summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2017-10-10 22:33:28 +0200
committerMarius Bakke <mbakke@fastmail.com>2017-10-10 22:33:28 +0200
commitc01ef97594a8b06e884906a5efbdfacf8ba33dc3 (patch)
tree828b4711c6ad71ab8fc9b6fc8f23f80979c5fe9b /gnu/packages/patches
parent86d02fa8010c053ba980e4c39373b9bf8af0561d (diff)
parent4b8b4418e609b5e0bfb6efbc11ac28deaa437e80 (diff)
downloadguix-c01ef97594a8b06e884906a5efbdfacf8ba33dc3.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/bluez-CVE-2017-1000250.patch42
-rw-r--r--gnu/packages/patches/clisp-remove-failing-test.patch43
-rw-r--r--gnu/packages/patches/cube-nocheck.patch16
-rw-r--r--gnu/packages/patches/curl-bounds-check.patch19
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch210
-rw-r--r--gnu/packages/patches/libmwaw-CVE-2017-9433.patch33
-rw-r--r--gnu/packages/patches/libvisio-fix-tests.patch35
-rw-r--r--gnu/packages/patches/libxfont-CVE-2017-13720.patch36
-rw-r--r--gnu/packages/patches/libxfont-CVE-2017-13722.patch53
-rw-r--r--gnu/packages/patches/mesa-skip-disk-cache-test.patch6
-rw-r--r--gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch55
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-12982.patch28
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14040.patch83
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14041.patch25
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14151.patch46
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14152.patch38
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14164.patch89
-rw-r--r--gnu/packages/patches/python-nose-timer-drop-ordereddict.patch44
-rw-r--r--gnu/packages/patches/python2-unittest2-remove-argparse.patch11
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-13711.patch89
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-14167.patch69
-rw-r--r--gnu/packages/patches/xorg-server-CVE-2017-10971.patch153
-rw-r--r--gnu/packages/patches/xorg-server-CVE-2017-10972.patch35
23 files changed, 506 insertions, 752 deletions
diff --git a/gnu/packages/patches/bluez-CVE-2017-1000250.patch b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
deleted file mode 100644
index 81f209d7b2..0000000000
--- a/gnu/packages/patches/bluez-CVE-2017-1000250.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
-Origin: vendor
-Bug-Debian: https://bugs.debian.org/875633
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
-Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
-Forwarded: no
-Author: Armis Security <security@armis.com>
-Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
-Last-Update: 2017-09-13
-
---- a/src/sdpd-request.c
-+++ b/src/sdpd-request.c
-@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
- 		/* continuation State exists -> get from cache */
- 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
- 		if (pCache) {
--			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
--			pResponse = pCache->data;
--			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
--			buf->data_size += sent;
--			cstate->cStateValue.maxBytesSent += sent;
--			if (cstate->cStateValue.maxBytesSent == pCache->data_size)
--				cstate_size = sdp_set_cstate_pdu(buf, NULL);
--			else
--				cstate_size = sdp_set_cstate_pdu(buf, cstate);
-+			if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
-+				status = SDP_INVALID_CSTATE;
-+				SDPDBG("Got bad cstate with invalid size");
-+			} else {
-+				uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
-+				pResponse = pCache->data;
-+				memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
-+				buf->data_size += sent;
-+				cstate->cStateValue.maxBytesSent += sent;
-+				if (cstate->cStateValue.maxBytesSent == pCache->data_size)
-+					cstate_size = sdp_set_cstate_pdu(buf, NULL);
-+				else
-+					cstate_size = sdp_set_cstate_pdu(buf, cstate);
-+			}
- 		} else {
- 			status = SDP_INVALID_CSTATE;
- 			SDPDBG("Non-null continuation state, but null cache buffer");
diff --git a/gnu/packages/patches/clisp-remove-failing-test.patch b/gnu/packages/patches/clisp-remove-failing-test.patch
new file mode 100644
index 0000000000..e44ce80f74
--- /dev/null
+++ b/gnu/packages/patches/clisp-remove-failing-test.patch
@@ -0,0 +1,43 @@
+This test doesn't ever complete or timeout
+
+---
+ tests/socket.tst | 24 ------------------------
+ 1 file changed, 24 deletions(-)
+
+diff --git a/tests/socket.tst b/tests/socket.tst
+index 93c6310..1d976ff 100644
+--- a/tests/socket.tst
++++ b/tests/socket.tst
+@@ -551,30 +551,6 @@ T
+           interfaces))
+ ("0.0.0.0" "127.0.0.1" "0.0.0.0" "127.0.0.1")
+ 
+-(multiple-value-bind (run args) (cmd-args)
+-  (let ((se (socket:socket-server)))
+-    (ext:run-program run :arguments (append args (list "-q" "-q" "-x" (format nil "(close (socket:socket-connect ~D))" (socket:socket-server-port se))))
+-                     :wait nil :input nil :output nil)
+-    (unwind-protect
+-         (with-open-stream (so (socket:socket-accept se))
+-           (list
+-            (socket:socket-status so)
+-            (write-line "foo" so)
+-            (socket:socket-status so)
+-            #+macos (handler-case (read-char so)
+-                      (end-of-file (c)
+-                        (princ 'read-char) (princ-error c) t))
+-            #-macos (check-os-error (read-char so) (:ECONNRESET 104))
+-            (null (member (socket:socket-status so) '(:EOF :APPEND)))
+-            #+macos (string= (write-line "bar" so) "bar")
+-            #-macos (check-os-error (write-line "bar" so) (:EPIPE 32))
+-            (null (member (socket:socket-status so) '(:EOF :APPEND)))
+-            (handler-case (read-char so)
+-              (end-of-file (c)
+-                (princ 'read-char) (princ-error c) 'end-of-file))))
+-      (socket:socket-server-close se))))
+-(:OUTPUT "foo" :OUTPUT T NIL T NIL END-OF-FILE)
+-
+ ;; https://sourceforge.net/p/clisp/feature-requests/46/
+ (check-os-error (socket:socket-connect 0)
+   #-(or win32 macos) (:ECONNREFUSED 111)
+-- 
+
diff --git a/gnu/packages/patches/cube-nocheck.patch b/gnu/packages/patches/cube-nocheck.patch
new file mode 100644
index 0000000000..576044e622
--- /dev/null
+++ b/gnu/packages/patches/cube-nocheck.patch
@@ -0,0 +1,16 @@
+Unconditionally disable network check for new versions (from Fedora).
