -= codep->length;
+-			tp = op;
++			len = codep->length;
++			tp = op + len;
+ 			do {
+-				*--tp = codep->value;
+-			} while( (codep = codep->next) != NULL );
++				int t;
++				--tp;
++				t = codep->value;
++				codep = codep->next;
++				*tp = (char)t;
++			} while (codep && tp > op);
++			assert(occ >= len);
++			op += len;
++			occ -= len;
+ 		} else {
+ 			*op++ = (char)code;
+ 			occ--;
+-- 
+2.17.0
+
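Review bot: When the rewritten copy loop in LZWDecodeCompat stops because `tp` has reached `op` while `codep` is still non-NULL, the code chain was longer than `codep->length`, yet decoding carries on as if the string were valid. The write before `op` is prevented, but I would treat that state as corrupt input right after the loop, e.g. `if (codep) { /* report corrupt LZW code chain and stop decoding */ break; }`; the commit message says the code mirrors LZWDecode(), so whatever that function does in this case should be carried over as well. The `assert(occ >= len)` that remains disappears in NDEBUG builds and should not be read as a bounds check. Separately, the first line of the patch header says `CVE-2018-8095` while the file name and both links say CVE-2018-8905. The enclosing loop and the rest of the function lie outside the hunk.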
diff --git a/gnu/packages/patches/libyaml-CVE-2014-9130.patch b/gnu/packages/patches/libyaml-CVE-2014-9130.patch
deleted file mode 100644
index 800358c0d6..0000000000
--- a/gnu/packages/patches/libyaml-CVE-2014-9130.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fixes CVE-2014-9130
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
-
-Upstream source:
-https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
-
-# HG changeset patch
-# User Kirill Simonov <xi@resolvent.net>
-# Date 1417197312 21600
-# Node ID 2b9156756423e967cfd09a61d125d883fca6f4f2
-# Parent  053f53a381ff6adbbc93a31ab7fdee06a16c8a33
-Removed invalid simple key assertion (thank to Jonathan Gray).
-
-diff --git a/src/scanner.c b/src/scanner.c
---- a/src/scanner.c
-+++ b/src/scanner.c
-@@ -1106,13 +1106,6 @@
-             && parser->indent == (ptrdiff_t)parser->mark.column);
- 
-     /*
--     * A simple key is required only when it is the first token in the current
--     * line.  Therefore it is always allowed.  But we add a check anyway.
--     */
--
--    assert(parser->simple_key_allowed || !required);    /* Impossible. */
--
--    /*
-      * If the current position may start a simple key, save it.
-      */
- 
diff --git a/gnu/packages/patches/maven-generate-component-xml.patch b/gnu/packages/patches/maven-generate-component-xml.patch
new file mode 100644
index 0000000000..6cb23c7858
--- /dev/null
+++ b/gnu/packages/patches/maven-generate-component-xml.patch
@@ -0,0 +1,171 @@
+From da9e282d834f0e2128501a8154128dc95b4c599d Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Sat, 9 Sep 2017 20:34:38 +0200
+Subject: [PATCH] Add a script to generate component.xml files.
+
+plexus-component-metadata is normally used for this task, but it
+depends on maven-core, which depends on maven-model-builder, which needs
+plexus-component-metadata. This script is meant to break this dependency
+cycle.
+---
+ components.sh | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 132 insertions(+)
+ create mode 100755 components.sh
+
+diff --git a/components.sh b/components.sh
+new file mode 100755
+index 0000000..c6748bd
+--- /dev/null
++++ b/components.sh
+@@ -0,0 +1,148 @@
++## This script generates a rough plexus/components.xml file. It is meant to
++## replace plexus-component-metadata as it eventually has a recursive dependency
++## on itself.
++##
++## This script must be run in the source directory (usually src/main/java).
++
++# Finds the complete name from a class name.
++function find_role() {
++    role=$1
++    # Find role
++    case $role in
++      "SettingsWriter" | "SettingsReader")
++        role=org.apache.maven.settings.io.$role
++        ;;
++      "SecDispatcher")
++        role=org.sonatype.plexus.components.sec.dispatcher.$role
++        ;;
++      "SettingsDecrypter")
++        role=org.apache.maven.settings.crypto.$role
++        ;;
++      "SettingsBuilder")
++        role=org.apache.maven.settings.building.$role
++        ;;
++      "SettingsValidator")
++        role=org.apache.maven.settings.validation.$role
++        ;;
++      "LoggerFactory")
++        role=org.eclipse.aether.spi.log.$role
++        ;;
++      "RemoteRepositoryManager" | "VersionResolver" | "VersionRangeResolver" \
++      | "ArtifactResolver" | "RepositoryEventDispatcher" | "MetadataResolver" \
++      | "SyncContextFactory" | "MetadataGeneratorFactory" | "MetadatResolver" \
++      | "ArtifactDescriptorReader")
++        role=org.eclipse.aether.impl.$role
++        ;;
++      "ModelBuilder" | "ModelProcessor")
++        role=org.apache.maven.model.building.$role
++        ;;
++      "ModelValidator")
++        role=org.apache.maven.model.validation.$role
++        ;;
++      "ProfileInjector" | "ProfileSelector")
++        role=org.apache.maven.model.profile.$role
++        ;;
++      "ProfileActivator")
++        role=org.apache.maven.model.profile.activation.$role
++        ;;
++      "SuperPomProvider")
++        role=org.apache.maven.model.superpom.$role
++        ;;
++      "ReportConfigurationExpander" | "PluginConfigurationExpander" \
++      | "ReportingConverter" | "LifecycleBindingsInjector")
++        role=org.apache.maven.model.plugin.$role
++        ;;
++      "ModelLocator")
++        role=org.apache.maven.model.locator.$role
++        ;;
++      "ModelPathTranslator" | "PathTranslator" | "UrlNormalizer" | "ModelUrlNormalizer")
++        role=org.apache.maven.model.path.$role
++        ;;
++      "DependencyManagementInjector" | "PluginManagementInjector")
++        role=org.apache.maven.model.management.$role
++        ;;
++      "ModelWriter" | "ModelReader")
++        role=org.apache.maven.model.io.$role
++        ;;
++      "DependencyManagementImporter")
++        role=org.apache.maven.model.composition.$role
++        ;;
++      "ModelNormalizer")
++        role=org.apache.maven.model.normalization.$role
++        ;;
++      "ModelInterpolator")
++        role=org.apache.maven.model.interpolation.$role
++        ;;
++      "InheritanceAssembler")
++        role=org.apache.maven.model.inheritance.$role
++        ;;
++      *)
++        role=$role
++        ;;
++    esac
++    echo $role
++}
++
++function generate_xml() {
++echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++echo "<component-set>"
++echo "<components>"
++
++for file in `find -name '*.java'`; do
++  annot=`grep "@Component" $file`
++  if [ "$?" == "0" ]; then
++    # We have a component!
++    role=$(echo $annot | sed 's|.*role = \(.*\).class.*|\1|')
++    role_hint=$(echo $annot | sed 's|.*hint = "\(.*\)" .*|\1|')
++    if [ "$role_hint" = "$annot" ]; then
++      role_hint=default
++    fi
++    implem=$(echo $file | sed -e 's|^\./||' -e 's|\.java||' -e 's|/|.|g')
++    role=$(find_role $role)
++
++    echo "<component>"
++    echo "  <role>$role</role>"
++    echo "  <role-hint>$role_hint</role-hint>"
++    echo "  <implementation>$implem</implementation>"
++    echo "  <description />"
++    echo "  <isolated-realm>false</isolated-realm>"
++    echo "  <requirements>"
++    reqn=1
++    cont=true
++    while [ "$cont" = "true" ]; do
++      requirement=$(grep "@Requirement" $file -A1 | head -n ${reqn} | tail -1)
++      ((reqn++))
++      property=$(grep "@Requirement" $file -A1 | head -n ${reqn} | tail -1)
++      if (echo $requirement | grep "@Requirement" >/dev/null); then
++        ((reqn++))
++        ((reqn++))
++        optional=$(echo $requirement | sed 's|.*optional = \(.*\) .*|\1|')
++        req_role=$(echo $requirement | sed 's|.*role = \(.*\).class .*|\1|')
++        if (echo $req_role | grep "@Requirement" >/dev/null); then
++          req_role=$(echo $property | sed 's|.*private \(.*\) .*|\1|')
++        fi
++        req_role=$(find_role $req_role)
++        req_name=$(echo $property | sed 's|[^ ]* [^ ]* \([^ ;]*\).*|\1|')
++        echo "    <requirement>"
++        echo "      <role>$req_role</role>"
++        echo "      <field-name>$req_name</field-name>"
++        if (echo $optional | grep "@Requirement" >/dev/null); then
++          :
++        else
++          echo "      <optional>$optional</optional>"
++        fi
++        echo "    </requirement>"
++      else
++        cont=false
++      fi
++    done
++    echo "  </requirements>"
++    echo "</component>"
++  fi
++done
++
++echo "</components>"
++echo "</component-set>"
++}
++
++(cd $1; generate_xml) > $2
+-- 
+2.14.1
+
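Review bot: The last line of components.sh, `(cd $1; generate_xml) > $2`, leaves both arguments unquoted and still runs `generate_xml` when `cd` fails, in which case `find` scans whatever directory the build happens to be in; `(cd "$1" && generate_xml) > "$2"` avoids both. The same unquoted expansion appears in the `for file in` loop over the output of `find -name '*.java'` and in `grep "@Component" $file`, and again in sisu.sh added by the next patch (`grep "^@Named" $1/$file`, `done > $2`), so paths containing whitespace or glob characters are split or expanded. The script also uses `function`, `((reqn++))` and `[ "$?" == "0" ]` without a `#!` line, so it only works when invoked explicitly with bash; a shebang or a comment stating that would make the requirement visible. In `find_role`, the pattern `"MetadatResolver"` looks like a misspelling of the `"MetadataResolver"` entry two items earlier.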
diff --git a/gnu/packages/patches/maven-generate-javax-inject-named.patch b/gnu/packages/patches/maven-generate-javax-inject-named.patch
new file mode 100644
index 0000000000..b8eba5ab90
--- /dev/null
+++ b/gnu/packages/patches/maven-generate-javax-inject-named.patch
@@ -0,0 +1,31 @@
+From 1d20c0e403f1a38d4aca830e0eb4db03ba43efd3 Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Tue, 19 Sep 2017 22:21:29 +0200
+Subject: [PATCH] Add sisu-maven-plugin replacement
+
+---
+ sisu.sh | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+ create mode 100755 sisu.sh
+
+diff --git a/sisu.sh b/sisu.sh
+new file mode 100755
+index 0000000..979f373
+--- /dev/null
++++ b/sisu.sh
+@@ -0,0 +1,12 @@
++## This script generates a rough javax.inject.Named file. It is meant to
++## replace sisu-maven-plugin as it eventually has a recursive dependency
++## on maven.
++##
++## This script must be run in the source directory (usually src/main/java).
++
++for file in `(cd $1; find -name '*.java')`; do
++  annot=`grep "^@Named" $1/$file`
++  if [ "$annot" != "" ]; then
++    echo $file | sed -e 's|^\./||' -e 's|\.java||' -e 's|/|.|g'
++  fi
++done > $2
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/mrrescue-support-love-11.patch b/gnu/packages/patches/mrrescue-support-love-11.patch
new file mode 100644
index 0000000000..2786a6b01b
--- /dev/null
+++ b/gnu/packages/patches/mrrescue-support-love-11.patch
@@ -0,0 +1,213 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Tue, 19 Jun 2018 04:37:46 +0200
+Subject: gnu: mrrescue: Support Love 11.
+
+The patch below was copied verbatim from an as-yet-unmerged PR[0] to
+make Mr. Rescue run on a newer version of the Löve engine.
+
+[0]: https://github.com/SimonLarsen/mrrescue/pull/17
+---
+From ab23031e0c2faecb77fde1be8a41d6f8ea4e6eda Mon Sep 17 00:00:00 2001
+From: Mystro256 <alexjnewt@hotmail.com>
+Date: Sun, 10 Jun 2018 21:19:23 -0400
+Subject: [PATCH] Love 11 support
+
+---
+ conf.lua            | 2 +-
+ config.lua          | 6 +++---
+ highscore_entry.lua | 4 ++--
+ highscore_list.lua  | 4 ++--
+ ingame.lua          | 6 +++---
+ ingame_menu.lua     | 4 ++--
+ joystick.lua        | 4 ++--
+ main.lua            | 2 +-
+ resources.lua       | 4 ++--
+ util.lua            | 4 ++--
+ 10 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/conf.lua b/conf.lua
+index 8776da4..f00b216 100644
+--- a/conf.lua
++++ b/conf.lua
+@@ -1,6 +1,6 @@
+ function love.conf(t)
+     t.identity = "mrrescue"
+-    t.version = "0.10.0"
++    t.version = "11.0"
+     t.console = false
+     t.accelerometerjoystick = true
+     t.gammacorrect = false
+diff --git a/config.lua b/config.lua
+index 63eeb04..71c2b66 100644
+--- a/config.lua
++++ b/config.lua
+@@ -38,7 +38,7 @@ function loadConfig()
+ 			config[i] = v
+ 		end
+ 	end
+-	if love.filesystem.exists("settings") then
++	if love.filesystem.getInfo("settings")~= nil then
+ 		local data = love.filesystem.read("settings")
+ 		local file = TSerial.unpack(data)
+ 		for i,v in pairs(file) do
+@@ -52,7 +52,7 @@ function loadConfig()
+ end
+ 
+ function loadHighscores()
+-	if love.filesystem.exists("highscores") then
++	if love.filesystem.getInfo("highscores")~= nil then
+ 		local data = love.filesystem.read("highscores")
+ 		local file = TSerial.unpack(data)
+ 		for i=1,3 do
+@@ -64,7 +64,7 @@ function loadHighscores()
+ end
+ 
+ function loadStats()
+-	if love.filesystem.exists("stats") then
++	if love.filesystem.getInfo("stats")~= nil then
+ 		local data = love.filesystem.read("stats")
+ 		stats = TSerial.unpack(data)
+ 	end
+diff --git a/highscore_entry.lua b/highscore_entry.lua
+index 2f763af..3b3bb73 100644
+--- a/highscore_entry.lua
++++ b/highscore_entry.lua
+@@ -45,9 +45,9 @@ function highscore_entry.draw()
+ 		for ix = 1,10 do
+ 			if highscore_entry.selection == char then
+ 				lg.rectangle("fill", 33+ix*16, 66+iy*16, 14, 14)
+-				lg.setColor(0,0,0,255)
++				lg.setColor(0,0,0,1)
+ 				lg.print(KEYBOARD:sub(char,char), 37+ix*16, 70+iy*16)
+-				lg.setColor(255,255,255,255)
++				lg.setColor(1,1,1,1)
+ 			else
+ 				lg.print(KEYBOARD:sub(char,char), 37+ix*16, 70+iy*16)
+ 			end
+diff --git a/highscore_list.lua b/highscore_list.lua
+index 6a17973..b66d0e2 100644
+--- a/highscore_list.lua
++++ b/highscore_list.lua
+@@ -31,10 +31,10 @@ function highscore_list.draw()
+ 		if scores[i] then
+ 			if highscore_list.level == highscore_list.hllevel
+ 			and highscore_list.hlpos == i then
+-				lg.setColor(25,118,115,255)
++				lg.setColor(25/255,118/255,115/255,1)
+ 				lg.print(scores[i].name,   48, 14+i*16)
+ 				lg.print(scores[i].score, 105, 14+i*16)
+-				lg.setColor(255,255,255,255)
++				lg.setColor(1,1,1,1)
+ 			else
+ 				lg.print(scores[i].name,   48, 14+i*16)
+ 				lg.print(scores[i].score, 105, 14+i*16)
+diff --git a/ingame.lua b/ingame.lua
+index 52004f1..f5c6f7c 100644
+--- a/ingame.lua
++++ b/ingame.lua
+@@ -189,16 +189,16 @@ function ingame.draw()
+ 		lg.pop()
+ 
+ 		if map.type == MT_NORMAL then
+-			lg.setBlendMode("multiply")
++			lg.setBlendMode("multiply", "premultiplied")
+ 			lg.draw(canvas, 0,0)
+ 			lg.setBlendMode("alpha")
+ 		end
+ 
+ 		-- Draw red screen if hit
+ 		if player.heat > 0 then
+-			lg.setColor(255,255,255,cap(player.heat*255, 16, 255))
++			lg.setColor(1,1,1,cap(player.heat*255, 16, 255)/255)
+ 			lg.draw(img.red_screen, quad.red_screen, 0,0)
+-			lg.setColor(255,255,255,255)
++			lg.setColor(1,1,1,1)
+ 		end
+ 
+ 		-- Draw hud
+diff --git a/ingame_menu.lua b/ingame_menu.lua
+index 9fcf768..82a8459 100644
+--- a/ingame_menu.lua
++++ b/ingame_menu.lua
+@@ -18,10 +18,10 @@ function ingame_menu.draw()
+ 	lg.pop()
+ 
+ 	lg.scale(config.scale)
+-	lg.setColor(0,0,0,238)
++	lg.setColor(0,0,0,238/255)
+ 	lg.rectangle("fill", 0, 0, WIDTH, HEIGHT)
+ 
+-	lg.setColor(255,255,255,255)
++	lg.setColor(1,1,1,1)
+ 	lg.printf("PAUSED", 0, 46, WIDTH, "center")
+ 	lg.print("RESUME", 103, 92)
+ 	lg.print("QUIT", 103, 106)
+diff --git a/joystick.lua b/joystick.lua
+index 50ccadb..72d545e 100644
+--- a/joystick.lua
++++ b/joystick.lua
+@@ -22,11 +22,11 @@ function joystick.draw()
+ 	lg.printf("SET JOYSTICK", 0, 39, WIDTH, "center")
+ 	for i=1,4 do
+ 		if joystick.waiting == true and joystick.selection == i then
+-			lg.setColor(195,52,41)
++			lg.setColor(195/255,52/255,41/255)
+ 		end
+ 		lg.print(string.upper(joykeynames[i]), 65, 53+i*13)
+ 		lg.print(config.joykeys[joykeynames[i]], 165, 53+i*13)
+-		lg.setColor(255,255,255)
++		lg.setColor(1,1,1)
+ 	end
+ 	lg.print("DEFAULT", 65, 118)
+ 	lg.print("BACK", 65, 131)
+diff --git a/main.lua b/main.lua
+index 9433e42..56096fa 100644
+--- a/main.lua
++++ b/main.lua
+@@ -273,7 +273,7 @@ function love.releaseerrhand(msg)
+     local font = love.graphics.newFont(14)
+     love.graphics.setFont(font)
+ 
+-    love.graphics.setColor(255, 255, 255, 255)
++    love.graphics.setColor(1, 1, 1, 1)
+ 
+     love.graphics.clear()
+ 
+diff --git a/resources.lua b/resources.lua
+index e5aa70d..1bab520 100644
+--- a/resources.lua
++++ b/resources.lua
+@@ -7,7 +7,7 @@ local snd = {}	-- sound Sources
+ 
+ local IMAGE_FILES = {
+ 	"splash", "tangram", "lovesplashpixel", "howto",
+-	"tiles", "door", "boldfont", "captain_dialog", "captain_dialog_sad",
++	"tiles", "door", "captain_dialog", "captain_dialog_sad",
+ 	"boss_health", "highscore_panes", "exclamation", "stats_screen",
+ 	"awards", "hud", "hud2", "hud_people", "item_slots", "water_bar",
+ 	"reserve_bar", "overloaded_bar", "temperature_bar", "temperature_bar_blink",
+@@ -147,7 +147,7 @@ function loadResources()
+ 	img.stream:setWrap("repeat", "clamp")
+ 
+ 	-- Create fonts
+-	font.bold = lg.newImageFont(img.boldfont, " ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,!'-:*@<>+/_$&?", 2)
++	font.bold = lg.newImageFont("data/boldfont.png", " ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,!'-:*@<>+/_$&?", 2)
+ 	lg.setFont(font.bold)
+ 
+ 	-- Create quads
+diff --git a/util.lua b/util.lua
+index b9976da..656600a 100644
+--- a/util.lua
++++ b/util.lua
+@@ -105,9 +105,9 @@ end
+ 
+ 
+ function drawBox(x,y,w,h)
+-	lg.setColor(30,23,18)
++	lg.setColor(30/255,23/255,18/255)
+ 	lg.rectangle("fill",x+1,y+1,w-2,h-2)
+-	lg.setColor(255,255,255)
++	lg.setColor(1,1,1)
+ 	-- Draw sides
+ 	lg.draw(img.menu_box, quad.box_left, x, y+1, 0, 1, (h-2))
+ 	lg.draw(img.menu_box, quad.box_left, x+w, y+1, 0, -1, (h-2))
diff --git a/gnu/packages/patches/mumble-1.2.19-abs.patch b/gnu/packages/patches/mumble-1.2.19-abs.patch
new file mode 100644
index 0000000000..683325f4bc
--- /dev/null
+++ b/gnu/packages/patches/mumble-1.2.19-abs.patch
@@ -0,0 +1,31 @@
+From ea861fe86743c8402bbad77d8d1dd9de8dce447e Mon Sep 17 00:00:00 2001
+From: Mikkel Krautz <mikkel@krautz.dk>
+Date: Fri, 29 Dec 2017 14:47:25 +0100
+Subject: [PATCH] AudioOutput: do not use non-existant template version of
+ std::abs.
+
+This change fixes AudioOutput to use the float overload of std::abs:
+
+    float std::abs(float);
+
+instead of a non-existant template version (for newer Boost 1.66).
+
+Fixes mumble-voip/mumble#3281
+
+---
+ src/mumble/AudioOutput.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mumble/AudioOutput.cpp b/src/mumble/AudioOutput.cpp
+index cbe0c0e2b..7a0a5e2ab 100644
+--- a/src/mumble/AudioOutput.cpp
++++ b/src/mumble/AudioOutput.cpp
+@@ -437,7 +437,7 @@ bool AudioOutput::mix(void *outbuff, unsigned int nsamp) {
+ 					top[2] = 0.0f;
+ 				}
+ 
+-				if (std::abs<float>(front[0] * top[0] + front[1] * top[1] + front[2] * top[2]) > 0.01f) {
++				if (std::abs(front[0] * top[0] + front[1] * top[1] + front[2] * top[2]) > 0.01f) {
+ 					// Not perpendicular. Assume Y up and rotate 90 degrees.
+ 
+ 					float azimuth = 0.0f;
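Review bot: Dropping the explicit `<float>` in `AudioOutput::mix` leaves the choice of `std::abs` overload to whichever headers happen to be in scope, and the hunk does not show the file's includes. The `float std::abs(float)` overload named in the commit message is declared by `<cmath>`; if `AudioOutput.cpp` does not include it directly, add `#include <cmath>` rather than depending on a transitive include from Boost or Qt. Otherwise a later header change could make this call ambiguous, or resolve it to an integer overload and truncate the dot product before the `> 0.01f` comparison. The body of `mix` starts and ends outside the hunk.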
diff --git a/gnu/packages/patches/nyx-show-header-stats-with-python3.patch b/gnu/packages/patches/nyx-show-header-stats-with-python3.patch
new file mode 100644
index 0000000000..5b20f180f7
--- /dev/null
+++ b/gnu/packages/patches/nyx-show-header-stats-with-python3.patch
@@ -0,0 +1,70 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Fri, 22 Jun 2018 02:56:39 +0200
+Subject: nyx: Show header stats.
+
+The following patch was taken verbatim from the upstream repository and
+will be included in the next release.
+---
+commit 3494111cc81ad4985e81d0c1ea5e451d8f7a2bcc
+Author: Damian Johnson <atagar@torproject.org>
+Date:   Mon Feb 5 20:07:40 2018 -0800
+
+    Header stats missing with python3
+    
+    Ick! took me a while to find this. Python3 changed division from providing ints
+    to floats. This in turn caused our header panel to call addstr with float x/y
+    coordinates, which made that funciton fail silently. End result is that when
+    the header panel showed two columns of stats the right column was missing.
+    
+    Caught thanks to Stijn.
+
+diff --git a/nyx/panel/header.py b/nyx/panel/header.py
+index 09e3838..fb6f2f7 100644
+--- a/nyx/panel/header.py
++++ b/nyx/panel/header.py
+@@ -155,7 +155,7 @@ class HeaderPanel(nyx.panel.DaemonPanel):
+     # space available for content
+ 
+     interface = nyx_interface()
+-    left_width = max(subwindow.width / 2, 77) if is_wide else subwindow.width
++    left_width = max(subwindow.width // 2, 77) if is_wide else subwindow.width
+     right_width = subwindow.width - left_width
+ 
+     _draw_platform_section(subwindow, 0, 0, left_width, vals)
+diff --git a/web/changelog/index.html b/web/changelog/index.html
+index 333fa84..196d82b 100644
+--- a/web/changelog/index.html
++++ b/web/changelog/index.html
+@@ -74,6 +74,12 @@
+           </ul>
+         </li>
+ 
++        <li><span class="component">Header</span>
++          <ul>
++            <li>Right column of stats missing when using python 3.x</li>
++          </ul>
++        </li>
++
+         <li><span class="component">Connections</span>
+           <ul>
+             <li>Geoip information unavailable for inbound connections</li>
+diff --git a/web/changelog/legacy.html b/web/changelog/legacy.html
+index a380806..02d405f 100644
+--- a/web/changelog/legacy.html
++++ b/web/changelog/legacy.html
+@@ -137,13 +137,13 @@
+           </ul>
+         </li>
+ 
+-        <li><span class="component">Startup</span>
++        <li><span class="component">Graph</span>
+           <ul>
+             <li>Crash when pausing if we showed accounting stats</li>
+           </ul>
+         </li>
+ 
+-        <li><span class="component">Startup</span>
++        <li><span class="component">Logging</span>
+           <ul>
+             <li>Skip reading from malformed tor log files</li>
+             <li>Unable to log GUARD events</li>
diff --git a/gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch b/gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch
new file mode 100644
index 0000000000..39fb7aa226
--- /dev/null
+++ b/gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch
@@ -0,0 +1,149 @@
+From a87c3f20e846c00e53d695497dba7038edbd12f0 Mon Sep 17 00:00:00 2001
+From: Valentin Lorentz <progval@progval.net>
+Date: Thu, 13 Aug 2015 11:59:04 +0200
+Subject: [PATCH] Enable ocamldoc to build reproducible manpages
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794586
+Signed-off-by: Stephane Glondu <steph@glondu.net>
+---
+ ocamldoc/odoc_man.ml   | 15 +++++----------
+ ocamldoc/odoc_misc.ml  | 12 ++++++++++--
+ ocamldoc/odoc_misc.mli |  7 ++++++-
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/ocamldoc/odoc_man.ml b/ocamldoc/odoc_man.ml
+index 615c5e172..3c85aa32a 100644
+--- a/ocamldoc/odoc_man.ml
++++ b/ocamldoc/odoc_man.ml
+@@ -864,14 +864,13 @@ class man =
+     (** Generate the man page for the given class.*)
+     method generate_for_class cl =
+       Odoc_info.reset_type_names () ;
+-      let date = Unix.time () in
+       let file = self#file_name cl.cl_name in
+       try
+         let chanout = self#open_out file in
+         let b = new_buf () in
+         bs b (".TH \""^cl.cl_name^"\" ");
+         bs b !man_section ;
+-        bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" ");
++        bs b (" source: "^Odoc_misc.current_date^" ");
+         bs b "OCamldoc ";
+         bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n");
+ 
+@@ -923,14 +922,13 @@ class man =
+     (** Generate the man page for the given class type.*)
+     method generate_for_class_type ct =
+       Odoc_info.reset_type_names () ;
+-      let date = Unix.time () in
+       let file = self#file_name ct.clt_name in
+       try
+         let chanout = self#open_out file in
+         let b = new_buf () in
+         bs b (".TH \""^ct.clt_name^"\" ");
+         bs b !man_section ;
+-        bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" ");
++        bs b (" source: "^Odoc_misc.current_date^" ");
+         bs b "OCamldoc ";
+         bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n");
+ 
+@@ -1016,14 +1014,13 @@ class man =
+     (** Generate the man file for the given module type.
+        @raise Failure if an error occurs.*)
+     method generate_for_module_type mt =
+-      let date = Unix.time () in
+       let file = self#file_name mt.mt_name in
+       try
+         let chanout = self#open_out file in
+         let b = new_buf () in
+         bs b (".TH \""^mt.mt_name^"\" ");
+         bs b !man_section ;
+-        bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" ");
++        bs b (" source: "^Odoc_misc.current_date^" ");
+         bs b "OCamldoc ";
+         bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n");
+ 
+@@ -1099,14 +1096,13 @@ class man =
+     (** Generate the man file for the given module.
+        @raise Failure if an error occurs.*)
+     method generate_for_module m =
+-      let date = Unix.time () in
+       let file = self#file_name m.m_name in
+       try
+         let chanout = self#open_out file in
+         let b = new_buf () in
+         bs b (".TH \""^m.m_name^"\" ");
+         bs b !man_section ;
+-        bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" ");
++        bs b (" source: "^Odoc_misc.current_date^" ");
+         bs b "OCamldoc ";
+         bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n");
+ 
+@@ -1206,14 +1202,13 @@ class man =
+           | Res_const (_,f) -> f.vc_name
+          )
+      in
+-     let date = Unix.time () in
+       let file = self#file_name name in
+       try
+         let chanout = self#open_out file in
+         let b = new_buf () in
+         bs b (".TH \""^name^"\" ");
+         bs b !man_section ;
+-        bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" ");
++        bs b (" source: "^Odoc_misc.current_date^" ");
+         bs b "OCamldoc ";
+         bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n");
+         bs b ".SH NAME\n";
+diff --git a/ocamldoc/odoc_misc.ml b/ocamldoc/odoc_misc.ml
+index 4c74476da..456225f62 100644
+--- a/ocamldoc/odoc_misc.ml
++++ b/ocamldoc/odoc_misc.ml
+@@ -223,9 +223,9 @@ let apply_opt f v_opt =
+     None -> None
+   | Some v -> Some (f v)
+ 
+-let string_of_date ?(hour=true) d =
++let string_of_date ?(absolute=false) ?(hour=true) d =
+   let add_0 s = if String.length s < 2 then "0"^s else s in
+-  let t = Unix.localtime d in
++  let t = (if absolute then Unix.gmtime else Unix.localtime) d in
+   (string_of_int (t.Unix.tm_year + 1900))^"-"^
+   (add_0 (string_of_int (t.Unix.tm_mon + 1)))^"-"^
+   (add_0 (string_of_int t.Unix.tm_mday))^
+@@ -238,6 +238,14 @@ let string_of_date ?(hour=true) d =
+      ""
+   )
+ 
++let current_date =
++  let time =
++    try
++      float_of_string (Sys.getenv "SOURCE_DATE_EPOCH")
++    with
++      Not_found -> Unix.time ()
++  in string_of_date ~absolute: true ~hour: false time
++
+ 
+ let rec text_list_concat sep l =
+   match l with
+diff --git a/ocamldoc/odoc_misc.mli b/ocamldoc/odoc_misc.mli
+index dd5a7fcb9..38ff0612b 100644
+--- a/ocamldoc/odoc_misc.mli
++++ b/ocamldoc/odoc_misc.mli
+@@ -62,7 +62,12 @@ val apply_opt : ('a -> 'b) -> 'a option -> 'b option
+ 
+ (** Return a string representing a date given as a number of seconds
+    since 1970. The hour is optionnaly displayed. *)
+-val string_of_date : ?hour:bool -> float -> string
++val string_of_date : ?absolute:bool -> ?hour:bool -> float -> string
++
++(* Value returned by string_of_date for current time.
++ * Uses environment variable SOURCE_DATE_EPOCH if set; falls back to
++ * current timestamp otherwise. *)
++val current_date : string
+ 
+ (** Return the first sentence (until the first dot) of a text.
+    Don't stop in the middle of [Code], [Verbatim], [List], [Lnum],
+-- 
+2.17.1
+
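Review bot: `current_date` in `odoc_misc.ml` handles only `Not_found`, so a `SOURCE_DATE_EPOCH` that is set but not numeric (an empty string, for instance) makes `float_of_string` raise `Failure`. Because `current_date` is a top-level value, that exception would presumably escape when the module is initialised, not just when a man page is written. Handle the case explicitly with a clear message, e.g. `| Failure _ -> failwith "SOURCE_DATE_EPOCH is not a valid timestamp"`. Silently falling back to `Unix.time ()` would make the output non-reproducible again without anyone noticing. The new comment in `odoc_misc.mli` opens with `(*` where its neighbours use `(**`, so ocamldoc will not attach it to `current_date`.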
diff --git a/gnu/packages/patches/opensmtpd-fix-crash.patch b/gnu/packages/patches/opensmtpd-fix-crash.patch
new file mode 100644
index 0000000000..0030167533
--- /dev/null
+++ b/gnu/packages/patches/opensmtpd-fix-crash.patch
@@ -0,0 +1,44 @@
+From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001
+From: johannes <johannes.brechtmann@gmail.com>
+Date: Wed, 21 Feb 2018 23:57:11 +0100
+Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL
+ check
+
+---
+ openbsd-compat/crypt_checkpass.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c
+index dafd2dae..d10b3a57 100644
+--- a/openbsd-compat/crypt_checkpass.c
++++ b/openbsd-compat/crypt_checkpass.c
+@@ -1,5 +1,6 @@
+ /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */
+ 
++#include "includes.h"
+ #include <errno.h>
+ #ifdef HAVE_CRYPT_H
+ #include <crypt.h>
+@@ -10,6 +11,8 @@
+ int
+ crypt_checkpass(const char *pass, const char *goodhash)
+ {
++	char *c;
++
+ 	if (goodhash == NULL)
+ 		goto fail;
+ 
+@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash)
+ 	if (strlen(goodhash) == 0 && strlen(pass) == 0)
+ 		return 0;
+ 
+-	if (strcmp(crypt(pass, goodhash), goodhash) == 0)
++	c = crypt(pass, goodhash);
++	if (c == NULL)
++		goto fail;
++
++	if (strcmp(c, goodhash) == 0)
+ 		return 0;
+ 
+ fail:
+
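Review bot: `pass` is still used without a NULL check in `crypt_checkpass`: the context line calls `strlen(pass)` and the new code hands it to `crypt(pass, goodhash)`, while only `goodhash` is guarded on entry. Whether any caller can reach this with a missing password is not visible here, but in an authentication helper the cheap fix is to widen the existing guard to `if (goodhash == NULL || pass == NULL) goto fail;`. The body under the `fail:` label lies outside the hunk, so what it sets on failure cannot be confirmed from this patch.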
diff --git a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch
new file mode 100644
index 0000000000..2d54ed03b9
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch
@@ -0,0 +1,215 @@
+Fix CVE-2018-0495:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
+https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05
+
+From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 25 May 2018 12:10:13 +0100
+Subject: [PATCH] Add blinding to an ECDSA signature
+
+Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
+ECDSA signature operation. During signing the signer calculates:
+
+s:= k^-1 * (m + r * priv_key) mod order
+
+The addition operation above provides a sufficient signal for a
+flush+reload attack to derive the private key given sufficient signature
+operations.
+
+As a mitigation (based on a suggestion from Keegan) we add blinding to
+the operation so that:
+
+s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
+
+Since this attack is a localhost side channel only no CVE is assigned.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ CHANGES                  |  4 ++
+ crypto/ecdsa/ecdsatest.c |  9 ++++-
+ crypto/ecdsa/ecs_ossl.c  | 82 ++++++++++++++++++++++++++++++++--------
+ 3 files changed, 79 insertions(+), 16 deletions(-)
+
+diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c
+index 0f301f86d9..a130fc9117 100644
+--- a/crypto/ecdsa/ecdsatest.c
++++ b/crypto/ecdsa/ecdsatest.c
+@@ -137,7 +137,7 @@ int restore_rand(void)
+         return 1;
+ }
+ 
+-static int fbytes_counter = 0;
++static int fbytes_counter = 0, use_fake = 0;
+ static const char *numbers[8] = {
+     "651056770906015076056810763456358567190100156695615665659",
+     "6140507067065001063065065565667405560006161556565665656654",
+@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num)
+     int ret;
+     BIGNUM *tmp = NULL;
+ 
++    if (use_fake == 0)
++        return old_rand->bytes(buf, num);
++
++    use_fake = 0;
++
+     if (fbytes_counter >= 8)
+         return 0;
+     tmp = BN_new();
+@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
+     /* create the key */
+     if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
+         goto x962_int_err;
++    use_fake = 1;
+     if (!EC_KEY_generate_key(key))
+         goto x962_int_err;
+     BIO_printf(out, ".");
+     (void)BIO_flush(out);
+     /* create the signature */
++    use_fake = 1;
+     signature = ECDSA_do_sign(digest, 20, key);
+     if (signature == NULL)
+         goto x962_int_err;
+diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
+index 16d4f59b9b..1d37551803 100644
+--- a/crypto/ecdsa/ecs_ossl.c
++++ b/crypto/ecdsa/ecs_ossl.c
+@@ -252,6 +252,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
+ {
+     int ok = 0, i;
+     BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
++    BIGNUM *blind = NULL, *blindm = NULL;
+     const BIGNUM *ckinv;
+     BN_CTX *ctx = NULL;
+     const EC_GROUP *group;
+@@ -269,14 +270,25 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
+     }
+ 
+     ret = ECDSA_SIG_new();
+-    if (!ret) {
++    if (ret == NULL) {
+         ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+         return NULL;
+     }
+     s = ret->s;
+ 
+-    if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
+-        (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
++    ctx = BN_CTX_new();
++    if (ctx == NULL) {
++        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    BN_CTX_start(ctx);
++    order = BN_CTX_get(ctx);
++    tmp = BN_CTX_get(ctx);
++    m = BN_CTX_get(ctx);
++    blind = BN_CTX_get(ctx);
++    blindm = BN_CTX_get(ctx);
++    if (blindm == NULL) {
+         ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+         goto err;
+     }
+@@ -315,26 +327,70 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
+             }
+         }
+ 
+-        if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
++        /*
++         * The normal signature calculation is:
++         *
++         *   s := k^-1 * (m + r * priv_key) mod order
++         *
++         * We will blind this to protect against side channel attacks
++         *
++         *   s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
++         */
++
++        /* Generate a blinding value */
++        do {
++            if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0))
++                goto err;
++        } while (BN_is_zero(blind));
++        BN_set_flags(blind, BN_FLG_CONSTTIME);
++        BN_set_flags(blindm, BN_FLG_CONSTTIME);
++        BN_set_flags(tmp, BN_FLG_CONSTTIME);
++
++        /* tmp := blind * priv_key * r mod order */
++        if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
++            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++            goto err;
++        }
++        if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
++            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* blindm := blind * m mod order */
++        if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
++            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s : = (blind * priv_key * r) + (blind * m) mod order */
++        if (!BN_mod_add_quick(s, tmp, blindm, order)) {
++            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s:= s * blind^-1 mod order */
++        if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
+             ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+             goto err;
+         }
+-        if (!BN_mod_add_quick(s, tmp, m, order)) {
++        if (!BN_mod_mul(s, s, blind, order, ctx)) {
+             ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+             goto err;
+         }
++
++        /* s := s * k^-1 mod order */
+         if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+             ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+             goto err;
+         }
++
+         if (BN_is_zero(s)) {
+             /*
+              * if kinv and r have been supplied by the caller don't to
+              * generate new kinv and r values
+              */
+             if (in_kinv != NULL && in_r != NULL) {
+-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
+-                         ECDSA_R_NEED_NEW_SETUP_VALUES);
++                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
+                 goto err;
+             }
+         } else
+@@ -349,15 +405,11 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
+         ECDSA_SIG_free(ret);
+         ret = NULL;
+     }
+-    if (ctx)
++    if (ctx != NULL) {
++        BN_CTX_end(ctx);
+         BN_CTX_free(ctx);
+-    if (m)
+-        BN_clear_free(m);
+-    if (tmp)
+-        BN_clear_free(tmp);
+-    if (order)
+-        BN_free(order);
+-    if (kinv)
++    }
++    if (kinv != NULL)
+         BN_clear_free(kinv);
+     return ret;
+ }
+-- 
+2.17.1
+
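Review bot: The blinding loop added to `ecdsa_do_sign` leaves with a bare `goto err` when `BN_rand` fails, whereas every other failure path added in this hunk first records `ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB)`. A signing failure caused by the random source would then carry no ECDSA-level entry in the error queue (`BN_rand` may push its own, which the hunk does not show). Adding `ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);` before that `goto err` keeps the paths consistent. The 1.1.0 backport in `openssl-1.1.0-CVE-2018-0495.patch` has the same gap, where the matching call is `ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB)`. The packager's header says "Fix CVE-2018-0495" while the upstream message quoted below it says no CVE is assigned; a one-line remark in the header would reconcile the two.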
diff --git a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch
new file mode 100644
index 0000000000..50b95306a5
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch
@@ -0,0 +1,50 @@
+Fix CVE-2018-0732:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/3984ef0b72831da8b3ece4745cac4f8575b19098
+
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f146..f235e0d682 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+     int ok = 0;
+     int generate_new_key = 0;
+     unsigned l;
+-    BN_CTX *ctx;
++    BN_CTX *ctx = NULL;
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+-- 
+2.17.1
+
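Review bot: The new size guard at the top of `generate_key` carries no comment saying why it sits ahead of `BN_CTX_new()`, and it is the only exit in the visible code that returns directly instead of going through `err:`. I would add `/* Reject an oversized modulus before doing any work (CVE-2018-0732). */` above the `if`, so a later refactor does not move the check below the allocations. `BN_num_bits(dh->p)` also reads `dh->p` before anything in the hunk has checked it for NULL; whether callers guarantee that is not shown. The same applies to the identical guard in `openssl-1.1.0-CVE-2018-0732.patch`, and the function continues outside the hunk in both.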
diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
new file mode 100644
index 0000000000..15dedbcbd0
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
@@ -0,0 +1,152 @@
+Fix CVE-2018-0495:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
+https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a
+
+From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 25 May 2018 12:10:13 +0100
+Subject: [PATCH] Add blinding to an ECDSA signature
+
+Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
+ECDSA signature operation. During signing the signer calculates:
+
+s:= k^-1 * (m + r * priv_key) mod order
+
+The addition operation above provides a sufficient signal for a
+flush+reload attack to derive the private key given sufficient signature
+operations.
+
+As a mitigation (based on a suggestion from Keegan) we add blinding to
+the operation so that:
+
+s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
+
+Since this attack is a localhost side channel only no CVE is assigned.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ CHANGES                |  4 +++
+ crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 67 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
+index 72e2f0f28b..449be0e92a 100644
+--- a/crypto/ec/ecdsa_ossl.c
++++ b/crypto/ec/ecdsa_ossl.c
+@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+                                EC_KEY *eckey)
+ {
+     int ok = 0, i;
+-    BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;
++    BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL;
++    BIGNUM *blindm = NULL;
+     const BIGNUM *order, *ckinv;
+     BN_CTX *ctx = NULL;
+     const EC_GROUP *group;
+@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+     }
+     s = ret->s;
+ 
+-    if ((ctx = BN_CTX_new()) == NULL ||
+-        (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
++    ctx = BN_CTX_secure_new();
++    if (ctx == NULL) {
++        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    BN_CTX_start(ctx);
++    tmp = BN_CTX_get(ctx);
++    m = BN_CTX_get(ctx);
++    blind = BN_CTX_get(ctx);
++    blindm = BN_CTX_get(ctx);
++    if (blindm == NULL) {
+         ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+         goto err;
+     }
+@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+             }
+         }
+ 
+-        if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
++        /*
++         * The normal signature calculation is:
++         *
++         *   s := k^-1 * (m + r * priv_key) mod order
++         *
++         * We will blind this to protect against side channel attacks
++         *
++         *   s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
++         */
++
++        /* Generate a blinding value */
++        do {
++            if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
++                         BN_RAND_BOTTOM_ANY))
++                goto err;
++        } while (BN_is_zero(blind));
++        BN_set_flags(blind, BN_FLG_CONSTTIME);
++        BN_set_flags(blindm, BN_FLG_CONSTTIME);
++        BN_set_flags(tmp, BN_FLG_CONSTTIME);
++
++        /* tmp := blind * priv_key * r mod order */
++        if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
+             ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
+-        if (!BN_mod_add_quick(s, tmp, m, order)) {
++        if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
+             ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
++
++        /* blindm := blind * m mod order */
++        if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s : = (blind * priv_key * r) + (blind * m) mod order */
++        if (!BN_mod_add_quick(s, tmp, blindm, order)) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s:= s * blind^-1 mod order */
++        if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++        if (!BN_mod_mul(s, s, blind, order, ctx)) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s := s * k^-1 mod order */
+         if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+             ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
++
+         if (BN_is_zero(s)) {
+             /*
+              * if kinv and r have been supplied by the caller don't to
+@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+         ECDSA_SIG_free(ret);
+         ret = NULL;
+     }
++    BN_CTX_end(ctx);
+     BN_CTX_free(ctx);
+-    BN_clear_free(m);
+-    BN_clear_free(tmp);
+     BN_clear_free(kinv);
+     return ret;
+ }
+-- 
+2.17.1
+
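Review bot: The cleanup at the end of `ossl_ecdsa_sign_sig` now calls `BN_CTX_end(ctx)` unconditionally, yet the added `if (ctx == NULL) { ...; goto err; }` after `BN_CTX_secure_new()` reaches that cleanup with `ctx` still NULL. The 1.0.2 backport in this same commit wraps the call in `if (ctx != NULL) { ... }`. Unless `BN_CTX_end` in the 1.1.0 branch is known to accept NULL, an allocation failure here would become a NULL dereference on the signing path. Suggest `if (ctx != NULL) BN_CTX_end(ctx);` ahead of `BN_CTX_free(ctx);`. The function starts outside the hunk.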
diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch
new file mode 100644
index 0000000000..dfea6e7d06
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch
@@ -0,0 +1,50 @@
+Fix CVE-2018-0732:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4
+
+From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index fce9ff47f3..58003d7087 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
+     int ok = 0;
+     int generate_new_key = 0;
+     unsigned l;
+-    BN_CTX *ctx;
++    BN_CTX *ctx = NULL;
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+-- 
+2.17.1
+
diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch
deleted file mode 100644
index 75c6362021..0000000000
--- a/gnu/packages/patches/password-store-gnupg-compat.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Copied from upstream mailing list:
-https://lists.zx2c4.com/pipermail/password-store/2018-February/003216.html.
-
-From 9b0c86159d754cc88dd3642564eed527153dfb7f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org>
-Date: Sat, 24 Feb 2018 12:05:46 +0100
-Subject: [PATCH] tests: fix compatibility with GnuPG 2.2.5
-
----
- tests/t0300-reencryption.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh
-index 6d5811d..6d15364 100755
---- a/tests/t0300-reencryption.sh
-+++ b/tests/t0300-reencryption.sh
-@@ -10,7 +10,7 @@ canonicalize_gpg_keys() {
- 	$GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u
- }
- gpg_keys_from_encrypted_file() {
--	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
-+	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | grep "public key is" | cut -d ' ' -f 5 | LC_ALL=C sort -u
- }
- gpg_keys_from_group() {
- 	local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)"
--- 
-2.16.2
-
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 0000000000..6460cf5855
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
++    ### If a file system already contains a block device with the same name as
++    ### the being extracted regular file, we would write the file's content
++    ### to the block device. So remove the existing file (block device) now.
++    ### If an archive contains multiple same-named entries, the last one
++    ### should replace the previous ones. So remove the old file now.
++    ### If the old entry is a symlink to a file outside of the CWD, the new
++    ### entry would create a file there. This is CVE-2018-12015
++    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++    if (-l $full || -e _) {
++	if (!unlink $full) {
++	    $self->_error( qq[Could not remove old file '$full': $!] );
++	    return;
++	}
++    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( $full, '>' ) or (
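Review bot: The unlink added ahead of `$fh->open( $full, '>' )` in `_extract_file` leaves a check-then-use window, because `-l $full || -e _`, `unlink` and the open are separate steps and `'>'` follows whatever exists at `$full` when the open finally runs. Where the extraction directory is writable by another local user, the old link could be back in place by then. An exclusive create, for example `$fh->open( $full, O_WRONLY|O_CREAT|O_EXCL )` with the `O_*` constants from Fcntl, makes the open fail rather than follow a link. The test also covers only the final path component; the rest of `_extract_file` is outside this hunk, so whether parent directories are vetted elsewhere cannot be confirmed from here.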
diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
deleted file mode 100644
index e1e71a332a..0000000000
--- a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001
-From: jakirkham <jakirkham@gmail.com>
-Date: Fri, 7 Jul 2017 05:57:56 -0400
-Subject: [PATCH] Drop ordereddict requirement (#84)
-
-* Drop ordereddict requirement
-
-As Python 2.7 is the minimum Python supported, every version of Python
-should have `ordereddict` preincluded in the standard library one way or
-another. So we can drop this dependency and just handle the differences
-between Python 2 and Python 3.
----
- nosetimer/plugin.py | 5 +----
- setup.py            | 1 -
- 2 files changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py
-index ef28e11..d093a51 100644
---- a/nosetimer/plugin.py
-+++ b/nosetimer/plugin.py
-@@ -12,10 +12,7 @@
- except ImportError:
-     import queue as Queue
- 
--try:
--    from collections import OrderedDict
--except ImportError:
--    from ordereddict import OrderedDict
-+from collections import OrderedDict
- 
- 
- # define constants
-diff --git a/setup.py b/setup.py
-index 6a55b82..d249325 100755
---- a/setup.py
-+++ b/setup.py
-@@ -27,7 +27,6 @@
-     install_requires=[
-         'nose',
-         'termcolor',
--        'ordereddict',
-     ],
-     license='MIT',
-     entry_points={
diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch
new file mode 100644
index 0000000000..f021dfa747
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2018-11806.patch
@@ -0,0 +1,105 @@
+Fix CVE-2018-11806:
+
+https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
+
+From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 5 Jun 2018 23:38:35 +0530
+Subject: [PATCH] slirp: correct size computation while concatenating mbuf
+
+While reassembling incoming fragmented datagrams, 'm_cat' routine
+extends the 'mbuf' buffer, if it has insufficient room. It computes
+a wrong buffer size, which leads to overwriting adjacent heap buffer
+area. Correct this size computation in m_cat.
+
+Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+---
+ slirp/mbuf.c | 11 +++++------
+ slirp/mbuf.h |  8 +++-----
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 5ff24559fd..18cbf759a7 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ 	 * If there's no room, realloc
+ 	 */
+ 	if (M_FREEROOM(m) < n->m_len)
+-		m_inc(m,m->m_size+MINCSIZE);
++		m_inc(m, m->m_len + n->m_len);
+ 
+ 	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
+ 	m->m_len += n->m_len;
+@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ }
+ 
+ 
+-/* make m size bytes large */
++/* make m 'size' bytes large from m_data */
+ void
+ m_inc(struct mbuf *m, int size)
+ {
+@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
+ 
+         if (m->m_flags & M_EXT) {
+ 	  datasize = m->m_data - m->m_ext;
+-          m->m_ext = g_realloc(m->m_ext, size);
++	  m->m_ext = g_realloc(m->m_ext, size + datasize);
+ 	  m->m_data = m->m_ext + datasize;
+         } else {
+ 	  char *dat;
+ 	  datasize = m->m_data - m->m_dat;
+-          dat = g_malloc(size);
++	  dat = g_malloc(size + datasize);
+ 	  memcpy(dat, m->m_dat, m->m_size);
+ 
+ 	  m->m_ext = dat;
+@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
+ 	  m->m_flags |= M_EXT;
+         }
+ 
+-        m->m_size = size;
+-
++        m->m_size = size + datasize;
+ }
+ 
+ 
+diff --git a/slirp/mbuf.h b/slirp/mbuf.h
+index 893601ff9d..33b84485d6 100644
+--- a/slirp/mbuf.h
++++ b/slirp/mbuf.h
+@@ -33,8 +33,6 @@
+ #ifndef MBUF_H
+ #define MBUF_H
+ 
+-#define MINCSIZE 4096	/* Amount to increase mbuf if too small */
+-
+ /*
+  * Macros for type conversion
+  * mtod(m,t) -	convert mbuf pointer to data pointer of correct type
+@@ -72,11 +70,11 @@ struct mbuf {
+ 	struct	mbuf *m_prevpkt;	/* Flags aren't used in the output queue */
+ 	int	m_flags;		/* Misc flags */
+ 
+-	int	m_size;			/* Size of data */
++	int	m_size;			/* Size of mbuf, from m_dat or m_ext */
+ 	struct	socket *m_so;
+ 
+-	caddr_t	m_data;			/* Location of data */
+-	int	m_len;			/* Amount of data in this mbuf */
++	caddr_t	m_data;			/* Current location of data */
++	int	m_len;			/* Amount of data in this mbuf, from m_data */
+ 
+ 	Slirp *slirp;
+ 	bool	resolution_requested;
+-- 
+2.17.1
+
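Review bot: In the non-`M_EXT` branch of `m_inc` the buffer is now allocated as `size + datasize` bytes, but the following `memcpy(dat, m->m_dat, m->m_size)` still copies the old `m_size`, so it stays in bounds only while `size + datasize >= m->m_size`. The `M_FREEROOM(m) < n->m_len` test in `m_cat` appears to give that for this caller, but for any other caller it rests on the early-return check at the top of `m_inc`, which is outside this hunk and may still compare `size` under its old meaning. I would state the invariant at the point of use, e.g. `assert(size + datasize >= m->m_size);` just before the `memcpy`. The sums `m->m_len + n->m_len` and `size + datasize` are also plain `int` additions with no range check, which deserves a comment saying where the lengths are bounded.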
diff --git a/gnu/packages/patches/strace-kernel-4.16.patch b/gnu/packages/patches/strace-kernel-4.16.patch
deleted file mode 100644
index e86d3be439..0000000000
--- a/gnu/packages/patches/strace-kernel-4.16.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-Fix test failure when using Linux-Libre >= 4.16.
-
-Taken from upstream:
-https://github.com/strace/strace/commit/bcff87c31c0f27c678a43d6b7f67dab363a974fa
-
-From bcff87c31c0f27c678a43d6b7f67dab363a974fa Mon Sep 17 00:00:00 2001
-From: Masatake YAMATO <yamato@redhat.com>
-Date: Wed, 2 May 2018 17:11:07 +0900
-Subject: [PATCH] tests/ioctl_kvm_run.c: handle cpuid at the end of vcpu dentry
-
-Since Linux 4.16, kernel appends the cpuid as suffix to the entry
-for a kvm vcpu in /proc/$pid/fd like:
-
-    anon_inode:kvm-vcpu:0
-
-That was
-
-    anon_inode:kvm-vcpu
-
-This kernel change causes the test case failure on newer kernels.
-Update the test to deal with the new name as well as the old one.
-
-* tests/ioctl_kvm_run.c: Include unistd.h for using readlink(2).
-(vcpu_dev_should_have_cpuid): New function for detecting whether
-a proc entry for given fd has the cpuid suffix or not.
-(main): Trim vcpu_dev to remove the cpuid suffix if needed.
-(vcpu_dev): Remove const modifier.
----
- tests/ioctl_kvm_run.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/tests/ioctl_kvm_run.c b/tests/ioctl_kvm_run.c
-index 179461430..e1bef5796 100644
---- a/tests/ioctl_kvm_run.c
-+++ b/tests/ioctl_kvm_run.c
-@@ -40,6 +40,7 @@
- # include <string.h>
- # include <sys/ioctl.h>
- # include <sys/mman.h>
-+# include <unistd.h>
- # include <linux/kvm.h>
- 
- static int
-@@ -56,7 +57,7 @@ kvm_ioctl(int fd, unsigned long cmd, const char *cmd_str, void *arg)
- 
- static const char dev[] = "/dev/kvm";
- static const char vm_dev[] = "anon_inode:kvm-vm";
--static const char vcpu_dev[] = "anon_inode:kvm-vcpu";
-+static char vcpu_dev[] = "anon_inode:kvm-vcpu:0";
- static size_t page_size;
- 
- extern const char code[];
-@@ -165,6 +166,23 @@ run_kvm(const int vcpu_fd, struct kvm_run *const run, const size_t mmap_size,
- 	}
- }
- 
-+static int
-+vcpu_dev_should_have_cpuid(int fd)
-+{
-+	int r = 0;
-+	char *filename = NULL;
-+	char buf[sizeof(vcpu_dev)];
-+
-+	if (asprintf(&filename, "/proc/%d/fd/%d", getpid(), fd) < 0)
-+		error_msg_and_fail("asprintf");
-+
-+	if (readlink(filename, buf, sizeof(buf)) == sizeof(buf) - 1
-+	    && (memcmp(buf, vcpu_dev, sizeof(buf) - 1) == 0))
-+		r = 1;
-+	free(filename);
-+	return r;
-+}
-+
- int
- main(void)
- {
-@@ -208,6 +226,15 @@ main(void)
- 	       (unsigned long) page_size, (unsigned long) page_size, mem);
- 
- 	int vcpu_fd = KVM_IOCTL(vm_fd, KVM_CREATE_VCPU, NULL);
-+	if (!vcpu_dev_should_have_cpuid(vcpu_fd))
-+		/*
-+		 * This is an older kernel that doesn't place a cpuid
-+		 * at the end of the dentry associated with vcpu_fd.
-+		 * Trim the cpuid part of vcpu_dev like:
-+		 * "anon_inode:kvm-vcpu:0" -> "anon_inode:kvm-vcpu"
-+		 */
-+		vcpu_dev[strlen (vcpu_dev) - 2] = '\0';
-+
- 	printf("ioctl(%d<%s>, KVM_CREATE_VCPU, 0) = %d<%s>\n",
- 	       vm_fd, vm_dev, vcpu_fd, vcpu_dev);
- 
diff --git a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
new file mode 100644
index 0000000000..525980e73e
--- /dev/null
+++ b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
@@ -0,0 +1,96 @@
+From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001
+From: Pierre Neidhardt <ambrevar@gmail.com>
+Date: Sat, 16 Jun 2018 16:35:00 +0200
+Subject: [PATCH] Protect against bad crafted input
+
+Also check for wrap-around when checking oversize involving e_shoff and e_shnum.
+
+raised by https://github.com/upx/upx/pull/190
+	modified:   p_lx_elf.cpp
+---
+ src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 822a7652..41e805ee 100644
+--- a/src/p_lx_elf.cpp
++++ b/src/p_lx_elf.cpp
+@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f)
+         sz_phdrs = 0;
+         return;
+     }
++    if (0==e_phnum) throwCantUnpack("0==e_phnum");
+     e_phoff = get_te32(&ehdri.e_phoff);
++    unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr);
++    if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++        throwCantUnpack("bad e_phoff");
++    }
+     e_shoff = get_te32(&ehdri.e_shoff);
++    unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr);
++    if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++        throwCantUnpack("bad e_shoff");
++    }
+     sz_phdrs = e_phnum * e_phentsize;
+ 
+     if (f && Elf32_Ehdr::ET_DYN!=e_type) {
+@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f)
+         sz_phdrs = 0;
+         return;
+     }
++    if (0==e_phnum) throwCantUnpack("0==e_phnum");
+     e_phoff = get_te64(&ehdri.e_phoff);
++    upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr);
++    if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++        throwCantUnpack("bad e_phoff");
++    }
+     e_shoff = get_te64(&ehdri.e_shoff);
++    upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr);
++    if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++        throwCantUnpack("bad e_shoff");
++    }
+     sz_phdrs = e_phnum * e_phentsize;
+ 
+     if (f && Elf64_Ehdr::ET_DYN!=e_type) {
+@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft)
+ 
+ void PackLinuxElf64::unpack(OutputFile *fo)
+ {
++    if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr
++        throwCantUnpack("bad e_phoff");
++    }
+     unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+     upx_uint64_t old_data_off = 0;
+     upx_uint64_t old_data_len = 0;
+@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo)
+     unsigned total_out = 0;
+     unsigned c_adler = upx_adler32(NULL, 0);
+     unsigned u_adler = upx_adler32(NULL, 0);
++    if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) {
++        throwCantUnpack("bad compressed e_phnum");
++    }
+ 
+     // Packed ET_EXE has no PT_DYNAMIC.
+     // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
+ 
+ void PackLinuxElf32::unpack(OutputFile *fo)
+ {
++    if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr
++        throwCantUnpack("bad e_phoff");
++    }
+     unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+     unsigned old_data_off = 0;
+     unsigned old_data_len = 0;
+@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo)
+     unsigned total_out = 0;
+     unsigned c_adler = upx_adler32(NULL, 0);
+     unsigned u_adler = upx_adler32(NULL, 0);
++    if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) {
++        throwCantUnpack("bad compressed e_phnum");
++    }
+ 
+     // Packed ET_EXE has no PT_DYNAMIC.
+     // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+-- 
+2.17.0
+
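Review bot: This patch file carries no provenance header, unlike the openssl, perl-archive-tar and qemu patches added in the same commit, which open with a `Fix CVE-…:` line, advisory links and the upstream commit URL. Its only reference is `raised by https://github.com/upx/upx/pull/190` inside the commit message, so a reader cannot tell whether the six hunks in `src/p_lx_elf.cpp` are a verbatim upstream commit or an adaptation made for this package. For a security fix applied at build time that origin should be checkable. I would add, above the `From 3e0c2966…` line, `Fix CVE-2017-15056:` followed by the advisory URL and `Patch copied from upstream source repository: <UPSTREAM-COMMIT-URL>`, or a sentence saying what was adapted if it is not a straight copy.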
diff --git a/gnu/packages/patches/x265-fix-ppc64le-build.patch b/gnu/packages/patches/x265-fix-ppc64le-build.patch
new file mode 100644
index 0000000000..f71d2436ab
--- /dev/null
+++ b/gnu/packages/patches/x265-fix-ppc64le-build.patch
@@ -0,0 +1,25 @@
+https://sources.debian.org/data/main/x/x265/2.8-3/debian/patches/0003-Fix-build-error-on-on-ppc64le.patch
+
+This patch also fixes building on armhf-linux and aarch64-linux
+
+From: Jayashree <jayashree.c@multicorewareinc.com>
+Date: Fri, 25 May 2018 10:26:05 +0530
+Subject: Fix build error on on ppc64le
+
+---
+ source/common/param.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/common/param.cpp b/source/common/param.cpp
+index 31bcbc7..4a6d0c8 100644
+--- a/source/common/param.cpp
++++ b/source/common/param.cpp
+@@ -633,7 +633,7 @@ int x265_param_parse(x265_param* p, const char* name, const char* value)
+         if (bValueWasNull)
+             p->cpuid = atobool(value);
+         else
+-            p->cpuid = parseCpuName(value, bError);
++            p->cpuid = parseCpuName(value, bError, false);
+ #endif
+     }
+     OPT("fps")