+
+diff -u /home/dlove/rpmbuild/BUILD/cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp\~ /home/dlove/rpmbuild/BUILD/cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp
+--- cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp~	2016-04-03 00:05:37.942066948 +0100
++++ cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp	2016-05-06 17:16:31.648143908 +0100
+@@ -52,7 +52,8 @@
+     url              = QUrl( UPDATE_CHECK_URL );
+     download         = NULL;
+     update_Available = false;
+-    bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) );
++    // bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) );
++    bool no_http = true;
+     if ( !no_http )
+     {
+         updateDescription =   tr( "Check for update is not performed yet." );
+
diff --git a/gnu/packages/patches/curl-bounds-check.patch b/gnu/packages/patches/curl-bounds-check.patch
deleted file mode 100644
index 4b8ff65304..0000000000
--- a/gnu/packages/patches/curl-bounds-check.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix test failure on some 32-bit platforms.
-
-Patch copied from upstream source repository:
-
-https://github.com/curl/curl/commit/45a560390c4356bcb81d933bbbb229c8ea2acb63
-
-diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
-index b9dedc989e..85c5e79a7e 100644
---- a/src/tool_paramhlp.c
-+++ b/src/tool_paramhlp.c
-@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
-     num = strtod(str, &endptr);
-     if(errno == ERANGE)
-       return PARAM_NUMBER_TOO_LARGE;
--    if((long)num > max) {
-+    if(num > max) {
-       /* too large */
-       return PARAM_NUMBER_TOO_LARGE;
-     }
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
new file mode 100644
index 0000000000..8e1166ba7a
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
@@ -0,0 +1,210 @@
+http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
+http://www.openwall.com/lists/oss-security/2017/09/22/2
+
+Some changes were made to make the patch apply.
+
+Notably, the DestroyJNG() function in the upstream diff has been replaced by
+its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
+and DestroyImage(). See
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1504014487 14400
+# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
+# Parent  38c362f0ae5e7a914c3fe822284c6953f8e6eee2
+Fix Issue 439
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c	1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c	2017-09-30 08:20:16.218944991 -0400
+@@ -1176,15 +1176,15 @@
+   /* allocate space */
+   if (length == 0)
+     {
+-      (void) ThrowException2(&image->exception,CoderWarning,
+-                             "invalid profile length",(char *) NULL);
++      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++          "invalid profile length");
+       return (MagickFail);
+     }
+   info=MagickAllocateMemory(unsigned char *,length);
+   if (info == (unsigned char *) NULL)
+     {
+-      (void) ThrowException2(&image->exception,CoderWarning,
+-                             "unable to copy profile",(char *) NULL);
++      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++          "Unable to copy profile");
+       return (MagickFail);
+     }
+   /* copy profile, skipping white space and column 1 "=" signs */
+@@ -1197,8 +1197,8 @@
+           if (*sp == '\0')
+             {
+               MagickFreeMemory(info);
+-              (void) ThrowException2(&image->exception,CoderWarning,
+-                                     "ran out of profile data",(char *) NULL);
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                  "ran out of profile data");
+               return (MagickFail);
+             }
+           sp++;
+@@ -1234,8 +1234,9 @@
+   if(SetImageProfile(image,profile_name,info,length) == MagickFail)
+     {
+       MagickFreeMemory(info);
+-      (void) ThrowException(&image->exception,ResourceLimitError,
+-                            MemoryAllocationFailed,"unable to copy profile");
++      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++           "unable to copy profile");
++      return MagickFail;
+     }
+   MagickFreeMemory(info);
+   return MagickTrue;
+@@ -3285,7 +3286,6 @@
+               if (status == MagickFalse)
+                 {
+                   DestroyJNGInfo(color_image_info,alpha_image_info);
+-                  DestroyImage(alpha_image);
+                   (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                       "    could not allocate alpha_image blob");
+                   return ((Image *)NULL);
+@@ -3534,7 +3534,7 @@
+       CloseBlob(color_image);
+       if (logging)
+         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                              "    Reading jng_image from color_blob.");
++            "    Reading jng_image from color_blob.");
+
+       FormatString(color_image_info->filename,"%.1024s",color_image->filename);
+
+@@ -3558,13 +3558,18 @@
+
+       if (logging)
+         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                              "    Copying jng_image pixels to main image.");
++            "    Copying jng_image pixels to main image.");
+       image->rows=jng_height;
+       image->columns=jng_width;
+       length=image->columns*sizeof(PixelPacket);
++      if ((jng_height == 0 || jng_width == 0) && logging)
++        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++            "    jng_width=%lu jng_height=%lu",
++            (unsigned long)jng_width,(unsigned long)jng_height);
+       for (y=0; y < (long) image->rows; y++)
+         {
+-          s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
++          s=AcquireImagePixels(jng_image,0,y,image->columns,1,
++             &image->exception);
+           q=SetImagePixels(image,0,y,image->columns,1);
+           (void) memcpy(q,s,length);
+           if (!SyncImagePixels(image))
+@@ -3589,45 +3594,79 @@
+               CloseBlob(alpha_image);
+               if (logging)
+                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                                      "    Reading opacity from alpha_blob.");
++                     "    Reading opacity from alpha_blob.");
+
+               FormatString(alpha_image_info->filename,"%.1024s",
+                            alpha_image->filename);
+
+               jng_image=ReadImage(alpha_image_info,exception);
+
+-              for (y=0; y < (long) image->rows; y++)
++              if (jng_image == (Image *)NULL)
+                 {
+-                  s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+-                                       &image->exception);
+-                  if (image->matte)
+-                    {
+-                      q=SetImagePixels(image,0,y,image->columns,1);
+-                      for (x=(long) image->columns; x > 0; x--,q++,s++)
+-                        q->opacity=(Quantum) MaxRGB-s->red;
+-                    }
+-                  else
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                       "    jng_image is NULL.");
++                  if (color_image_info)
++                    DestroyImageInfo(color_image_info);
++                  if (alpha_image_info)
++                    DestroyImageInfo(alpha_image_info);
++                  if (color_image)
++                    DestroyImage(color_image);
++                  if (alpha_image)
++                    DestroyImage(alpha_image);
++                }
++              else
++                {
++
++                  if (logging)
+                     {
+-                      q=SetImagePixels(image,0,y,image->columns,1);
+-                      for (x=(long) image->columns; x > 0; x--,q++,s++)
+-                        {
+-                          q->opacity=(Quantum) MaxRGB-s->red;
+-                          if (q->opacity != OpaqueOpacity)
+-                            image->matte=MagickTrue;
+-                        }
++                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                          "    Read jng_image.");
++                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                          "      jng_image->width=%lu, jng_image->height=%lu",
++                          (unsigned long)jng_width,(unsigned long)jng_height);
++                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                          "      image->rows=%lu, image->columns=%lu",
++                         (unsigned long)image->rows,
++                         (unsigned long)image->columns);
+                     }
+-                  if (!SyncImagePixels(image))
+-                    break;
+-                }
+-              (void) LiberateUniqueFileResource(alpha_image->filename);
+-              DestroyImage(alpha_image);
+-              alpha_image = (Image *)NULL;
+-              DestroyImageInfo(alpha_image_info);
+-              alpha_image_info = (ImageInfo *)NULL;
+-              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+-                  " Destroy the JNG image");
+-              DestroyImage(jng_image);
+-              jng_image = (Image *)NULL;
++
++                  for (y=0; y < (long) image->rows; y++)
++                   {
++                     s=AcquireImagePixels(jng_image,0,y,image->columns,1,
++                                          &image->exception);
++                     if (image->matte)
++                       {
++                         q=SetImagePixels(image,0,y,image->columns,1);
++                         for (x=(long) image->columns; x > 0; x--,q++,s++)
++                           q->opacity=(Quantum) MaxRGB-s->red;
++                       }
++                     else
++                       {
++                         q=SetImagePixels(image,0,y,image->columns,1);
++                         for (x=(long) image->columns; x > 0; x--,q++,s++)
++                           {
++                             q->opacity=(Quantum) MaxRGB-s->red;
++                             if (q->opacity != OpaqueOpacity)
++                               image->matte=MagickTrue;
++                           }
++                       }
++                     if (!SyncImagePixels(image))
++                       break;
++                   }
++                 (void) LiberateUniqueFileResource(alpha_image->filename);
++                 if (color_image_info)
++                   DestroyImageInfo(color_image_info);
++                 if (alpha_image_info)
++                   DestroyImageInfo(alpha_image_info);
++                 if (color_image)
++                   DestroyImage(color_image);
++                 if (alpha_image)
++                   DestroyImage(alpha_image);
++                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                     " Destroy the JNG image");
++                 DestroyImage(jng_image);
++                 jng_image = (Image *)NULL;
++               }
+             }
+         }
diff --git a/gnu/packages/patches/libmwaw-CVE-2017-9433.patch b/gnu/packages/patches/libmwaw-CVE-2017-9433.patch
deleted file mode 100644
index 502a11d2a8..0000000000
--- a/gnu/packages/patches/libmwaw-CVE-2017-9433.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Fix CVE-2017-9433:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9433
-
-Patch copied from upstream source repository:
-
-https://sourceforge.net/p/libmwaw/libmwaw/ci/68b3b74569881248bfb6cbb4266177cc253b292f
-
-From 68b3b74569881248bfb6cbb4266177cc253b292f Mon Sep 17 00:00:00 2001
-From: David Tardon <dtardon@redhat.com>
-Date: Sat, 8 Apr 2017 14:03:29 +0200
-Subject: [PATCH] ofz#1037 resize vector correctly
-
----
- src/lib/MsWrd1Parser.cxx | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/MsWrd1Parser.cxx b/src/lib/MsWrd1Parser.cxx
-index 63547e6..3626064 100644
---- a/src/lib/MsWrd1Parser.cxx
-+++ b/src/lib/MsWrd1Parser.cxx
-@@ -902,7 +902,7 @@ bool MsWrd1Parser::readFootnoteCorrespondance(MWAWVec2i limits)
-     int id = fIt++->second;
-     fPos[1] = fIt==footnoteMap.end() ? m_state->m_eot : fIt->first;
-     if (id >= int(m_state->m_footnotesList.size()))
--      m_state->m_footnotesList.resize(size_t(id),MWAWVec2l(0,0));
-+      m_state->m_footnotesList.resize(size_t(id)+1,MWAWVec2l(0,0));
-     m_state->m_footnotesList[size_t(id)]=fPos;
-   }
-   ascii().addDelimiter(input->tell(),'|');
--- 
-2.13.1
-
diff --git a/gnu/packages/patches/libvisio-fix-tests.patch b/gnu/packages/patches/libvisio-fix-tests.patch
new file mode 100644
index 0000000000..335f7c11a8
--- /dev/null
+++ b/gnu/packages/patches/libvisio-fix-tests.patch
@@ -0,0 +1,35 @@
+Tests assume a CET timezone, but do not respect the "TZ" variable.
+
+This patch is a "squashed" version of these upstream commits:
+<https://cgit.freedesktop.org/libreoffice/libvisio/commit/?id=a97d30ad693374deab404ec31fe00665882cc949>
+<https://cgit.freedesktop.org/libreoffice/libvisio/commit/?id=c933df45a873e566c6ce4e5de5f829e64eb892f5>
+
+diff --git a/src/test/Makefile.am b/src/test/Makefile.am
+index 59d3419..23049b5 100644
+--- a/src/test/Makefile.am
++++ b/src/test/Makefile.am
+@@ -29,4 +29,7 @@ EXTRA_DIST = \
+ 	     data/dwg.vsdx \
+ 	     $(test_SOURCES)
+ 
++# ImportTest::testVsdMetadataTitleUtf8 checks formatted date string
++AM_TESTS_ENVIRONMENT = TZ=UTC; export TZ;
++
+ TESTS = test
+diff --git a/src/test/importtest.cpp b/src/test/importtest.cpp
+index e05b3c1..32fb185 100644
+--- a/src/test/importtest.cpp
++++ b/src/test/importtest.cpp
+@@ -242,8 +242,8 @@ void ImportTest::testVsdMetadataTitleUtf8()
+   // Test the case when the string is UTF-8 encoded already in the file.
+   assertXPath(m_doc, "/document/setDocumentMetaData", "title", "mytitle\xC3\xA9\xC3\xA1\xC5\x91\xC5\xB1");
+   // Test <dcterms:created> and <dcterms:modified>.
+-  assertXPath(m_doc, "/document/setDocumentMetaData", "creation-date", "2014-11-26T09:24:56Z");
+-  assertXPath(m_doc, "/document/setDocumentMetaData", "date", "2014-11-26T09:24:56Z");
++  assertXPath(m_doc, "/document/setDocumentMetaData", "creation-date", "2014-11-26T08:24:56Z");
++  assertXPath(m_doc, "/document/setDocumentMetaData", "date", "2014-11-26T08:24:56Z");
+ }
+ 
+ void ImportTest::testVsdUserDefinedMetadata()
+-- 
+2.1.4
diff --git a/gnu/packages/patches/libxfont-CVE-2017-13720.patch b/gnu/packages/patches/libxfont-CVE-2017-13720.patch
new file mode 100644
index 0000000000..0936171060
--- /dev/null
+++ b/gnu/packages/patches/libxfont-CVE-2017-13720.patch
@@ -0,0 +1,36 @@
+Fix CVE-2017-13720.
+
+Copied from upstream source repository:
+<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>
+
+
+From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Thu, 20 Jul 2017 13:38:53 +0200
+Subject: Check for end of string in PatternMatch (CVE-2017-13720)
+
+If a pattern contains '?' character, any character in the string is skipped,
+even if it is '\0'. The rest of the matching then reads invalid memory.
+
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
+index 4ce2473..996b7d1 100644
+--- a/src/fontfile/fontdir.c
++++ b/src/fontfile/fontdir.c
+@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
+ 		}
+ 	    }
+ 	case '?':
+-	    if (*string++ == XK_minus)
++	    if ((t = *string++) == XK_minus)
+ 		stringdashes--;
++	    if (!t)
++		return 0;
+ 	    break;
+ 	case '\0':
+ 	    return (*string == '\0');
+-- 
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/libxfont-CVE-2017-13722.patch b/gnu/packages/patches/libxfont-CVE-2017-13722.patch
new file mode 100644
index 0000000000..458fdfd1a7
--- /dev/null
+++ b/gnu/packages/patches/libxfont-CVE-2017-13722.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-13722.
+
+Copied from upstream source repository:
+<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd>
+
+From 672bb944311392e2415b39c0d63b1e1902905bcd Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Thu, 20 Jul 2017 17:05:23 +0200
+Subject: pcfGetProperties: Check string boundaries (CVE-2017-13722)
+
+Without the checks a malformed PCF file can cause the library to make
+atom from random heap memory that was behind the `strings` buffer.
+This may crash the process or leak information.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
+index dab1c44..ae34c28 100644
+--- a/src/bitmap/pcfread.c
++++ b/src/bitmap/pcfread.c
+@@ -45,6 +45,7 @@ from The Open Group.
+ 
+ #include <stdarg.h>
+ #include <stdint.h>
++#include <string.h>
+ 
+ void
+ pcfError(const char* message, ...)
+@@ -311,11 +312,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
+     if (IS_EOF(file)) goto Bail;
+     position += string_size;
+     for (i = 0; i < nprops; i++) {
++	if (props[i].name >= string_size) {
++	    pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
++	    goto Bail;
++	}
+ 	props[i].name = MakeAtom(strings + props[i].name,
+-				 strlen(strings + props[i].name), TRUE);
++				 strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
+ 	if (isStringProp[i]) {
++	    if (props[i].value >= string_size) {
++		pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
++		goto Bail;
++	    }
+ 	    props[i].value = MakeAtom(strings + props[i].value,
+-				      strlen(strings + props[i].value), TRUE);
++				      strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
+ 	}
+     }
+     free(strings);
+-- 
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/mesa-skip-disk-cache-test.patch b/gnu/packages/patches/mesa-skip-disk-cache-test.patch
index b3f9367fd5..190f6b6ee1 100644
--- a/gnu/packages/patches/mesa-skip-disk-cache-test.patch
+++ b/gnu/packages/patches/mesa-skip-disk-cache-test.patch
@@ -8,12 +8,12 @@ for now.
 @@ -170,11 +170,6 @@
     unsetenv("MESA_GLSL_CACHE_DIR");
     unsetenv("XDG_CACHE_HOME");
-
--   cache = disk_cache_create("test", "make_check");
+ 
+-   cache = disk_cache_create("test", "make_check", 0);
 -   expect_non_null(cache, "disk_cache_create with no environment variables");
 -
 -   disk_cache_destroy(cache);
 -
     /* Test with XDG_CACHE_HOME set */
     setenv("XDG_CACHE_HOME", CACHE_TEST_TMP "/xdg-cache-home", 1);
-    cache = disk_cache_create("test", "make_check");
+    cache = disk_cache_create("test", "make_check", 0);
diff --git a/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch b/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch
new file mode 100644
index 0000000000..6057ebeb08
--- /dev/null
+++ b/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch
@@ -0,0 +1,55 @@
+From e724bb7018a482640c4f194f88b554af2c59d76e Mon Sep 17 00:00:00 2001
+From: Mark Benvenuto <mark.benvenuto@mongodb.com>
+Date: Wed, 20 Sep 2017 11:50:02 -0400
+Subject: [PATCH] SERVER-30857 Support unknown Linux distributions
+
+---
+ src/mongo/rpc/metadata/client_metadata.cpp | 6 ------
+ src/mongo/util/processinfo_linux.cpp       | 9 ++++++---
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/mongo/rpc/metadata/client_metadata.cpp b/src/mongo/rpc/metadata/client_metadata.cpp
+index 845a315dd74..a959a4e31e9 100644
+--- a/src/mongo/rpc/metadata/client_metadata.cpp
++++ b/src/mongo/rpc/metadata/client_metadata.cpp
+@@ -302,9 +302,6 @@ void ClientMetadata::serializePrivate(StringData driverName,
+                                       StringData osArchitecture,
+                                       StringData osVersion,
+                                       BSONObjBuilder* builder) {
+-    invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() &&
+-              !osArchitecture.empty() && !osVersion.empty());
+-
+     BSONObjBuilder metaObjBuilder(builder->subobjStart(kMetadataDocumentName));
+ 
+     {
+@@ -347,9 +344,6 @@ Status ClientMetadata::serializePrivate(StringData driverName,
+                                         StringData osVersion,
+                                         StringData appName,
+                                         BSONObjBuilder* builder) {
+-    invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() &&
+-              !osArchitecture.empty() && !osVersion.empty());
+-
+     if (appName.size() > kMaxApplicationNameByteLength) {
+         return Status(ErrorCodes::ClientMetadataAppNameTooLarge,
+                       str::stream() << "The '" << kApplication << "." << kName
+diff --git a/src/mongo/util/processinfo_linux.cpp b/src/mongo/util/processinfo_linux.cpp
+index c3debf377bd..c2813b026b0 100644
+--- a/src/mongo/util/processinfo_linux.cpp
++++ b/src/mongo/util/processinfo_linux.cpp
+@@ -376,10 +376,13 @@ class LinuxSysHelper {
+             if ((nl = name.find('\n', nl)) != string::npos)
+                 // stop at first newline
+                 name.erase(nl);
+-            // no standard format for name and version.  use kernel version
+-            version = "Kernel ";
+-            version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease");
++        } else {
++            name = "unknown";
+         }
++
++        // There is no standard format for name and version so use the kernel version.
++        version = "Kernel ";
++        version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease");
+     }
+ 
+     /**
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch b/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
deleted file mode 100644
index 3929a73570..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/21/1
-https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch
-
-From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:26:58 +0200
-Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0
- (#983)
-
----
- src/bin/jp2/convertbmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index b49e7a080..2715fdf24 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
- 
-     header->biBitCount  = (OPJ_UINT16)getc(IN);
-     header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
-+    if (header->biBitCount == 0) {
-+        fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
-+        return OPJ_FALSE;
-+    }
- 
-     if (header->biSize >= 40U) {
-         header->biCompression  = (OPJ_UINT32)getc(IN);
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
deleted file mode 100644
index bd7473ba0d..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/3
-https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch
-
-From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Aug 2017 11:47:40 +0200
-Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
- fixes unaligned load (#995)
-
----
- src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
- 1 file changed, 27 insertions(+), 12 deletions(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index a4eb81f6a..73dfc8d5f 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -580,13 +580,10 @@ struct tga_header {
- };
- #endif /* INFORMATION_ONLY */
- 
--static unsigned short get_ushort(const unsigned char *data)
-+/* Returns a ushort from a little-endian serialized value */
-+static unsigned short get_tga_ushort(const unsigned char *data)
- {
--    unsigned short val = *(const unsigned short *)data;
--#ifdef OPJ_BIG_ENDIAN
--    val = ((val & 0xffU) << 8) | (val >> 8);
--#endif
--    return val;
-+    return data[0] | (data[1] << 8);
- }
- 
- #define TGA_HEADER_SIZE 18
-@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
-     id_len = tga[0];
-     /*cmap_type = tga[1];*/
-     image_type = tga[2];
--    /*cmap_index = get_ushort(&tga[3]);*/
--    cmap_len = get_ushort(&tga[5]);
-+    /*cmap_index = get_tga_ushort(&tga[3]);*/
-+    cmap_len = get_tga_ushort(&tga[5]);
-     cmap_entry_size = tga[7];
- 
- 
- #if 0
--    x_origin = get_ushort(&tga[8]);
--    y_origin = get_ushort(&tga[10]);
-+    x_origin = get_tga_ushort(&tga[8]);
-+    y_origin = get_tga_ushort(&tga[10]);
- #endif
--    image_w = get_ushort(&tga[12]);
--    image_h = get_ushort(&tga[14]);
-+    image_w = get_tga_ushort(&tga[12]);
-+    image_h = get_tga_ushort(&tga[14]);
-     pixel_depth = tga[16];
-     image_desc  = tga[17];
- 
-@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
-         color_space = OPJ_CLRSPC_SRGB;
-     }
- 
-+    /* If the declared file size is > 10 MB, check that the file is big */
-+    /* enough to avoid excessive memory allocations */
-+    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
-+        char ch;
-+        OPJ_UINT64 expected_file_size =
-+            (OPJ_UINT64)image_width * image_height * numcomps;
-+        long curpos = ftell(f);
-+        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
-+            expected_file_size = (OPJ_UINT64)INT_MAX;
-+        }
-+        fseek(f, (long)expected_file_size - 1, SEEK_SET);
-+        if (fread(&ch, 1, 1, f) != 1) {
-+            fclose(f);
-+            return NULL;
-+        }
-+        fseek(f, curpos, SEEK_SET);
-+    }
-+
-     subsampling_dx = parameters->subsampling_dx;
-     subsampling_dy = parameters->subsampling_dy;
- 
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
deleted file mode 100644
index 6e3fccf3c0..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/4
-https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
-
-From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Fri, 18 Aug 2017 13:39:20 +0200
-Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
-
----
- src/bin/jp2/convert.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index 5459f7d44..e606c9be7 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
-     }
- 
-     fseek(f, 0, SEEK_SET);
--    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
-                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
-         fclose(f);
-         fprintf(stderr,
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
deleted file mode 100644
index 4fcf6af6db..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
-http://openwall.com/lists/oss-security/2017/09/06/1
-
-From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:20:37 +0200
-Subject: [PATCH] Encoder: grow buffer size in
- opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
- opj_mqc_flush (#982)
-
----
- src/lib/openjp2/tcd.c                   | 7 +++++--
- tests/nonregression/test_suite.ctest.in | 2 ++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index 301c7213e..53cdcf64d 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
- {
-     OPJ_UINT32 l_data_size;
- 
--    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
--    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-+    /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-+    /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
-+    /* TODO: is there a theoretical upper-bound for the compressed code */
-+    /* block size ? */
-+    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
- 
-     if (l_data_size > p_code_block->data_size) {
-diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
-index aaf40d7d0..ffd964c2a 100644
---- a/tests/nonregression/test_suite.ctest.in
-+++ b/tests/nonregression/test_suite.ctest.in
-@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
- # Same rate as Bretagne2_4.j2k
- opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
- 
-+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
-+
- # DECODER TEST SUITE
- opj_decompress -i  @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
- opj_decompress -i  @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
deleted file mode 100644
index 6c083be123..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
-http://openwall.com/lists/oss-security/2017/09/06/2
-
-From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Tue, 15 Aug 2017 11:55:58 +0200
-Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
- opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
-
----
- src/lib/openjp2/j2k.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index a2521ebbc..54b490a8c 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
- 
-     /* Precincts */
-     parameters->csty |= 0x01;
--    parameters->res_spec = parameters->numresolution - 1;
--    for (i = 0; i < parameters->res_spec; i++) {
--        parameters->prcw_init[i] = 256;
--        parameters->prch_init[i] = 256;
-+    if (parameters->numresolution == 1) {
-+        parameters->res_spec = 1;
-+        parameters->prcw_init[0] = 128;
-+        parameters->prch_init[0] = 128;
-+    } else {
-+        parameters->res_spec = parameters->numresolution - 1;
-+        for (i = 0; i < parameters->res_spec; i++) {
-+            parameters->prcw_init[i] = 256;
-+            parameters->prch_init[i] = 256;
-+        }
-     }
- 
-     /* The progression order shall be CPRL */
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
deleted file mode 100644
index 2bfc5a6a85..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
-http://openwall.com/lists/oss-security/2017/09/06/3
-
-From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 16 Aug 2017 17:09:10 +0200
-Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
- (#991)
-
----
- src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 54b490a8c..16915452e 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
-  * Writes the SOT marker (Start of tile-part)
-  *
-  * @param       p_j2k            J2K codec.
-- * @param       p_data           FIXME DOC
-- * @param       p_data_written   FIXME DOC
-+ * @param       p_data           Output buffer
-+ * @param       p_total_data_size Output buffer size
-+ * @param       p_data_written   Number of bytes written into stream
-  * @param       p_stream         the stream to write data to.
-  * @param       p_manager        the user event manager.
- */
- static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
-                                   OPJ_BYTE * p_data,
-+                                  OPJ_UINT32 p_total_data_size,
-                                   OPJ_UINT32 * p_data_written,
-                                   const opj_stream_private_t *p_stream,
-                                   opj_event_mgr_t * p_manager);
-@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
- 
- static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
-                                   OPJ_BYTE * p_data,
-+                                  OPJ_UINT32 p_total_data_size,
-                                   OPJ_UINT32 * p_data_written,
-                                   const opj_stream_private_t *p_stream,
-                                   opj_event_mgr_t * p_manager
-@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
-     OPJ_UNUSED(p_stream);
-     OPJ_UNUSED(p_manager);
- 
-+    if (p_total_data_size < 12) {
-+        opj_event_msg(p_manager, EVT_ERROR,
-+                      "Not enough bytes in output buffer to write SOT marker\n");
-+        return OPJ_FALSE;
-+    }
-+
-     opj_write_bytes(p_data, J2K_MS_SOT,
-                     2);                                 /* SOT */
-     p_data += 2;
-@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
- 
-     l_current_nb_bytes_written = 0;
-     l_begin_data = p_data;
--    if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+    if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
-+                            &l_current_nb_bytes_written, p_stream,
-                             p_manager)) {
-         return OPJ_FALSE;
-     }
-@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
-         l_part_tile_size = 0;
-         l_begin_data = p_data;
- 
--        if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+        if (! opj_j2k_write_sot(p_j2k, p_data,
-+                                p_total_data_size,
-+                                &l_current_nb_bytes_written,
-+                                p_stream,
-                                 p_manager)) {
-             return OPJ_FALSE;
-         }
-@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
-             l_part_tile_size = 0;
-             l_begin_data = p_data;
- 
--            if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+            if (! opj_j2k_write_sot(p_j2k, p_data,
-+                                    p_total_data_size,
-+                                    &l_current_nb_bytes_written, p_stream,
-                                     p_manager)) {
-                 return OPJ_FALSE;
-             }
diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
new file mode 100644
index 0000000000..e1e71a332a
--- /dev/null
+++ b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
@@ -0,0 +1,44 @@
+From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001
+From: jakirkham <jakirkham@gmail.com>
+Date: Fri, 7 Jul 2017 05:57:56 -0400
+Subject: [PATCH] Drop ordereddict requirement (#84)
+
+* Drop ordereddict requirement
+
+As Python 2.7 is the minimum Python supported, every version of Python
+should have `ordereddict` preincluded in the standard library one way or
+another. So we can drop this dependency and just handle the differences
+between Python 2 and Python 3.
+---
+ nosetimer/plugin.py | 5 +----
+ setup.py            | 1 -
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py
+index ef28e11..d093a51 100644
+--- a/nosetimer/plugin.py
++++ b/nosetimer/plugin.py
+@@ -12,10 +12,7 @@
+ except ImportError:
+     import queue as Queue
+ 
+-try:
+-    from collections import OrderedDict
+-except ImportError:
+-    from ordereddict import OrderedDict
++from collections import OrderedDict
+ 
+ 
+ # define constants
+diff --git a/setup.py b/setup.py
+index 6a55b82..d249325 100755
+--- a/setup.py
++++ b/setup.py
+@@ -27,7 +27,6 @@
+     install_requires=[
+         'nose',
+         'termcolor',
+-        'ordereddict',
+     ],
+     license='MIT',
+     entry_points={
diff --git a/gnu/packages/patches/python2-unittest2-remove-argparse.patch b/gnu/packages/patches/python2-unittest2-remove-argparse.patch
new file mode 100644
index 0000000000..c96738757e
--- /dev/null
+++ b/gnu/packages/patches/python2-unittest2-remove-argparse.patch
@@ -0,0 +1,11 @@
+--- a/setup.py	2017-09-12 01:22:06.273997788 +0200
++++ b/setup.py	2017-09-12 01:22:14.297918757 +0200
+@@ -57,7 +57,7 @@
+ # Both install and setup requires - because we read VERSION from within the
+ # package, and the package also exports all the APIs.
+ # six for compat helpers
+-REQUIRES = ['argparse', 'six>=1.4', 'traceback2'],
++REQUIRES = ['six>=1.4', 'traceback2'],
+ 
+ params = dict(
+     name=NAME,
diff --git a/gnu/packages/patches/qemu-CVE-2017-13711.patch b/gnu/packages/patches/qemu-CVE-2017-13711.patch
deleted file mode 100644
index 4070115419..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-13711.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Fix CVE-2017-13711:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384
-
-From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Fri, 25 Aug 2017 01:35:53 +0200
-Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The if_fastq and if_batchq contain not only packets, but queues of packets
-for the same socket. When sofree frees a socket, it thus has to clear ifq_so
-from all the packets from the queues, not only the first.
-
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- slirp/socket.c | 39 +++++++++++++++++++++++----------------
- 1 file changed, 23 insertions(+), 16 deletions(-)
-
-diff --git a/slirp/socket.c b/slirp/socket.c
-index ecec0295a9..cb7b5b608d 100644
---- a/slirp/socket.c
-+++ b/slirp/socket.c
-@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
-   return(so);
- }
- 
-+/*
-+ * Remove references to so from the given message queue.
-+ */
-+static void
-+soqfree(struct socket *so, struct quehead *qh)
-+{
-+    struct mbuf *ifq;
-+
-+    for (ifq = (struct mbuf *) qh->qh_link;
-+             (struct quehead *) ifq != qh;
-+             ifq = ifq->ifq_next) {
-+        if (ifq->ifq_so == so) {
-+            struct mbuf *ifm;
-+            ifq->ifq_so = NULL;
-+            for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
-+                ifm->ifq_so = NULL;
-+            }
-+        }
-+    }
-+}
-+
- /*
-  * remque and free a socket, clobber cache
-  */
-@@ -66,23 +87,9 @@ void
- sofree(struct socket *so)
- {
-   Slirp *slirp = so->slirp;
--  struct mbuf *ifm;
- 
--  for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
--       (struct quehead *) ifm != &slirp->if_fastq;
--       ifm = ifm->ifq_next) {
--    if (ifm->ifq_so == so) {
--      ifm->ifq_so = NULL;
--    }
--  }
--
--  for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
--       (struct quehead *) ifm != &slirp->if_batchq;
--       ifm = ifm->ifq_next) {
--    if (ifm->ifq_so == so) {
--      ifm->ifq_so = NULL;
--    }
--  }
-+  soqfree(so, &slirp->if_fastq);
-+  soqfree(so, &slirp->if_batchq);
- 
-   if (so->so_emu==EMU_RSH && so->extra) {
- 	sofree(so->extra);
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-14167.patch b/gnu/packages/patches/qemu-CVE-2017-14167.patch
deleted file mode 100644
index a6007ac082..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-14167.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Fix CVE-2017-14167:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167
-http://seclists.org/oss-sec/2017/q3/407
-
-Patch copied from upstream development mailing list:
-
-https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
-
-From: Prasad J Pandit <address@hidden>
-
-While loading kernel via multiboot-v1 image, (flags & 0x00010000)
-indicates that multiboot header contains valid addresses to load
-the kernel image. These addresses are used to compute kernel
-size and kernel text offset in the OS image. Validate these
-address values to avoid an OOB access issue.
-
-This is CVE-2017-14167.
-
-Reported-by: Thomas Garnier <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/i386/multiboot.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-Update: add CVE-ID to the commit message.
-
-diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
-index 6001f4caa2..c7b70c91d5 100644
---- a/hw/i386/multiboot.c
-+++ b/hw/i386/multiboot.c
-@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
-         uint32_t mh_header_addr = ldl_p(header+i+12);
-         uint32_t mh_load_end_addr = ldl_p(header+i+20);
-         uint32_t mh_bss_end_addr = ldl_p(header+i+24);
-+
-         mh_load_addr = ldl_p(header+i+16);
-+        if (mh_header_addr < mh_load_addr) {
-+            fprintf(stderr, "invalid mh_load_addr address\n");
-+            exit(1);
-+        }
-+
-         uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
-         uint32_t mb_load_size = 0;
-         mh_entry_addr = ldl_p(header+i+28);
- 
-         if (mh_load_end_addr) {
-+            if (mh_bss_end_addr < mh_load_addr) {
-+                fprintf(stderr, "invalid mh_bss_end_addr address\n");
-+                exit(1);
-+            }
-             mb_kernel_size = mh_bss_end_addr - mh_load_addr;
-+
-+            if (mh_load_end_addr < mh_load_addr) {
-+                fprintf(stderr, "invalid mh_load_end_addr address\n");
-+                exit(1);
-+            }
-             mb_load_size = mh_load_end_addr - mh_load_addr;
-         } else {
-+            if (kernel_file_size < mb_kernel_text_offset) {
-+                fprintf(stderr, "invalid kernel_file_size\n");
-+                exit(1);
-+            }
-             mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
-             mb_load_size = mb_kernel_size;
-         }
--- 
-2.13.5
-
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch
deleted file mode 100644
index 2696033e58..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:40 +0300
-Subject: dix: Disallow GenericEvent in SendEvent request.
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/dix/events.c b/dix/events.c
-index 3e3a01e..d3a33ea 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
-         client->errorValue = stuff->event.u.u.type;
-         return BadValue;
-     }
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-     if (stuff->event.u.u.type == ClientMessage &&
-         stuff->event.u.u.detail != 8 &&
-         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b8..6785059 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
-     swapl(&stuff->destination);
-     swapl(&stuff->eventMask);
- 
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-+
-     /* Swap event */
-     proc = EventSwapVector[stuff->event.u.u.type & 0177];
-     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
--- 
-cgit v0.10.2
-
-From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:41 +0300
-Subject: Xi: Verify all events in ProcXSendExtensionEvent.
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118a..5e63bfc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
--    int ret;
-+    int ret, i;
-     DeviceIntPtr dev;
-     xEvent *first;
-     XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
-     /* The client's event type must be one defined by an extension. */
- 
-     first = ((xEvent *) &stuff[1]);
--    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
--          (first->u.u.type < lastEvent))) {
--        client->errorValue = first->u.u.type;
--        return BadValue;
-+    for (i = 0; i < stuff->num_events; i++) {
-+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+            (first[i].u.u.type < lastEvent))) {
-+            client->errorValue = first[i].u.u.type;
-+            return BadValue;
-+        }
-     }
- 
-     list = (XEventClass *) (first + stuff->num_events);
--- 
-cgit v0.10.2
-
-From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:42 +0300
-Subject: Xi: Do not try to swap GenericEvent.
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfc..5c2e0fc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
- 
-     eventP = (xEvent *) &stuff[1];
-     for (i = 0; i < stuff->num_events; i++, eventP++) {
-+        if (eventP->u.u.type == GenericEvent) {
-+            client->errorValue = eventP->u.u.type;
-+            return BadValue;
-+        }
-+
-         proc = EventSwapVector[eventP->u.u.type & 0177];
--        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
-+        /* no swapping proc; invalid event type? */
-+        if (proc == NotImplemented) {
-+            client->errorValue = eventP->u.u.type;
-             return BadValue;
-+        }
-         (*proc) (eventP, &eventT);
-         *eventP = eventT;
-     }
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
deleted file mode 100644
index f24e9c0ae6..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:39 +0300
-Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
-
-Make sure that the xEvent eventT is initialized with zeros, the same way as
-in SProcSendEvent.
-
-Some event swapping functions do not overwrite all 32 bytes of xEvent
-structure, for example XSecurityAuthorizationRevoked. Two cooperating
-clients, one swapped and the other not, can send
-XSecurityAuthorizationRevoked event to each other to retrieve old stack data
-from X server. This can be potentialy misused to go around ASLR or
-stack-protector.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 11d8202..1cf118a 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- {
-     CARD32 *p;
-     int i;
--    xEvent eventT;
-+    xEvent eventT = { .u.u.type = 0 };
-     xEvent *eventP;
-     EventSwapPtr proc;
- 
--- 
-cgit v0.10.2
-