authorLeo Famulari <leo@famulari.name>2017-01-13 10:21:17 -0500
committerLeo Famulari <leo@famulari.name>2017-01-13 10:21:17 -0500
commitcc0725914e74c4c4dec369f3e7cdb6f201b3fecd (patch)
treee68b452ed625a2db8ed10914fb0968fdc36c655d /gnu/packages/patches
parenta25b6880f1398ad36aea1d0e4e4105936a8b7e70 (diff)
parentce195ba12277ec4286ad0d8ddf7294655987ea9d (diff)
downloadguix-cc0725914e74c4c4dec369f3e7cdb6f201b3fecd.tar.gz
Merge branch 'master' into python-tests
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/awesome-reproducible-png.patch4
-rw-r--r--gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch81
-rw-r--r--gnu/packages/patches/cracklib-fix-buffer-overflow.patch39
-rw-r--r--gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch40
-rw-r--r--gnu/packages/patches/inkscape-drop-wait-for-targets.patch68
-rw-r--r--gnu/packages/patches/kdbusaddons-kinit-file-name.patch15
-rw-r--r--gnu/packages/patches/khal-disable-failing-tests.patch33
-rw-r--r--gnu/packages/patches/libpng-CVE-2016-10087.patch37
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10092.patch42
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10093.patch53
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10094.patch34
-rw-r--r--gnu/packages/patches/libtiff-assertion-failure.patch60
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch63
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch104
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch57
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero.patch67
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch131
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch132
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch67
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch60
-rw-r--r--gnu/packages/patches/libtiff-invalid-read.patch64
-rw-r--r--gnu/packages/patches/libtiff-null-dereference.patch42
-rw-r--r--gnu/packages/patches/libtiff-tiffcp-underflow.patch41
-rw-r--r--gnu/packages/patches/libupnp-CVE-2016-8863.patch72
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-4658.patch257
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-5131.patch218
-rw-r--r--gnu/packages/patches/libxt-guix-search-paths.patch126
-rw-r--r--gnu/packages/patches/mcrypt-CVE-2012-4409.patch35
-rw-r--r--gnu/packages/patches/mcrypt-CVE-2012-4527.patch198
-rw-r--r--gnu/packages/patches/multiqc-fix-git-subprocess-error.patch16
-rw-r--r--gnu/packages/patches/ocaml-Add-a-.file-directive.patch96
-rw-r--r--gnu/packages/patches/ocaml-bisect-fix-camlp4-in-another-directory.patch125
-rw-r--r--gnu/packages/patches/ocaml-bitstring-fix-configure.patch53
-rw-r--r--gnu/packages/patches/openssh-memory-exhaustion.patch39
-rw-r--r--gnu/packages/patches/python-dendropy-exclude-failing-tests.patch21
-rw-r--r--gnu/packages/patches/python-pycrypto-CVE-2013-7459.patch97
-rw-r--r--gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch69
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-8576.patch62
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-8577.patch36
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-8578.patch27
-rw-r--r--gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch17
-rw-r--r--gnu/packages/patches/slock-CVE-2016-6866.patch51
-rw-r--r--gnu/packages/patches/unrtf-CVE-2016-10091.patch189
43 files changed, 2686 insertions, 452 deletions
diff --git a/gnu/packages/patches/awesome-reproducible-png.patch b/gnu/packages/patches/awesome-reproducible-png.patch
index 0fae65bc71..d8e92c70f9 100644
--- a/gnu/packages/patches/awesome-reproducible-png.patch
+++ b/gnu/packages/patches/awesome-reproducible-png.patch
@@ -7,8 +7,8 @@ See <https://wiki.debian.org/ReproducibleBuilds/TimestampsInPNG>.
          set(ALL_ICONS ${ALL_ICONS} ${output})
  
          add_custom_command(
--            COMMAND ${CONVERT_EXECUTABLE} ${input} ${ARGN} ${output}
-+            COMMAND ${CONVERT_EXECUTABLE} +set date:create +set date:modify -define png:exclude-chunk=time ${input} ${ARGN} ${output}
+-            COMMAND ${CONVERT_EXECUTABLE} ${input} -strip ${ARGN} ${output}
++            COMMAND ${CONVERT_EXECUTABLE} +set date:create +set date:modify -define png:exclude-chunk=time ${input} -strip ${ARGN} ${output}
              OUTPUT  ${output}
              DEPENDS ${input}
              VERBATIM)
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 0000000000..59decde0e9
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,81 @@
+diff -ur a/irregex-core.scm b/irregex-core.scm
+--- a/irregex-core.scm	2016-09-11 19:03:00.000000000 -0400
++++ b/irregex-core.scm	2017-01-01 22:24:08.000000000 -0500
+@@ -30,6 +30,8 @@
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;;                     of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+               ((sre-empty? (sre-sequence (cdr sre)))
+                (error "invalid sre: empty *" sre))
+               (else
+-               (letrec
+-                   ((body
+-                     (lp (sre-sequence (cdr sre))
+-                         n
+-                         flags
+-                         (lambda (cnk init src str i end matches fail)
+-                           (body cnk init src str i end matches
+-                                 (lambda ()
+-                                   (next cnk init src str i end matches fail)
+-                                   ))))))
++               (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+                  (lambda (cnk init src str i end matches fail)
+                    (body cnk init src str i end matches
+                          (lambda ()
+@@ -3204,10 +3197,21 @@
+                          (lambda ()
+                            (body cnk init src str i end matches fail))))))))
+             ((+)
+-             (lp (sre-sequence (cdr sre))
+-                 n
+-                 flags
+-                 (rec (list '* (sre-sequence (cdr sre))))))
++             (cond
++              ((sre-empty? (sre-sequence (cdr sre)))
++               (error "invalid sre: empty +" sre))
++              (else
++               (letrec
++                   ((body
++                     (lp (sre-sequence (cdr sre))
++                         n
++                         flags
++                         (lambda (cnk init src str i end matches fail)
++                           (body cnk init src str i end matches
++                                 (lambda ()
++                                   (next cnk init src str i end matches fail)
++                                   ))))))
++                 body))))
+             ((=)
+              (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+             ((>=)
+diff -ur a/irregex-utils.scm b/irregex-utils.scm
+--- a/irregex-utils.scm	2016-09-11 19:03:00.000000000 -0400
++++ b/irregex-utils.scm	2017-01-01 22:25:25.000000000 -0500
+@@ -89,7 +89,7 @@
+         (case (car x)
+           ((: seq)
+            (cond
+-            ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++            ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+              (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+             (else (for-each lp (cdr x)))))
+           ((submatch)
+diff -ur "a/manual-html/Unit irregex.html" "b/manual-html/Unit irregex.html"
+--- "a/manual-html/Unit irregex.html"	2016-09-11 19:10:47.000000000 -0400
++++ "b/manual-html/Unit irregex.html"	2017-01-01 22:26:05.000000000 -0500
+@@ -353,6 +353,6 @@
+ <dd class="defsig"><p>Returns an optimized SRE matching any of the literal strings in the list, like Emacs' <tt>regexp-opt</tt>.  Note this optimization doesn't help when irregex is able to build a DFA.</p></dd>
+ </dl>
+ <h5 id="sec:sre-.3estring"><a href="#sec:sre-.3estring">sre-&gt;string</a></h5><dl class="defsig"><dt class="defsig" id="def:sre-.3estring"><span class="sig"><tt>(sre-&gt;string &lt;sre&gt;)</tt></span> <span class="type">procedure</span></dt>
+-<dd class="defsig"><p>Convert an SRE to a POSIX-style regular expression string, if possible.</p></dd>
++<dd class="defsig"><p>Convert an SRE to a PCRE-style regular expression string, if possible.</p></dd>
+ </dl>
+-<hr /><p>Previous: <a href="Unit%20extras.html">Unit extras</a></p><p>Next: <a href="Unit%20srfi-1.html">Unit srfi-1</a></p></div></div></body>
+\ No newline at end of file
++<hr /><p>Previous: <a href="Unit%20extras.html">Unit extras</a></p><p>Next: <a href="Unit%20srfi-1.html">Unit srfi-1</a></p></div></div></body>
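Review bot: The new patch file starts directly at `diff -ur a/irregex-core.scm` with no header, so nothing in it says which change addresses CVE-2016-6830 and which addresses CVE-2016-6831, or where the changes were taken from. The other security patches in this commit open with a short description and upstream links; a header in the same form, e.g. `Fix CVE-2016-6830 and CVE-2016-6831. Patch taken from <upstream URL>`, would let a later reviewer check this copy against its origin. The irregex history line added in the first hunk mentions only exponential memory use when compiling `+`, so the mapping to the two CVE ids cannot be recovered from the hunks themselves.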
diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..b1c990f282
--- /dev/null
+++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
@@ -0,0 +1,39 @@
+Fix buffer overflow processing long words in Mangle().
+
+Patch adpated from upstream commit, omitting changes to 'NEWS':
+
+https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb
+
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS        | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/lib/rules.c
++++ b/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a pointer to a controlled Mangle */
+ {
+     int limit;
+     register char *ptr;
+-    static char area[STRINGSIZE];
+-    char area2[STRINGSIZE];
+-    area[0] = '\0';
++    static char area[STRINGSIZE * 2] = {0};
++    char area2[STRINGSIZE * 2] = {0};
+     strcpy(area, input);
+ 
+     for (ptr = control; *ptr; ptr++)
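Review bot: `strcpy(area, input)` in Mangle() is still unbounded after this change; the patch only enlarges `area` and `area2` to `STRINGSIZE * 2`, so the copy is safe only if every caller keeps `input` shorter than that, which is not visible in this hunk. Since the patch is copied from upstream, the least intrusive step is to state that assumption in the patch header. A local hardening would be a length check before the copy, e.g. `if (strlen(input) >= sizeof(area)) return NULL;`, assuming NULL is an acceptable failure return for Mangle() here. The function body continues past the hunk, so the per-rule writes into `area2` could not be checked.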
diff --git a/gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch b/gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch
new file mode 100644
index 0000000000..79bb41caaa
--- /dev/null
+++ b/gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch
@@ -0,0 +1,40 @@
+This fixes a segfault on 32-bit architectures. Upstream discussion:
+
+https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032364.html
+
+Guix thread: https://lists.gnu.org/archive/html/guix-devel/2016-12/msg00631.html
+
+Patch copied from upstream source repository:
+
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=6e96cdd41a0e55b672309431062f37c4a4a9f485
+
+From 6e96cdd41a0e55b672309431062f37c4a4a9f485 Mon Sep 17 00:00:00 2001
+From: Justus Winter <justus@g10code.com>
+Date: Wed, 21 Dec 2016 16:14:45 +0100
+Subject: [PATCH] gpgscm: Guard use of union member.
+
+* tests/gpgscm/scheme.c (opexe_5): Check that we have a file port
+before accessing filename.  Fixes a crash on 32-bit architectures.
+
+Fixes-commit: e7429b1ced0c69fa7901f888f8dc25f00fc346a4
+Signed-off-by: Justus Winter <justus@g10code.com>
+---
+ tests/gpgscm/scheme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/gpgscm/scheme.c b/tests/gpgscm/scheme.c
+index a5b7691..2844545 100644
+--- a/tests/gpgscm/scheme.c
++++ b/tests/gpgscm/scheme.c
+@@ -4838,7 +4838,7 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
+                } else {
+                     sc->nesting_stack[sc->file_i]++;
+ #if USE_TAGS && SHOW_ERROR_LINE
+-		    {
++		    if (sc->load_stack[sc->file_i].kind & port_file) {
+ 		      const char *filename =
+ 			sc->load_stack[sc->file_i].rep.stdio.filename;
+ 		      int lineno =
+-- 
+2.8.0.rc3
+
diff --git a/gnu/packages/patches/inkscape-drop-wait-for-targets.patch b/gnu/packages/patches/inkscape-drop-wait-for-targets.patch
deleted file mode 100644
index 3dbe6641e2..0000000000
--- a/gnu/packages/patches/inkscape-drop-wait-for-targets.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Copied from Fedora.
-
-http://pkgs.fedoraproject.org/cgit/rpms/inkscape.git/plain/inkscape-0.91-drop-wait-for-targets.patch?id=eb5340800b563d6b05aa5f11a2f24f2cc0d8c80e
-
-=== modified file 'src/ui/clipboard.cpp'
---- src/ui/clipboard.cpp	2016-04-02 15:15:43 +0000
-+++ src/ui/clipboard.cpp	2016-04-07 16:30:32 +0000
-@@ -146,8 +146,6 @@
-     void _setClipboardColor(guint32);
-     void _userWarn(SPDesktop *, char const *);
- 
--    void _inkscape_wait_for_targets(std::list<Glib::ustring> &);
--
-     // private properites
-     SPDocument *_clipboardSPDoc; ///< Document that stores the clipboard until someone requests it
-     Inkscape::XML::Node *_defs; ///< Reference to the clipboard document's defs node
-@@ -1302,9 +1300,7 @@
-  */
- Glib::ustring ClipboardManagerImpl::_getBestTarget()
- {
--    // GTKmm's wait_for_targets() is broken, see the comment in _inkscape_wait_for_targets()
--    std::list<Glib::ustring> targets; // = _clipboard->wait_for_targets();
--    _inkscape_wait_for_targets(targets);
-+    std::list<Glib::ustring> targets = _clipboard->wait_for_targets();
- 
-     // clipboard target debugging snippet
-     /*
-@@ -1456,39 +1452,6 @@
-     desktop->messageStack()->flash(Inkscape::WARNING_MESSAGE, msg);
- }
- 
--
--// GTKMM's clipboard::wait_for_targets is buggy and might return bogus, see
--//
--// https://bugs.launchpad.net/inkscape/+bug/296778
--// http://mail.gnome.org/archives/gtk-devel-list/2009-June/msg00062.html
--//
--// for details. Until this has been fixed upstream we will use our own implementation
--// of this method, as copied from /gtkmm-2.16.0/gtk/gtkmm/clipboard.cc.
--void ClipboardManagerImpl::_inkscape_wait_for_targets(std::list<Glib::ustring> &listTargets)
--{
--    //Get a newly-allocated array of atoms:
--    GdkAtom* targets = NULL;
--    gint n_targets = 0;
--    gboolean test = gtk_clipboard_wait_for_targets( gtk_clipboard_get(GDK_SELECTION_CLIPBOARD), &targets, &n_targets );
--    if (!test || (targets == NULL)) {
--        return;
--    }
--
--    //Add the targets to the C++ container:
--    for (int i = 0; i < n_targets; i++)
--    {
--        //Convert the atom to a string:
--        gchar* const atom_name = gdk_atom_name(targets[i]);
--
--        Glib::ustring target;
--        if (atom_name) {
--            target = Glib::ScopedPtr<char>(atom_name).get(); //This frees the gchar*.
--        }
--
--        listTargets.push_back(target);
--    }
--}
--
- /* #######################################
-           ClipboardManager class
-    ####################################### */
-
diff --git a/gnu/packages/patches/kdbusaddons-kinit-file-name.patch b/gnu/packages/patches/kdbusaddons-kinit-file-name.patch
new file mode 100644
index 0000000000..ffed88e043
--- /dev/null
+++ b/gnu/packages/patches/kdbusaddons-kinit-file-name.patch
@@ -0,0 +1,15 @@
+Add placeholder for kinit's store file name.
+
+diff --git a/src/kdeinitinterface.cpp b/src/kdeinitinterface.cpp
+index 22fa5e5..3d40937 100644
+--- a/src/kdeinitinterface.cpp
++++ b/src/kdeinitinterface.cpp
+@@ -52,7 +52,7 @@ void KDEInitInterface::ensureKdeinitRunning()
+     // If not found in system paths, search other paths
+     if (srv.isEmpty()) {
+         const QStringList searchPaths = QStringList()
+-            << QCoreApplication::applicationDirPath() // then look where our application binary is located
++            << QString::fromUtf8("@SUBSTITUTEME@/bin") // using QStringLiteral would be more efficient, but breaks guix store reference detection.
+             << QLibraryInfo::location(QLibraryInfo::BinariesPath); // look where exec path is (can be set in qt.conf)
+         srv = QStandardPaths::findExecutable(QStringLiteral("kdeinit5"), searchPaths);
+         if (srv.isEmpty()) {
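Review bot: The literal `@SUBSTITUTEME@/bin` placed first in `searchPaths` is only a valid directory once the build replaces the placeholder, and nothing in the patch says which package phase does that. If the substitution were ever skipped, the `kdeinit5` lookup would be handed a relative path, and the result would then depend on how `QStandardPaths::findExecutable` resolves it. I would add a sentence to the patch header naming the phase that rewrites the placeholder (to be confirmed against the package definition, which is outside this diff), and have that phase fail if the placeholder is still present afterwards. ensureKdeinitRunning() continues outside the hunk.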
diff --git a/gnu/packages/patches/khal-disable-failing-tests.patch b/gnu/packages/patches/khal-disable-failing-tests.patch
new file mode 100644
index 0000000000..e2c65df8ce
--- /dev/null
+++ b/gnu/packages/patches/khal-disable-failing-tests.patch
@@ -0,0 +1,33 @@
+Disable some tests that are known to fail:
+
+https://github.com/pimutils/khal/issues/546
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844081
+
+diff --git a/tests/khalendar_test.py b/tests/khalendar_test.py
+index fd8dcc6..17732bf 100644
+--- a/tests/khalendar_test.py
++++ b/tests/khalendar_test.py
+@@ -65,6 +65,7 @@ class TestCalendar(object):
+                 else:
+                     mtimes[cal] = mtime
+ 
++    @pytest.mark.xfail
+     def test_db_needs_update(self, coll_vdirs):
+         coll, vdirs = coll_vdirs
+ 
+@@ -321,6 +322,7 @@ class TestDbCreation(object):
+             CalendarCollection(calendars, dbpath=dbpath, locale=aux.locale)
+ 
+ 
++@pytest.mark.xfail
+ def test_default_calendar(coll_vdirs):
+     """test if an update to the vdir is detected by the CalendarCollection"""
+     coll, vdirs = coll_vdirs
+@@ -341,6 +343,7 @@ def test_default_calendar(coll_vdirs):
+     assert len(list(coll.get_events_on(today))) == 0
+ 
+ 
++@pytest.mark.xfail
+ def test_only_update_old_event(coll_vdirs, monkeypatch):
+     coll, vdirs = coll_vdirs
+ 
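Review bot: The three `@pytest.mark.xfail` markers carry no `reason` and are non-strict, so a test that starts passing again is only reported as XPASS and the marker is easy to forget. Recording the tracking issue on the marker itself, `@pytest.mark.xfail(reason="https://github.com/pimutils/khal/issues/546")`, keeps the justification with each test (`test_db_needs_update`, `test_default_calendar`, `test_only_update_old_event`) rather than only in the patch header.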
diff --git a/gnu/packages/patches/libpng-CVE-2016-10087.patch b/gnu/packages/patches/libpng-CVE-2016-10087.patch
new file mode 100644
index 0000000000..8093b3e448
--- /dev/null
+++ b/gnu/packages/patches/libpng-CVE-2016-10087.patch
@@ -0,0 +1,37 @@
+Fix CVE-2016-10087, a null pointer dereference in png_set_text_2():
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
+http://seclists.org/oss-sec/2016/q4/777
+
+Patch adapted from upstream source repository:
+
+https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/
+
+From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 29 Dec 2016 07:51:33 -0600
+Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in
+ png_set_text_2()
+
+(bug report and patch by Patrick Keshishian).
+---
+ ANNOUNCE | 2 ++
+ CHANGES  | 2 ++
+ png.c    | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/png.c b/png.c
+index 8afc28fc2..2e05de159 100644
+--- a/png.c
++++ b/png.c
+@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
+          png_free(png_ptr, info_ptr->text);
+          info_ptr->text = NULL;
+          info_ptr->num_text = 0;
++         info_ptr->max_text = 0;
+       }
+    }
+ #endif
+-- 
+2.11.0
+
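Review bot: The added `info_ptr->max_text = 0;` has no comment, and the link between this reset in png_free_data() and the NULL dereference reported for png_set_text_2() is left for the reader to work out. A short comment would help, e.g. `/* text was freed: reset the capacity too, so a later png_set_text_2() does not treat the NULL array as still having room */`. That reading of png_set_text_2() is inferred, since the function is not in the hunk. png_free_data() starts and ends outside the hunk.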
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
new file mode 100644
index 0000000000..d5fd796169
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
@@ -0,0 +1,42 @@
+Fix CVE-2016-10092:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2620
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092
+https://security-tracker.debian.org/tracker/CVE-2016-10092
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
+	mode so that the output buffer is correctly incremented to avoid write
+	outside bounds.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1178; previous revision: 1.1177
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
+new revision: 1.47; previous revision: 1.46
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.46
+retrieving revision 1.47
+diff -u -r1.46 -r1.47
+--- libtiff/tools/tiffcrop.c	18 Nov 2016 14:58:46 -0000	1.46
++++ libtiff/tools/tiffcrop.c	3 Dec 2016 11:35:56 -0000	1.47
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
+ 
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+  * the image data through additional options listed below
+@@ -3698,7 +3698,7 @@
+                                   (unsigned long) strip, (unsigned long)rows);
+                         return 0;
+                 }
+-                bufp += bytes_read;
++                bufp += stripsize;
+         }
+ 
+         return 1;
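Review bot: With `bufp += stripsize;` the write pointer now steps by the full strip even when `bytes_read` is smaller (or negative after a read error ignored in -i mode), so the unread part of that strip in the output buffer keeps whatever it held before. Whether the buffer is zeroed when allocated is not visible here, as the function starts outside the hunk; if it is not, the cropped image could carry stale heap bytes. A comment at the increment would record the intent, e.g. `/* advance by the full strip so later strips stay in bounds; a short read leaves the rest of this strip untouched */`, and the allocation site is worth checking for a memset.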
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch
new file mode 100644
index 0000000000..5897ec1029
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10093.patch
@@ -0,0 +1,53 @@
+Fix CVE-2016-10093:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2610
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093
+https://security-tracker.debian.org/tracker/CVE-2016-10093
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: fix uint32 underflow/overflow that can cause
+	heap-based buffer overflow.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1187; previous revision: 1.1186
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.59; previous revision: 1.58
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.58
+retrieving revision 1.59
+diff -u -r1.58 -r1.59
+--- libtiff/tools/tiffcp.c	3 Dec 2016 15:44:15 -0000	1.58
++++ libtiff/tools/tiffcp.c	3 Dec 2016 16:40:01 -0000	1.59
+@@ -1163,7 +1163,7 @@
+ 
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+-    uint32 rows, uint32 cols, int outskew, int inskew)
++    uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+ 	while (rows-- > 0) {
+ 		uint32 j = cols;
+@@ -1320,7 +1320,7 @@
+ 	tdata_t tilebuf;
+ 	uint32 imagew = TIFFScanlineSize(in);
+ 	uint32 tilew  = TIFFTileRowSize(in);
+-	int iskew = imagew - tilew;
++	int64 iskew = (int64)imagew - (int64)tilew;
+ 	uint8* bufp = (uint8*) buf;
+ 	uint32 tw, tl;
+ 	uint32 row;
+@@ -1348,7 +1348,7 @@
+ 				status = 0;
+ 				goto done;
+ 			}
+-			if (colb + tilew > imagew) {
++			if (colb > iskew) {
+ 				uint32 width = imagew - colb;
+ 				uint32 oskew = tilew - width;
+ 				cpStripToTile(bufp + colb,
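Review bot: `cpStripToTile()` now takes `int64 inskew`, but `outskew` is still `int`, while `oskew` in the third hunk is a `uint32` computed as `tilew - width`. If that value, or a sum involving the new 64-bit `iskew`, is what reaches `outskew` (the call is cut off at the end of the hunk), it would be narrowed to `int` the same way `iskew` was before this fix. Widening it as well, `uint32 rows, uint32 cols, int64 outskew, int64 inskew)`, would keep the two skews consistent. The other callers of cpStripToTile() are outside the hunks and would need the same look.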
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch
new file mode 100644
index 0000000000..9018773565
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10094.patch
@@ -0,0 +1,34 @@
+Fix CVE-2016-10094:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2640
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094
+https://security-tracker.debian.org/tracker/CVE-2016-10094
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiff2pdf.c: avoid potential heap-based overflow in
+        t2p_readwrite_pdf_image_tile().
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1199; previous revision: 1.1198
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v  <--  tools/tiff2pdf.c
+new revision: 1.101; previous revision: 1.100
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.100
+retrieving revision 1.101
+diff -u -r1.100 -r1.101
+--- libtiff/tools/tiff2pdf.c	20 Dec 2016 17:24:35 -0000	1.100
++++ libtiff/tools/tiff2pdf.c	20 Dec 2016 17:28:17 -0000	1.101
+@@ -2895,7 +2895,7 @@
+ 				return(0);
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+-				if (count >= 4) {
++				if (count > 4) {
+                                         int retTIFFReadRawTile;
+                     /* Ignore EOI marker of JpegTables */
+ 					_TIFFmemcpy(buffer, jpt, count - 2);
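Review bot: The bound `count > 4` is a bare magic number next to `_TIFFmemcpy(buffer, jpt, count - 2)`, and the hunk does not say why a four-byte JPEGTables field has to be rejected. A comment stating the minimum the following code needs would make this off-by-one fix reviewable, e.g. `/* need more than the 2-byte SOI plus 2-byte EOI markers before using the table data */`, to be worded from the lines after the copy, which are outside the hunk. No upper bound on `count` against the size of `buffer` is visible here either, so that should be confirmed where `buffer` is allocated.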
diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch
new file mode 100644
index 0000000000..ef747fbdd7
--- /dev/null
+++ b/gnu/packages/patches/libtiff-assertion-failure.patch
@@ -0,0 +1,60 @@
+Fix assertion failure in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
+check.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1188; previous revision: 1.1187
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.60; previous revision: 1.59
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.59
+retrieving revision 1.60
+diff -u -r1.59 -r1.60
+--- libtiff/tools/tiffcp.c	3 Dec 2016 16:40:01 -0000	1.59
++++ libtiff/tools/tiffcp.c	3 Dec 2016 16:50:02 -0000	1.60
+@@ -45,7 +45,6 @@
+ #include <string.h>
+ 
+ #include <ctype.h>
+-#include <assert.h>
+ 
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -1393,7 +1392,12 @@
+             status = 0;
+             goto done;
+         }
+-	assert( bps % 8 == 0 );
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            status = 0;
++            goto done;
++        }
+ 	bytes_per_sample = bps/8;
+ 
+ 	for (row = 0; row < imagelength; row += tl) {
+@@ -1584,7 +1588,12 @@
+             _TIFFfree(obuf);
+             return 0;
+         }
+-	assert( bps % 8 == 0 );
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            _TIFFfree(obuf);
++            return 0;
++        }
+ 	bytes_per_sample = bps/8;
+ 
+ 	for (row = 0; row < imagelength; row += tl) {
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
new file mode 100644
index 0000000000..2a96b68521
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
@@ -0,0 +1,63 @@
+Fix divide-by-zero in OJPEGDecodeRaw():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure
+in
+        OJPEGPreDecode(). This will avoid a divide by zero, and potential other
+issues.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1177; previous revision: 1.1176
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_ojpeg.c
+new revision: 1.66; previous revision: 1.65
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.65
+retrieving revision 1.66
+diff -u -r1.65 -r1.66
+--- libtiff/libtiff/tif_ojpeg.c	4 Sep 2016 21:32:56 -0000	1.65
++++ libtiff/libtiff/tif_ojpeg.c	3 Dec 2016 11:15:18 -0000	1.66
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
+ 
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+    specification is now totally obsolete and deprecated for new applications and
+@@ -244,6 +244,7 @@
+ 
+ typedef struct {
+ 	TIFF* tif;
++        int decoder_ok;
+ 	#ifndef LIBJPEG_ENCAP_EXTERNAL
+ 	JMP_BUF exit_jmpbuf;
+ 	#endif
+@@ -722,6 +723,7 @@
+ 		}
+ 		sp->write_curstrile++;
+ 	}
++	sp->decoder_ok = 1;
+ 	return(1);
+ }
+ 
+@@ -784,8 +786,14 @@
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++        static const char module[]="OJPEGDecode";
+ 	OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ 	(void)s;
++        if( !sp->decoder_ok )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++            return 0;
++        }
+ 	if (sp->libjpeg_jpeg_query_style==0)
+ 	{
+ 		if (OJPEGDecodeRaw(tif,buf,cc)==0)
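Review bot: `decoder_ok` is set to 1 at the end of the function patched in the second hunk (OJPEGPreDecode() according to the ChangeLog text), but none of the three hunks clears it. Once one strip or tile has been prepared successfully, the new guard in OJPEGDecode() would keep passing even if a later predecode returns early with an error. Unless the flag is reset somewhere outside these hunks, clearing it on entry to the predecode function, `sp->decoder_ok = 0;`, would make the guard reflect the most recent attempt. The guard also relies on the state struct being zero-initialised when allocated, which is not visible here.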
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
new file mode 100644
index 0000000000..d3f1c2b60e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
@@ -0,0 +1,104 @@
+Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2597
+http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+        missing.
+        Reported by Agostino sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1183; previous revision: 1.1182
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.57; previous revision: 1.56
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.56
+retrieving revision 1.57
+diff -u -r1.56 -r1.57
+--- libtiff/tools/tiffcp.c	2 Dec 2016 22:13:32 -0000	1.56
++++ libtiff/tools/tiffcp.c	3 Dec 2016 14:42:40 -0000	1.57
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -1378,7 +1378,7 @@
+ 	uint8* bufp = (uint8*) buf;
+ 	uint32 tw, tl;
+ 	uint32 row;
+-	uint16 bps, bytes_per_sample;
++	uint16 bps = 0, bytes_per_sample;
+ 
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+@@ -1387,6 +1387,12 @@
+ 	(void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
+ 	(void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+ 	(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
++            status = 0;
++            goto done;
++        }
+ 	assert( bps % 8 == 0 );
+ 	bytes_per_sample = bps/8;
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+        missing.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1186; previous revision: 1.1185
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.58; previous revision: 1.57
+ 
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.57
+retrieving revision 1.58
+diff -u -r1.57 -r1.58
+--- libtiff/tools/tiffcp.c	3 Dec 2016 14:42:40 -0000	1.57
++++ libtiff/tools/tiffcp.c	3 Dec 2016 15:44:15 -0000	1.58
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -1569,7 +1569,7 @@
+ 	uint8* bufp = (uint8*) buf;
+ 	uint32 tl, tw;
+ 	uint32 row;
+-	uint16 bps, bytes_per_sample;
++	uint16 bps = 0, bytes_per_sample;
+ 
+ 	obuf = _TIFFmalloc(TIFFTileSize(out));
+ 	if (obuf == NULL)
+@@ -1578,6 +1578,12 @@
+ 	(void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+ 	(void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+ 	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++            _TIFFfree(obuf);
++            return 0;
++        }
+ 	assert( bps % 8 == 0 );
+ 	bytes_per_sample = bps/8;
+ 
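Review bot: Both hunks leave `assert( bps % 8 == 0 );` directly before `bytes_per_sample = bps/8;`, so in a build with NDEBUG a `bps` of 1 to 7 passes the new `bps == 0` check and still yields a `bytes_per_sample` of 0. libtiff-assertion-failure.patch in this same commit replaces those asserts and uses the lines added here as its context, so the two patch files only apply in upstream revision order. A line in this patch's header saying so, e.g. `Must be applied before libtiff-assertion-failure.patch`, would spare whoever reorders the package's patch list a failed hunk. Both functions start and end outside the hunks.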
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
new file mode 100644
index 0000000000..823293f1cf
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
@@ -0,0 +1,57 @@
+Fix divide-by-zero in readSeparateStripsIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
+missing.
+        Reported by Agostina Sarubo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1180; previous revision: 1.1179
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/tools/tiffcrop.c	3 Dec 2016 12:19:32 -0000	1.48
++++ libtiff/tools/tiffcrop.c	3 Dec 2016 13:00:04 -0000	1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
+ 
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+  * the image data through additional options listed below
+@@ -1164,7 +1164,7 @@
+   tdata_t  obuf;
+ 
+   (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+-  (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++  (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
+   bytes_per_sample = (bps + 7) / 8;
+   if( width == 0 ||
+       (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
+@@ -4760,7 +4760,7 @@
+   int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+   uint32 j;
+   int32  bytes_read = 0;
+-  uint16 bps, planar;
++  uint16 bps = 0, planar;
+   uint32 nstrips;
+   uint32 strips_per_sample;
+   uint32 src_rowsize, dst_rowsize, rows_processed, rps;
+@@ -4780,7 +4780,7 @@
+     }
+ 
+   memset (srcbuffs, '\0', sizeof(srcbuffs));
+-  TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++  TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+   TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
+   TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+   if (rps > length)
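Review bot: Switching to `TIFFGetFieldDefaulted` covers a missing BitsPerSample tag, but a directory that carries an explicit value of 0 would presumably still leave `bps` at 0, so `bytes_per_sample = (bps + 7) / 8` in the first hunk would be 0 and readSeparateStripsIntoBuffer would see the same value. An explicit `if (bps == 0)` after each call, followed by a `TIFFError` report and the function's failure return, would make the guard independent of how the tag got its value. The tiffcp fix in this same series checks `bps == 0` this way. Whether the tag setter already rejects 0 is not visible here, and both functions start and end outside the hunks.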
diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch
new file mode 100644
index 0000000000..6dbd4666cd
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero.patch
@@ -0,0 +1,67 @@
+Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+        TIFFReadEncodedStrip() that caused an integer division by zero.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1173; previous revision: 1.1172
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <--  libtiff/tif_read.c
+new revision: 1.50; previous revision: 1.49
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v  <--  libtiff/tiffiop.h
+new revision: 1.90; previous revision: 1.89
+
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.49
+retrieving revision 1.50
+diff -u -r1.49 -r1.50
+--- libtiff/libtiff/tif_read.c	10 Jul 2016 18:00:21 -0000	1.49
++++ libtiff/libtiff/tif_read.c	2 Dec 2016 21:56:56 -0000	1.50
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -346,7 +346,7 @@
+ 	rowsperstrip=td->td_rowsperstrip;
+ 	if (rowsperstrip>td->td_imagelength)
+ 		rowsperstrip=td->td_imagelength;
+-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ 	stripinplane=(strip%stripsperplane);
+ 	plane=(uint16)(strip/stripsperplane);
+ 	rows=td->td_imagelength-stripinplane*rowsperstrip;
+Index: libtiff/libtiff/tiffiop.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
+retrieving revision 1.89
+retrieving revision 1.90
+diff -u -r1.89 -r1.90
+--- libtiff/libtiff/tiffiop.h	23 Jan 2016 21:20:34 -0000	1.89
++++ libtiff/libtiff/tiffiop.h	2 Dec 2016 21:56:56 -0000	1.90
+@@ -1,4 +1,4 @@
+-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -250,6 +250,10 @@
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 			   0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
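Review bot: `TIFFhowmany_32_maxuint_compat(x, y)` divides and takes the remainder by `y` with no zero guard, and the call site in tif_read.c passes `rowsperstrip` after clamping it to `td->td_imagelength`. A zero image length or a zero RowsPerStrip would therefore still divide by zero in the macro, and a zero result would do so again at `strip%stripsperplane`. The enclosing function starts outside the hunk, so an earlier rejection may exist; if it does not, an `if (rowsperstrip == 0)` check that reports the error and fails is needed before the macro is used. The macro's comment should also state the precondition, for example `/* y must be non-zero. */`.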
diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
new file mode 100644
index 0000000000..2d5e23586d
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
@@ -0,0 +1,131 @@
+Fix heap-based buffer overflow in _TIFFmemcpy():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+        overflow on generation of PixarLog / LUV compressed files, with
+        ColorMap, TransferFunction attached and nasty plays with bitspersample.
+        The fix for LUV has not been tested, but suffers from the same kind
+        of issue of PixarLog.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1175; previous revision: 1.1174
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v  <--  libtiff/tif_luv.c
+new revision: 1.44; previous revision: 1.43
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v  <-- 
+libtiff/tif_pixarlog.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/libtiff/tif_luv.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
+retrieving revision 1.43
+retrieving revision 1.44
+diff -u -r1.43 -r1.44
+--- libtiff/libtiff/tif_luv.c	4 Sep 2016 21:32:56 -0000	1.43
++++ libtiff/libtiff/tif_luv.c	2 Dec 2016 23:05:51 -0000	1.44
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1997 Greg Ward Larson
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
++        int                     encoder_state;  /* 1 if encoder correctly initialized */
+ 	int                     user_datafmt;   /* user data format */
+ 	int                     encode_meth;    /* encoding method */
+ 	int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@
+ 		    td->td_photometric, "must be either LogLUV or LogL");
+ 		break;
+ 	}
++	sp->encoder_state = 1;
+ 	return (1);
+ notsupported:
+ 	TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++        LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
++	assert(sp != 0);
+ 	/*
+ 	 * For consistency, we always want to write out the same
+ 	 * bitspersample and sampleformat for our TIFF file,
+ 	 * regardless of the data format being used by the application.
+ 	 * Since this routine is called after tags have been set but
+ 	 * before they have been recorded in the file, we reset them here.
++         * Note: this is really a nasty approach. See PixarLogClose
+ 	 */
+-	td->td_samplesperpixel =
+-	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-	td->td_bitspersample = 16;
+-	td->td_sampleformat = SAMPLEFORMAT_INT;
++        if( sp->encoder_state )
++        {
++            /* See PixarLogClose. Might avoid issues with tags whose size depends
++             * on those below, but not completely sure this is enough. */
++            td->td_samplesperpixel =
++                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++            td->td_bitspersample = 16;
++            td->td_sampleformat = SAMPLEFORMAT_INT;
++        }
+ }
+ 
+ static void
+Index: libtiff/libtiff/tif_pixarlog.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/libtiff/tif_pixarlog.c	23 Sep 2016 22:12:18 -0000	1.48
++++ libtiff/libtiff/tif_pixarlog.c	2 Dec 2016 23:05:51 -0000	1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
++/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1996-1997 Sam Leffler
+@@ -1233,8 +1233,10 @@
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++        PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
++	assert(sp != 0);
+ 	/* In a really sneaky (and really incorrect, and untruthful, and
+ 	 * troublesome, and error-prone) maneuver that completely goes against
+ 	 * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@
+ 	 * readers that don't know about PixarLog, or how to set
+ 	 * the PIXARLOGDATFMT pseudo-tag.
+ 	 */
+-	td->td_bitspersample = 8;
+-	td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++        if (sp->state&PLSTATE_INIT) {
++            /* We test the state to avoid an issue such as in
++             * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++             * What appends in that case is that the bitspersample is 1 and
++             * a TransferFunction is set. The size of the TransferFunction
++             * depends on 1<<bitspersample. So if we increase it, an access
++             * out of the buffer will happen at directory flushing.
++             * Another option would be to clear those targs. 
++             */
++            td->td_bitspersample = 8;
++            td->td_sampleformat = SAMPLEFORMAT_UINT;
++        }
+ }
+ 
+ static void
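Review bot: The new guards in `LogLuvClose` and `PixarLogClose` skip the tag rewrite only when the encoder was never initialised. Once `sp->encoder_state` or `PLSTATE_INIT` is set, `td_bitspersample` is still overwritten at close, and the added comments themselves say "not completely sure this is enough" and mention clearing the dependent tags as another option. Per the PixarLogClose comment the TransferFunction size depends on `1<<bitspersample`, so a close with an initialised encoder and such a tag attached would presumably still reach the out-of-bounds access at directory flushing. The patch header should record that, e.g. `Note: upstream marks this mitigation as possibly incomplete; see the comments in LogLuvClose and PixarLogClose.` Separately, `assert(sp != 0)` is compiled out under NDEBUG, so it is not a runtime guard for the `sp->` dereference that follows.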
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
new file mode 100644
index 0000000000..68889b121b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
@@ -0,0 +1,132 @@
+Fix heap-based buffer overflow in TIFFFillStrip():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+        instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength,
+rowsperstrip),
+        instead of a logic based on the total size of data. Which is faulty is
+        the total size of data is not sufficient to fill the whole image, and
+thus
+        results in reading outside of the StripByCounts/StripOffsets arrays
+when
+        using TIFFReadScanline().
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+        * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+        for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
+since
+        the above change is a better fix that makes it unnecessary.
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1176; previous revision: 1.1175
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- 
+libtiff/tif_dirread.c
+new revision: 1.205; previous revision: 1.204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v  <--  libtiff/tif_strip.c
+new revision: 1.38; previous revision: 1.37
+
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.204
+retrieving revision 1.205
+diff -u -r1.204 -r1.205
+--- libtiff/libtiff/tif_dirread.c	16 Nov 2016 15:14:15 -0000	1.204
++++ libtiff/libtiff/tif_dirread.c	3 Dec 2016 11:02:15 -0000	1.205
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -5502,8 +5502,7 @@
+ 	uint64 rowblockbytes;
+ 	uint64 stripbytes;
+ 	uint32 strip;
+-	uint64 nstrips64;
+-	uint32 nstrips32;
++	uint32 nstrips;
+ 	uint32 rowsperstrip;
+ 	uint64* newcounts;
+ 	uint64* newoffsets;
+@@ -5534,18 +5533,17 @@
+ 	    return;
+ 
+ 	/*
+-	 * never increase the number of strips in an image
++	 * never increase the number of rows per strip
+ 	 */
+ 	if (rowsperstrip >= td->td_rowsperstrip)
+ 		return;
+-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+-	    return;
+-	nstrips32 = (uint32)nstrips64;
++        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++        if( nstrips == 0 )
++            return;
+ 
+-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripOffsets\" array");
+ 	if (newcounts == NULL || newoffsets == NULL) {
+ 		/*
+@@ -5562,18 +5560,18 @@
+ 	 * Fill the strip information arrays with new bytecounts and offsets
+ 	 * that reflect the broken-up format.
+ 	 */
+-	for (strip = 0; strip < nstrips32; strip++) {
++	for (strip = 0; strip < nstrips; strip++) {
+ 		if (stripbytes > bytecount)
+ 			stripbytes = bytecount;
+ 		newcounts[strip] = stripbytes;
+-		newoffsets[strip] = offset;
++		newoffsets[strip] = stripbytes ? offset : 0;
+ 		offset += stripbytes;
+ 		bytecount -= stripbytes;
+ 	}
+ 	/*
+ 	 * Replace old single strip info with multi-strip info.
+ 	 */
+-	td->td_stripsperimage = td->td_nstrips = nstrips32;
++	td->td_stripsperimage = td->td_nstrips = nstrips;
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+ 	_TIFFfree(td->td_stripbytecount);
+Index: libtiff/libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.37
+retrieving revision 1.38
+diff -u -r1.37 -r1.38
+--- libtiff/libtiff/tif_strip.c	9 Nov 2016 23:00:49 -0000	1.37
++++ libtiff/libtiff/tif_strip.c	3 Dec 2016 11:02:15 -0000	1.38
+@@ -1,4 +1,4 @@
+-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
++/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1991-1997 Sam Leffler
+@@ -63,15 +63,6 @@
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 	uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
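Review bot: With the cached-value return removed from tif_strip.c, memory safety now relies on the recomputed strip count always matching the `nstrips` that sizes `newcounts` and `newoffsets` in tif_dirread.c. Both use `TIFFhowmany_32(td->td_imagelength, rowsperstrip)`, but the tif_strip.c hunk ends at the `PLANARCONFIG_SEPARATE` branch, which presumably scales the count, and whether the chop-up path can run for separate planes is not visible here. A comment at the new computation would record the invariant: `/* must equal TIFFNumberOfStrips() once ROWSPERSTRIP is updated below; both arrays are sized by it */`. Both functions start and end outside the hunks.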
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
new file mode 100644
index 0000000000..f0fef08bf3
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
@@ -0,0 +1,67 @@
+Fix heap buffer overflow in tiffcp when parsing number of inks:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
+called,
+        limit the return number of inks to SamplesPerPixel, so that code that
+parses
+        ink names doesn't go past the end of the buffer.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1184; previous revision: 1.1183
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v  <--  libtiff/tif_dir.c
+new revision: 1.128; previous revision: 1.127
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.127
+retrieving revision 1.128
+diff -u -r1.127 -r1.128
+--- libtiff/libtiff/tif_dir.c	25 Oct 2016 21:35:15 -0000	1.127
++++ libtiff/libtiff/tif_dir.c	3 Dec 2016 15:30:31 -0000	1.128
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -854,6 +854,32 @@
+ 	if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
+ 	    return 0;
+ 	
++        if( tag == TIFFTAG_NUMBEROFINKS )
++        {
++            int i;
++            for (i = 0; i < td->td_customValueCount; i++) {
++                uint16 val;
++                TIFFTagValue *tv = td->td_customValues + i;
++                if (tv->info->field_tag != tag)
++                    continue;
++                val = *(uint16 *)tv->value;
++                /* Truncate to SamplesPerPixel, since the */
++                /* setting code for INKNAMES assume that there are SamplesPerPixel */
++                /* inknames. */
++                /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
++                if( val > td->td_samplesperpixel )
++                {
++                    TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
++                                   "Truncating NumberOfInks from %u to %u",
++                                   val, td->td_samplesperpixel);
++                    val = td->td_samplesperpixel;
++                }
++                *va_arg(ap, uint16*) = val;
++                return 1;
++            }
++            return 0;
++        }
++
+ 	/*
+ 	 * We want to force the custom code to be used for custom
+ 	 * fields even if the tag happens to match a well known 
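Review bot: The NumberOfInks clamp is applied only in this getter, and `val = *(uint16 *)tv->value;` reads the stored value without checking that `tv->value` is non-NULL and holds at least one element. Code that reads `td_customValues` directly, or writes the directory out, would still see the unclamped count, so the oversized value stays in the directory. Validating it where the tag is set would close that, though the setter is not part of this patch. For the read itself, `if (tv->value == NULL || tv->count < 1) return 0;` before the dereference is a cheap guard. The enclosing function starts and ends outside the hunk.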
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
new file mode 100644
index 0000000000..8166c55758
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
@@ -0,0 +1,60 @@
+Fix heap-based buffer overflow in combineSeparateSamples16bits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+        readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
+buffer.
+        Reported by Agostina Sarubo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1179; previous revision: 1.1178
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
+new revision: 1.48; previous revision: 1.47
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- libtiff/tools/tiffcrop.c	3 Dec 2016 11:35:56 -0000	1.47
++++ libtiff/tools/tiffcrop.c	3 Dec 2016 12:19:32 -0000	1.48
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+ 
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+  * the image data through additional options listed below
+@@ -4815,10 +4815,17 @@
+   nstrips = TIFFNumberOfStrips(in);
+   strips_per_sample = nstrips /spp;
+ 
++  /* Add 3 padding bytes for combineSeparateSamples32bits */
++  if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
++  {
++      TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
++      exit(-1);
++  }
++
+   for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+     {
+     srcbuffs[s] = NULL;
+-    buff = _TIFFmalloc(stripsize);
++    buff = _TIFFmalloc(stripsize + 3);
+     if (!buff)
+       {
+       TIFFError ("readSeparateStripsIntoBuffer", 
+@@ -4827,6 +4834,9 @@
+         _TIFFfree (srcbuffs[i]);
+       return 0;
+       }
++    buff[stripsize] = 0;
++    buff[stripsize+1] = 0;
++    buff[stripsize+2] = 0;
+     srcbuffs[s] = buff;
+     }
+ 
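Review bot: The new overflow check ends the process with `exit(-1)`, while the allocation-failure path a few lines below in the same function reports the error and uses `return 0;`. A helper should fail the same way on both paths so the caller can release what it holds, i.e. `return 0;` after the `TIFFError` call. The added comment names `combineSeparateSamples32bits` while the patch header names `combineSeparateSamples16bits`; correcting one, or listing both, would let a reader trace why three padding bytes are needed. readSeparateStripsIntoBuffer starts and ends outside the hunks.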
diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch
new file mode 100644
index 0000000000..92742d8757
--- /dev/null
+++ b/gnu/packages/patches/libtiff-invalid-read.patch
@@ -0,0 +1,64 @@
+Fix invalid read in t2p_writeproc():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiff2pdf.c: avoid potential invalid memory read in
+        t2p_writeproc.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1198; previous revision: 1.1197
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v  <--  tools/tiff2pdf.c
+new revision: 1.100; previous revision: 1.99
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.99
+retrieving revision 1.100
+diff -u -r1.99 -r1.100
+--- libtiff/tools/tiff2pdf.c	20 Dec 2016 17:13:26 -0000	1.99
++++ libtiff/tools/tiff2pdf.c	20 Dec 2016 17:24:35 -0000	1.100
+@@ -2896,6 +2896,7 @@
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+ 				if (count >= 4) {
++                                        int retTIFFReadRawTile;
+                     /* Ignore EOI marker of JpegTables */
+ 					_TIFFmemcpy(buffer, jpt, count - 2);
+ 					bufferoffset += count - 2;
+@@ -2903,22 +2904,23 @@
+ 					table_end[0] = buffer[bufferoffset-2];
+ 					table_end[1] = buffer[bufferoffset-1];
+ 					xuint32 = bufferoffset;
+-                    bufferoffset -= 2;
+-					bufferoffset += TIFFReadRawTile(
++                                        bufferoffset -= 2;
++                                        retTIFFReadRawTile= TIFFReadRawTile(
+ 						input, 
+ 						tile, 
+ 						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
+ 						-1);
++                                        if( retTIFFReadRawTile < 0 )
++                                        {
++                                            _TIFFfree(buffer);
++                                            t2p->t2p_error = T2P_ERR_ERROR;
++                                            return(0);
++                                        }
++					bufferoffset += retTIFFReadRawTile;
+                     /* Overwrite SOI marker of image scan with previously */
+                     /* saved end of JpegTables */
+ 					buffer[xuint32-2]=table_end[0];
+ 					buffer[xuint32-1]=table_end[1];
+-				} else {
+-					bufferoffset += TIFFReadRawTile(
+-						input, 
+-						tile, 
+-						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
+-						-1);
+ 				}
+ 			}
+ 			t2pWriteFile(output, (tdata_t) buffer, bufferoffset);
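Review bot: `int retTIFFReadRawTile` receives the result of `TIFFReadRawTile()`, which returns the library's signed size type; where that type is wider than `int`, the value is narrowed before the `< 0` test and before it is added to `bufferoffset`. Declaring it with the function's own return type, `tmsize_t retTIFFReadRawTile;`, avoids that. The change also drops the `else` branch, so when `count < 4` the tile is no longer read at all and `t2pWriteFile` is reached with `bufferoffset` unchanged. If that is intended, a comment such as `/* JpegTables too short: tile data is not read */` would make it explicit. The enclosing function starts and ends outside the hunks.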
diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch
new file mode 100644
index 0000000000..8c6345b804
--- /dev/null
+++ b/gnu/packages/patches/libtiff-null-dereference.patch
@@ -0,0 +1,42 @@
+Fix NULL pointer dereference in TIFFReadRawData():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffinfo.c: fix null pointer dereference in -r mode when
+        * the
+image has
+        no StripByteCount tag.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1182; previous revision: 1.1181
+/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v  <--  tools/tiffinfo.c
+new revision: 1.26; previous revision: 1.25
+
+Index: libtiff/tools/tiffinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v
+retrieving revision 1.25
+retrieving revision 1.26
+diff -u -r1.25 -r1.26
+--- libtiff/tools/tiffinfo.c	12 Nov 2016 20:06:05 -0000	1.25
++++ libtiff/tools/tiffinfo.c	3 Dec 2016 14:18:49 -0000	1.26
+@@ -1,4 +1,4 @@
+-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */
++/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -417,7 +417,7 @@
+ 	uint64* stripbc=NULL;
+ 
+ 	TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
+-	if (nstrips > 0) {
++	if (stripbc != NULL && nstrips > 0) {
+ 		uint32 bufsize = (uint32) stripbc[0];
+ 		tdata_t buf = _TIFFmalloc(bufsize);
+ 		tstrip_t s;
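Review bot: When `stripbc` is NULL the raw-data dump is now skipped without any message, and the return value of `TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc)` is still ignored. In -r mode the user then gets no output and no indication why. Reporting the condition before the `if`, for example `if (stripbc == NULL) TIFFError(TIFFFileName(tif), "No StripByteCounts tag");`, would make a malformed file visible. The function continues outside the hunk.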
diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
new file mode 100644
index 0000000000..5615cbb3e1
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
@@ -0,0 +1,41 @@
+Fix a integer underflow in tiffcp that led to heap overflows in
+TIFFReverseBits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
+        can cause various issues, such as buffer overflows in the library.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1174; previous revision: 1.1173
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.56; previous revision: 1.55
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.55
+retrieving revision 1.56
+diff -u -r1.55 -r1.56
+--- libtiff/tools/tiffcp.c	8 Oct 2016 15:54:57 -0000	1.55
++++ libtiff/tools/tiffcp.c	2 Dec 2016 22:13:32 -0000	1.56
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -985,7 +985,7 @@
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 row = 0;
+ 		_TIFFmemset(buf, 0, stripsize);
+-		for (s = 0; s < ns; s++) {
++		for (s = 0; s < ns && row < imagelength; s++) {
+ 			tsize_t cc = (row + rowsperstrip > imagelength) ?
+ 			    TIFFVStripSize(in, imagelength - row) : stripsize;
+ 			if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
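Review bot: In the context line `(row + rowsperstrip > imagelength)` the sum is an unsigned addition (`row` is `uint32`) that can wrap when `rowsperstrip` is large, in which case the full `stripsize` is requested for a strip with fewer rows left. With the new `row < imagelength` loop condition the subtraction can no longer underflow, so the test can be written without the addition: `tsize_t cc = (rowsperstrip > imagelength - row) ?`. The rest of the loop body, including how `row` advances, is outside the hunk, so whether the wrap is reachable depends on code not shown.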
diff --git a/gnu/packages/patches/libupnp-CVE-2016-8863.patch b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
new file mode 100644
index 0000000000..9978b39487
--- /dev/null
+++ b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
@@ -0,0 +1,72 @@
+Fix CVE-2016-8863:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+https://sourceforge.net/p/pupnp/bugs/133/
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
+
+From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
+---
+ upnp/src/gena/gena_device.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
+index fb04a29..245c56b 100644
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@ static int create_url_list(
+ 	/*! [out] . */
+ 	URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@ static int create_url_list(
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++                    if (URLcount2 >= URLcount)
++                        /*
++                         * break early here in case there is a bogus URL that
++                         * was skipped above. This prevents to access
++                         * out->parsedURLs[URLcount] which is beyond the
++                         * allocation.
++                         */
++                        break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
+-- 
+2.11.0
+
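Review bot: The length passed to `parse_uri` is `URLS->size - i + 1`, but starting at `&out->URLs[i + 1]` only `URLS->size - i - 1` bytes of copied data remain before the terminator written at `out->URLs[URLS->size]`, so the stated length reaches past it. The new early `break` bounds the index into `out->parsedURLs` but leaves this argument as it was. Unless `parse_uri` is known to stop at the NUL, it should be `URLS->size - i - 1`. The body of `if (URLcount2 >= URLcount)` is a block comment followed by an unbraced `break;`, which is easy to misread, so bracing it would help. create_url_list starts and ends outside the hunks, including the first counting pass and the allocation.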
diff --git a/gnu/packages/patches/libxml2-CVE-2016-4658.patch b/gnu/packages/patches/libxml2-CVE-2016-4658.patch
new file mode 100644
index 0000000000..a4e1f31fae
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-4658.patch
@@ -0,0 +1,257 @@
+Fix CVE-2016-4658:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
+
+From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2016 18:34:52 +0200
+Subject: [PATCH] Disallow namespace nodes in XPointer ranges
+
+Namespace nodes must be copied to avoid use-after-free errors.
+But they don't necessarily have a physical representation in a
+document, so simply disallow them in XPointer ranges.
+
+Found with afl-fuzz.
+
+Fixes CVE-2016-4658.
+---
+ xpointer.c | 149 +++++++++++++++++++++++--------------------------------------
+ 1 file changed, 56 insertions(+), 93 deletions(-)
+
+diff --git a/xpointer.c b/xpointer.c
+index a7b03fbd..694d120e 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
+ }
+ 
+ /**
++ * xmlXPtrNewRangeInternal:
++ * @start:  the starting node
++ * @startindex:  the start index
++ * @end:  the ending point
++ * @endindex:  the ending index
++ *
++ * Internal function to create a new xmlXPathObjectPtr of type range
++ *
++ * Returns the newly created object.
++ */
++static xmlXPathObjectPtr
++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
++                        xmlNodePtr end, int endindex) {
++    xmlXPathObjectPtr ret;
++
++    /*
++     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
++     * Disallow them for now.
++     */
++    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
++	return(NULL);
++    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
++	return(NULL);
++
++    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
++    if (ret == NULL) {
++        xmlXPtrErrMemory("allocating range");
++	return(NULL);
++    }
++    memset(ret, 0, sizeof(xmlXPathObject));
++    ret->type = XPATH_RANGE;
++    ret->user = start;
++    ret->index = startindex;
++    ret->user2 = end;
++    ret->index2 = endindex;
++    return(ret);
++}
++
++/**
+  * xmlXPtrNewRange:
+  * @start:  the starting node
+  * @startindex:  the start index
+@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
+     if (endindex < 0)
+ 	return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = startindex;
+-    ret->user2 = end;
+-    ret->index2 = endindex;
++    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
+     if (end->type != XPATH_POINT)
+ 	return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start->user;
+-    ret->index = start->index;
+-    ret->user2 = end->user;
+-    ret->index2 = end->index;
++    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
++                                  end->index);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
+     if (start->type != XPATH_POINT)
+ 	return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start->user;
+-    ret->index = start->index;
+-    ret->user2 = end;
+-    ret->index2 = -1;
++    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
+     if (end->type != XPATH_POINT)
+ 	return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    ret->user2 = end->user;
+-    ret->index2 = end->index;
++    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
+     if (end == NULL)
+ 	return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    ret->user2 = end;
+-    ret->index2 = -1;
++    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
+     if (start == NULL)
+ 	return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    ret->user2 = NULL;
+-    ret->index2 = -1;
++    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
+     return(ret);
+ }
+ 
+@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
+  */
+ xmlXPathObjectPtr
+ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
++    xmlNodePtr endNode;
++    int endIndex;
+     xmlXPathObjectPtr ret;
+ 
+     if (start == NULL)
+@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+ 	return(NULL);
+     switch (end->type) {
+ 	case XPATH_POINT:
++	    endNode = end->user;
++	    endIndex = end->index;
++	    break;
+ 	case XPATH_RANGE:
++	    endNode = end->user2;
++	    endIndex = end->index2;
+ 	    break;
+ 	case XPATH_NODESET:
+ 	    /*
+@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+ 	     */
+ 	    if (end->nodesetval->nodeNr <= 0)
+ 		return(NULL);
++	    endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
++	    endIndex = -1;
+ 	    break;
+ 	default:
+ 	    /* TODO */
+ 	    return(NULL);
+     }
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-	return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    switch (end->type) {
+-	case XPATH_POINT:
+-	    ret->user2 = end->user;
+-	    ret->index2 = end->index;
+-	    break;
+-	case XPATH_RANGE:
+-	    ret->user2 = end->user2;
+-	    ret->index2 = end->index2;
+-	    break;
+-	case XPATH_NODESET: {
+-	    ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
+-	    ret->index2 = -1;
+-	    break;
+-	}
+-	default:
+-	    STRANGE
+-	    return(NULL);
+-    }
++    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+-- 
+2.11.0
+
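Review bot: In `xmlXPtrNewRangeInternal` the new `XML_NAMESPACE_DECL` rejection adds a second way to return NULL, and every caller except `xmlXPtrNewCollapsedRange` then passes `ret` straight to `xmlXPtrRangeCheckOrder(ret)`. The removed code returned before that call when allocation failed, so the patch now depends on `xmlXPtrRangeCheckOrder` tolerating NULL. Its body is not in these hunks, so either confirm that or guard the call sites with `if (ret != NULL) xmlXPtrRangeCheckOrder(ret);`. The helper's doc comment should also say that NULL means either an allocation failure or a rejected namespace node, since "Returns the newly created object." no longer covers it.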
diff --git a/gnu/packages/patches/libxml2-CVE-2016-5131.patch b/gnu/packages/patches/libxml2-CVE-2016-5131.patch
new file mode 100644
index 0000000000..38938c8e3e
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-5131.patch
@@ -0,0 +1,218 @@
+Fix CVE-2016-5131:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
+
+Patches copied from upstream source repository (the test suite fails
+without the 2nd patch):
+
+https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
+
+From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2016 14:22:23 +0200
+Subject: [PATCH] Fix XPointer paths beginning with range-to
+
+The old code would invoke the broken xmlXPtrRangeToFunction. range-to
+isn't really a function but a special kind of location step. Remove
+this function and always handle range-to in the XPath code.
+
+The old xmlXPtrRangeToFunction could also be abused to trigger a
+use-after-free error with the potential for remote code execution.
+
+Found with afl-fuzz.
+
+Fixes CVE-2016-5131.
+---
+ result/XPath/xptr/vidbase | 13 ++++++++
+ test/XPath/xptr/vidbase   |  1 +
+ xpath.c                   |  7 ++++-
+ xpointer.c                | 76 ++++-------------------------------------------
+ 4 files changed, 26 insertions(+), 71 deletions(-)
+
+diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
+index 8b9e92d6..f19193e7 100644
+--- a/result/XPath/xptr/vidbase
++++ b/result/XPath/xptr/vidbase
+@@ -17,3 +17,16 @@ Object is a Location Set:
+   To node
+     ELEMENT p
+ 
++
++========================
++Expression: xpointer(range-to(id('chapter2')))
++Object is a Location Set:
++1 :   Object is a range :
++  From node
++     /
++  To node
++    ELEMENT chapter
++      ATTRIBUTE id
++        TEXT
++          content=chapter2
++
+diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
+index b1463830..884b1065 100644
+--- a/test/XPath/xptr/vidbase
++++ b/test/XPath/xptr/vidbase
+@@ -1,2 +1,3 @@
+ xpointer(id('chapter1')/p)
+ xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
++xpointer(range-to(id('chapter2')))
+diff --git a/xpath.c b/xpath.c
+index d992841e..5a01b1b3 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
+ 		    lc = 1;
+ 		    break;
+ 		} else if ((NXT(len) == '(')) {
+-		    /* Note Type or Function */
++		    /* Node Type or Function */
+ 		    if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+ 		        xmlGenericError(xmlGenericErrorContext,
+ 				"PathExpr: Type search\n");
+ #endif
+ 			lc = 1;
++#ifdef LIBXML_XPTR_ENABLED
++                    } else if (ctxt->xptr &&
++                               xmlStrEqual(name, BAD_CAST "range-to")) {
++                        lc = 1;
++#endif
+ 		    } else {
+ #ifdef DEBUG_STEP
+ 		        xmlGenericError(xmlGenericErrorContext,
+diff --git a/xpointer.c b/xpointer.c
+index 676c5105..d74174a3 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
+     ret->here = here;
+     ret->origin = origin;
+ 
+-    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+-	                 xmlXPtrRangeToFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+ 	                 xmlXPtrRangeFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+  * @nargs:  the number of args
+  *
+  * Implement the range-to() XPointer function
++ *
++ * Obsolete. range-to is not a real function but a special type of location
++ * step which is handled in xpath.c.
+  */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+-    xmlXPathObjectPtr range;
+-    const xmlChar *cur;
+-    xmlXPathObjectPtr res, obj;
+-    xmlXPathObjectPtr tmp;
+-    xmlLocationSetPtr newset = NULL;
+-    xmlNodeSetPtr oldset;
+-    int i;
+-
+-    if (ctxt == NULL) return;
+-    CHECK_ARITY(1);
+-    /*
+-     * Save the expression pointer since we will have to evaluate
+-     * it multiple times. Initialize the new set.
+-     */
+-    CHECK_TYPE(XPATH_NODESET);
+-    obj = valuePop(ctxt);
+-    oldset = obj->nodesetval;
+-    ctxt->context->node = NULL;
+-
+-    cur = ctxt->cur;
+-    newset = xmlXPtrLocationSetCreate(NULL);
+-
+-    for (i = 0; i < oldset->nodeNr; i++) {
+-	ctxt->cur = cur;
+-
+-	/*
+-	 * Run the evaluation with a node list made of a single item
+-	 * in the nodeset.
+-	 */
+-	ctxt->context->node = oldset->nodeTab[i];
+-	tmp = xmlXPathNewNodeSet(ctxt->context->node);
+-	valuePush(ctxt, tmp);
+-
+-	xmlXPathEvalExpr(ctxt);
+-	CHECK_ERROR;
+-
+-	/*
+-	 * The result of the evaluation need to be tested to
+-	 * decided whether the filter succeeded or not
+-	 */
+-	res = valuePop(ctxt);
+-	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+-	if (range != NULL) {
+-	    xmlXPtrLocationSetAdd(newset, range);
+-	}
+-
+-	/*
+-	 * Cleanup
+-	 */
+-	if (res != NULL)
+-	    xmlXPathFreeObject(res);
+-	if (ctxt->value == tmp) {
+-	    res = valuePop(ctxt);
+-	    xmlXPathFreeObject(res);
+-	}
+-
+-	ctxt->context->node = NULL;
+-    }
+-
+-    /*
+-     * The result is used as the new evaluation set.
+-     */
+-    xmlXPathFreeObject(obj);
+-    ctxt->context->node = NULL;
+-    ctxt->context->contextSize = -1;
+-    ctxt->context->proximityPosition = -1;
+-    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++                       int nargs ATTRIBUTE_UNUSED) {
++    XP_ERROR(XPATH_EXPR_ERROR);
+ }
+ 
+ /**
+-- 
+2.11.0
+
+From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2016 14:19:58 +0200
+Subject: [PATCH] Fix comparison with root node in xmlXPathCmpNodes
+
+This change has already been made in xmlXPathCmpNodesExt but not in
+xmlXPathCmpNodes.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 751665b8..d992841e 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
+      * compute depth to root
+      */
+     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+-	if (cur == node1)
++	if (cur->parent == node1)
+ 	    return(1);
+ 	depth2++;
+     }
+     root = cur;
+     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+-	if (cur == node2)
++	if (cur->parent == node2)
+ 	    return(-1);
+ 	depth1++;
+     }
+-- 
+2.11.0
+
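Review bot: The two upstream commits are stored in the reverse of their upstream order. The `xpath.c` section of "Fix XPointer paths beginning with range-to" carries `index d992841e..5a01b1b3`, while that of "Fix comparison with root node in xmlXPathCmpNodes" carries `index 751665b8..d992841e`, so the latter is the earlier change. They presumably still apply in file order because the two `xpath.c` hunks touch unrelated regions (around lines 10691 and 3342). Listing the xmlXPathCmpNodes commit first would keep the file in application order, with the header reworded to match, e.g. `(the test suite fails without the 1st patch)`.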
diff --git a/gnu/packages/patches/libxt-guix-search-paths.patch b/gnu/packages/patches/libxt-guix-search-paths.patch
new file mode 100644
index 0000000000..c618f48da5
--- /dev/null
+++ b/gnu/packages/patches/libxt-guix-search-paths.patch
@@ -0,0 +1,126 @@
+--- libXt-1.1.5/src/Intrinsic.c	2015-05-01 07:36:20.000000000 +0200
++++ Intrinsic.c	2016-12-12 00:42:16.567388450 +0100
+@@ -1303,21 +1303,101 @@
+     } else (void) strcpy(*rest, string);
+ }
+ 
+-/*
+- * default path used if environment variable XFILESEARCHPATH
+- * is not defined.  Also substitued for %D.
+- * The exact value should be documented in the implementation
+- * notes for any Xt implementation.
++
++
++/* 
++   Return the default search path for the function
++   XtResolvePathname to use if XFILESEARCHPATH is 
++   not defined.
++
++   It returns the combination the set of values which are the 6 "stems" below,
++   prepended with "/run/current-system/profile", and $GUIX_PROFILE and 
++   "$HOME/.guix-profile"
++
++   These values provide the default paths where Guix/GuixSD  can expect
++   to find resources for installed packages.
+  */
+-static const char *implementation_default_path(void)
++static const char *guix_default_path(void)
+ {
+-#if defined(WIN32)
+-    static char xfilesearchpath[] = "";
+-
+-    return xfilesearchpath;
+-#else
+-    return XFILESEARCHPATHDEFAULT;
+-#endif
++  static const char *search_path_default_stem[] = {
++    "/lib/X11/%L/%T/%N%C%S",
++    "/lib/X11/%l/%T/%N%C%S",
++    "/lib/X11/%T/%N%C%S",
++    "/lib/X11/%L/%T/%N%S",
++    "/lib/X11/%l/%T/%N%S",
++    "/lib/X11/%T/%N%S"
++  };
++
++#define SIZEOF_STEMS  (strlen (search_path_default_stem[0])	\
++		       + strlen (search_path_default_stem[1])	\
++		       + strlen (search_path_default_stem[2])	\
++		       + strlen (search_path_default_stem[3])	\
++		       + strlen (search_path_default_stem[4])	\
++		       + strlen (search_path_default_stem[5]))
++
++
++  int i;
++  const char *current_profile = "/run/current-system/profile";
++  char *home = getenv ("HOME");
++  char *guix_profile = getenv ("GUIX_PROFILE");
++
++  size_t bytesAllocd = SIZEOF_STEMS + 1; 
++
++  /* This function is evaluated multiple times and the calling
++     code assumes that it is idempotent. So we must not allow
++     (say) a changed environment variable to cause it to return
++     something different. */
++  static char *path = NULL;
++  if (path)
++    return path;
++
++  bytesAllocd += 6 * (1 + strlen (current_profile));
++
++  if (guix_profile != NULL)
++    {
++      bytesAllocd += SIZEOF_STEMS;
++      bytesAllocd += 6 * (1 + strlen (guix_profile));
++    }
++
++  if (home != NULL)
++    {
++      bytesAllocd += SIZEOF_STEMS;
++      bytesAllocd += 6 * (1 + strlen(home) + strlen ("/.guix-profile"));
++    }
++
++  path = XtMalloc(bytesAllocd);
++  if (path == NULL) _XtAllocError(NULL);
++
++  memset (path, 0, bytesAllocd);
++  
++  for (i = 0 ; i < 6 ; ++i)
++    {
++      strcat (path, current_profile);
++      strcat (path, search_path_default_stem[i]);
++      strcat (path, ":");
++    }
++
++  if (guix_profile != NULL)
++    for (i = 0 ; i < 6 ; ++i)
++      {
++	strcat (path, guix_profile);
++	strcat (path, search_path_default_stem[i]);
++	strcat (path, ":");
++      }
++
++  if (home != NULL)
++    for (i = 0 ; i < 6 ; ++i)
++      {
++	strcat (path, home);
++	strcat (path, "/.guix-profile");
++	strcat (path, search_path_default_stem[i]);
++	strcat (path, ":");
++      }
++
++  /* Remove final : */
++  path[strlen(path) - 1] = '\0';
++  
++  return path;
+ }
+ 
+ 
+@@ -1345,7 +1425,7 @@
+ {
+     XtPerDisplay pd;
+     static const char *defaultPath = NULL;
+-    const char *impl_default = implementation_default_path();
++    const char *impl_default = guix_default_path();
+     int idef_len = strlen(impl_default);
+     char *massagedPath;
+     int bytesAllocd, bytesLeft;
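Review bot: In `guix_default_path`, `HOME` and `GUIX_PROFILE` are tested only against NULL, so a variable that is set but empty contributes six entries rooted at `/` (`/lib/X11/...` for an empty `GUIX_PROFILE`, `/.guix-profile/lib/X11/...` for an empty `HOME`). Normalising right after the `getenv` calls keeps the size computation and the `strcat` loops consistent: `if (home != NULL && *home == '\0') home = NULL;` and the same for `guix_profile`. Both values are also copied verbatim into a string where `:` separates entries and `%` introduces a substitution, so a path containing either character would be split or expanded; a comment stating that assumption would help. The two `getenv` calls could move below `if (path) return path;`, since the cached result never uses them.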
diff --git a/gnu/packages/patches/mcrypt-CVE-2012-4409.patch b/gnu/packages/patches/mcrypt-CVE-2012-4409.patch
index 60cf8e0430..3089f962f7 100644
--- a/gnu/packages/patches/mcrypt-CVE-2012-4409.patch
+++ b/gnu/packages/patches/mcrypt-CVE-2012-4409.patch
@@ -3,30 +3,17 @@ From: Tom Callaway <spot@fedoraproject.org>
 Date: Fri, 7 Sep 2012 11:39:29 -0400
 Subject: apply fix for CVE-2012-4409 (thanks to Raphael Geissert)
 
----
- mcrypt-CVE-2012-4409.patch | 12 ++++++++++++
- mcrypt.spec                | 10 +++++++++-
- 2 files changed, 21 insertions(+), 1 deletion(-)
- create mode 100644 mcrypt-CVE-2012-4409.patch
-
-diff --git a/mcrypt-CVE-2012-4409.patch b/mcrypt-CVE-2012-4409.patch
-new file mode 100644
-index 0000000..747f428
---- /dev/null
-+++ b/mcrypt-CVE-2012-4409.patch
-@@ -0,0 +1,12 @@
-+diff -up mcrypt-2.6.8/src/extra.c.CVE-2012-4409 mcrypt-2.6.8/src/extra.c
-+--- mcrypt-2.6.8/src/extra.c.CVE-2012-4409	2012-09-07 11:00:55.906870746 -0400
-++++ mcrypt-2.6.8/src/extra.c	2012-09-07 11:00:27.967858365 -0400
-+@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char
-+ 			if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
-+ 				*salt_size = m_setbit(0, sflag, 0);
-+ 				if (*salt_size > 0) {
-++					if (*salt_size > sizeof(tmp_buf))
-++						err_quit(_("Salt is too long\n"));
-+ 					fread(tmp_buf, 1, *salt_size,
-+ 					      fstream);
-+ 					memmove(salt, tmp_buf, *salt_size);
+--- mcrypt-2.6.8/src/extra.c.CVE-2012-4409	2012-09-07 11:00:55.906870746 -0400
++++ mcrypt-2.6.8/src/extra.c	2012-09-07 11:00:27.967858365 -0400
+@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char
+ 			if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
+ 				*salt_size = m_setbit(0, sflag, 0);
+ 				if (*salt_size > 0) {
++					if (*salt_size > sizeof(tmp_buf))
++						err_quit(_("Salt is too long\n"));
+ 					fread(tmp_buf, 1, *salt_size,
+ 					      fstream);
+ 					memmove(salt, tmp_buf, *salt_size);
  
 -- 
 cgit v0.12
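Review bot: The added guard in `check_file_head` bounds `*salt_size` by `sizeof(tmp_buf)` only, while the following `memmove(salt, tmp_buf, *salt_size)` writes into the caller's `salt` buffer. That buffer's capacity is not visible in this hunk, so it should be confirmed that `salt` is at least as large as `tmp_buf`. The return value of `fread` is also ignored, so a truncated input leaves part of `tmp_buf` unread and it is still copied into `salt`; comparing the result with `*salt_size` and failing through `err_quit`, as the new check does, would reject such a file. `check_file_head` starts and ends outside the hunk.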
diff --git a/gnu/packages/patches/mcrypt-CVE-2012-4527.patch b/gnu/packages/patches/mcrypt-CVE-2012-4527.patch
index d931dd174b..dfbf048583 100644
--- a/gnu/packages/patches/mcrypt-CVE-2012-4527.patch
+++ b/gnu/packages/patches/mcrypt-CVE-2012-4527.patch
@@ -3,109 +3,97 @@ From: Tom Callaway <spot@fedoraproject.org>
 Date: Tue, 30 Oct 2012 15:39:24 -0400
 Subject: apply workaround to CVE-2012-4527
 
----
- mcrypt-CVE-2012-4527-80-width-patch | 91 +++++++++++++++++++++++++++++++++++++
- mcrypt.spec                         | 10 +++-
- 2 files changed, 100 insertions(+), 1 deletion(-)
- create mode 100644 mcrypt-CVE-2012-4527-80-width-patch
-
-diff --git a/mcrypt-CVE-2012-4527-80-width-patch b/mcrypt-CVE-2012-4527-80-width-patch
-new file mode 100644
-index 0000000..0eb94d8
---- /dev/null
-+++ b/mcrypt-CVE-2012-4527-80-width-patch
-@@ -0,0 +1,91 @@
-+--- mcrypt-2.6.8.orig/src/mcrypt.c
-++++ mcrypt-2.6.8/src/mcrypt.c
-+@@ -41,6 +41,8 @@
-+ # include <time.h>
-+ #endif
-+ 
-++#define WIDTH 80
-++
-+ static char rcsid[] =
-+     "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $";
-+ 
-+@@ -482,7 +484,7 @@
-+ #ifdef HAVE_STAT
-+       if (stream_flag == FALSE) {
-+ 	 if (is_normal_file(file[i]) == FALSE) {
-+-	    sprintf(tmperr,
-++	    snprintf(tmperr, WIDTH,
-+ 		    _
-+ 		    ("%s: %s is not a regular file. Skipping...\n"),
-+ 		    program_name, file[i]);
-+@@ -501,7 +503,7 @@
-+ 	    dinfile = file[i];
-+ 	 if ((isatty(fileno((FILE *) (stdin))) == 1)
-+ 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
-+-	    sprintf(tmperr,
-++	    snprintf(tmperr, WIDTH,
-+ 		    _
-+ 		    ("%s: Encrypted data will not be read from a terminal.\n"),
-+ 		    program_name);
-+@@ -520,7 +522,7 @@
-+ 	    einfile = file[i];
-+ 	 if ((isatty(fileno((FILE *) (stdout))) == 1)
-+ 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
-+-	    sprintf(tmperr,
-++	    snprintf(tmperr, WIDTH,
-+ 		    _
-+ 		    ("%s: Encrypted data will not be written to a terminal.\n"),
-+ 		    program_name);
-+@@ -544,7 +546,7 @@
-+ 	    strcpy(outfile, einfile);
-+ 	    /* if file has already the .nc ignore it */
-+ 	    if (strstr(outfile, ".nc") != NULL) {
-+-	       sprintf(tmperr,
-++	       snprintf(tmperr, WIDTH,
-+ 		       _
-+ 		       ("%s: file %s has the .nc suffix... skipping...\n"),
-+ 		       program_name, outfile);
-+@@ -590,10 +592,10 @@
-+ 
-+ 	 if (x == 0) {
-+ 	    if (stream_flag == FALSE) {
-+-	       sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
-++	       snprintf(tmperr, WIDTH, _("File %s was decrypted.\n"), dinfile);
-+ 	       err_warn(tmperr);
-+ 	    } else {
-+-	       sprintf(tmperr, _("Stdin was decrypted.\n"));
-++	       snprintf(tmperr, WIDTH, _("Stdin was decrypted.\n"));
-+ 	       err_warn(tmperr);
-+ 	    }
-+ #ifdef HAVE_STAT
-+@@ -610,7 +612,7 @@
-+ 
-+ 	 } else {
-+ 	    if (stream_flag == FALSE) {
-+-	       sprintf(tmperr,
-++	       snprintf(tmperr, WIDTH,
-+ 		       _
-+ 		       ("File %s was NOT decrypted successfully.\n"),
-+ 		       dinfile);
-+@@ -636,10 +638,10 @@
-+ 
-+ 	 if (x == 0) {
-+ 	    if (stream_flag == FALSE) {
-+-	       sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
-++	       snprintf(tmperr, WIDTH, _("File %s was encrypted.\n"), einfile);
-+ 	       err_warn(tmperr);
-+ 	    } else {
-+-	       sprintf(tmperr, _("Stdin was encrypted.\n"));
-++	       snprintf(tmperr, WIDTH, _("Stdin was encrypted.\n"));
-+ 	       err_warn(tmperr);
-+ 	    }
-+ #ifdef HAVE_STAT
-+@@ -655,7 +657,7 @@
-+ 
-+ 	 } else {
-+ 	    if (stream_flag == FALSE) {
-+-	       sprintf(tmperr,
-++	       snprintf(tmperr, WIDTH,
-+ 		       _
-+ 		       ("File %s was NOT encrypted successfully.\n"),
-+ 		       einfile);
--- 
-cgit v0.12
+--- mcrypt-2.6.8.orig/src/mcrypt.c
++++ mcrypt-2.6.8/src/mcrypt.c
+@@ -41,6 +41,8 @@
+ # include <time.h>
+ #endif
+ 
++#define WIDTH 80
++
+ static char rcsid[] =
+     "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $";
+ 
+@@ -482,7 +484,7 @@
+ #ifdef HAVE_STAT
+       if (stream_flag == FALSE) {
+ 	 if (is_normal_file(file[i]) == FALSE) {
+-	    sprintf(tmperr,
++	    snprintf(tmperr, WIDTH,
+ 		    _
+ 		    ("%s: %s is not a regular file. Skipping...\n"),
+ 		    program_name, file[i]);
+@@ -501,7 +503,7 @@
+ 	    dinfile = file[i];
+ 	 if ((isatty(fileno((FILE *) (stdin))) == 1)
+ 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
+-	    sprintf(tmperr,
++	    snprintf(tmperr, WIDTH,
+ 		    _
+ 		    ("%s: Encrypted data will not be read from a terminal.\n"),
+ 		    program_name);
+@@ -520,7 +522,7 @@
+ 	    einfile = file[i];
+ 	 if ((isatty(fileno((FILE *) (stdout))) == 1)
+ 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
+-	    sprintf(tmperr,
++	    snprintf(tmperr, WIDTH,
+ 		    _
+ 		    ("%s: Encrypted data will not be written to a terminal.\n"),
+ 		    program_name);
+@@ -544,7 +546,7 @@
+ 	    strcpy(outfile, einfile);
+ 	    /* if file has already the .nc ignore it */
+ 	    if (strstr(outfile, ".nc") != NULL) {
+-	       sprintf(tmperr,
++	       snprintf(tmperr, WIDTH,
+ 		       _
+ 		       ("%s: file %s has the .nc suffix... skipping...\n"),
+ 		       program_name, outfile);
+@@ -590,10 +592,10 @@
+ 
+ 	 if (x == 0) {
+ 	    if (stream_flag == FALSE) {
+-	       sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
++	       snprintf(tmperr, WIDTH, _("File %s was decrypted.\n"), dinfile);
+ 	       err_warn(tmperr);
+ 	    } else {
+-	       sprintf(tmperr, _("Stdin was decrypted.\n"));
++	       snprintf(tmperr, WIDTH, _("Stdin was decrypted.\n"));
+ 	       err_warn(tmperr);
+ 	    }
+ #ifdef HAVE_STAT
+@@ -610,7 +612,7 @@
+ 
+ 	 } else {
+ 	    if (stream_flag == FALSE) {
+-	       sprintf(tmperr,
++	       snprintf(tmperr, WIDTH,
+ 		       _
+ 		       ("File %s was NOT decrypted successfully.\n"),
+ 		       dinfile);
+@@ -636,10 +638,10 @@
+ 
+ 	 if (x == 0) {
+ 	    if (stream_flag == FALSE) {
+-	       sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
++	       snprintf(tmperr, WIDTH, _("File %s was encrypted.\n"), einfile);
+ 	       err_warn(tmperr);
+ 	    } else {
+-	       sprintf(tmperr, _("Stdin was encrypted.\n"));
++	       snprintf(tmperr, WIDTH, _("Stdin was encrypted.\n"));
+ 	       err_warn(tmperr);
+ 	    }
+ #ifdef HAVE_STAT
+@@ -655,7 +657,7 @@
+ 
+ 	 } else {
+ 	    if (stream_flag == FALSE) {
+-	       sprintf(tmperr,
++	       snprintf(tmperr, WIDTH,
+ 		       _
+ 		       ("File %s was NOT encrypted successfully.\n"),
+ 		       einfile);
+- 
+git v0.12
 
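Review bot: Every `snprintf(tmperr, WIDTH, ...)` call is bounded by the new constant `#define WIDTH 80` rather than by the size of `tmperr`, whose declaration is outside these hunks. If `tmperr` is an array, `sizeof(tmperr)` would keep the bound tied to the declaration; if it is smaller than 80 bytes, the calls can still overflow it. Messages that embed `file[i]`, `dinfile`, `einfile` or `outfile` are now silently cut at 79 characters, which is worth a comment next to `WIDTH`. Separately, the last two added lines of this file read `- ` and `git v0.12`: the old trailer `-- ` / `cgit v0.12` appears to have lost its first character when the nested patch was flattened, and should be restored or dropped.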
diff --git a/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch b/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch
new file mode 100644
index 0000000000..87be6142f4
--- /dev/null
+++ b/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch
@@ -0,0 +1,16 @@
+Without this patch, the incorrect exception is caught when 'git' is not in
+PATH.  See https://github.com/ewels/MultiQC/pull/377.
+
+diff --git a/multiqc/utils/config.py b/multiqc/utils/config.py
+index 01fa554..4a11793 100755
+--- a/multiqc/utils/config.py
++++ b/multiqc/utils/config.py
+@@ -28,7 +28,7 @@ try:
+     git_hash = subprocess.check_output(['git', 'rev-parse', 'HEAD'], stderr=subprocess.STDOUT)
+     git_hash_short = git_hash[:7]
+     version = '{} ({})'.format(version, git_hash_short)
+-except subprocess.CalledProcessError:
++except (subprocess.CalledProcessError, FileNotFoundError):
+     pass
+ os.chdir(cwd)
+ 
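Review bot: `except (subprocess.CalledProcessError, FileNotFoundError):` only works on Python 3. `FileNotFoundError` does not exist on Python 2, and the tuple is evaluated when an exception arrives, so a missing `git` would surface there as a `NameError` instead of being ignored. If this module is also built for Python 2 (not visible here), `except (subprocess.CalledProcessError, OSError):` covers both, since `FileNotFoundError` is a subclass of `OSError` on Python 3. The `try:` block starts outside the hunk.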
diff --git a/gnu/packages/patches/ocaml-Add-a-.file-directive.patch b/gnu/packages/patches/ocaml-Add-a-.file-directive.patch
new file mode 100644
index 0000000000..07842e9c32
--- /dev/null
+++ b/gnu/packages/patches/ocaml-Add-a-.file-directive.patch
@@ -0,0 +1,96 @@
+From: Stephane Glondu <steph@glondu.net>
+Date: Sun, 16 Aug 2015 20:59:14 +0200
+Subject: Add a .file directive to generated .s files
+
+When no .file directive is given, the toolchain records the filename
+of the .o file, which is sometimes random, making generated objects
+non-deterministic.
+
+We use Location.input_name for adding .file directives to assembly
+files. Note: when the file is preprocessed, this reference holds the
+name of the temporary file. Hence, files compiled with -pp are still
+not deterministic.
+
+Bug-Debian: https://bugs.debian.org/795784
+Bug-Debian: https://bugs.debian.org/796336
+---
+ asmcomp/amd64/emit.mlp | 1 +
+ asmcomp/arm/emit.mlp   | 1 +
+ asmcomp/arm64/emit.mlp | 1 +
+ asmcomp/i386/emit.mlp  | 1 +
+ asmcomp/power/emit.mlp | 1 +
+ asmcomp/sparc/emit.mlp | 1 +
+ 6 files changed, 6 insertions(+)
+
+diff --git a/asmcomp/amd64/emit.mlp b/asmcomp/amd64/emit.mlp
+index d56d0f5..4d7aa30 100644
+--- a/asmcomp/amd64/emit.mlp
++++ b/asmcomp/amd64/emit.mlp
+@@ -794,6 +794,7 @@ let data l =
+ let begin_assembly() =
+   reset_debug_info();                   (* PR#5603 *)
+   float_constants := [];
++  `	.file \"{emit_string (String.escaped !Location.input_name)}\"\n`;
+   if !Clflags.dlcode then begin
+     (* from amd64.S; could emit these constants on demand *)
+     if macosx then
+diff --git a/asmcomp/arm/emit.mlp b/asmcomp/arm/emit.mlp
+index 4948fb2..6f30fba 100644
+--- a/asmcomp/arm/emit.mlp
++++ b/asmcomp/arm/emit.mlp
+@@ -892,6 +892,7 @@ let data l =
+
+ let begin_assembly() =
+   reset_debug_info();
++  `	.file \"{emit_string (String.escaped !Location.input_name)}\"\n`;
+   `	.syntax	unified\n`;
+   begin match !arch with
+   | ARMv4   -> `	.arch	armv4t\n`
+diff --git a/asmcomp/arm64/emit.mlp b/asmcomp/arm64/emit.mlp
+index 750c2b2..5afbb8a 100644
+--- a/asmcomp/arm64/emit.mlp
++++ b/asmcomp/arm64/emit.mlp
+@@ -942,6 +942,7 @@ let data l =
+
+ let begin_assembly() =
+   reset_debug_info();
++  `	.file \"{emit_string (String.escaped !Location.input_name)}\"\n`;
+   let lbl_begin = Compilenv.make_symbol (Some "data_begin") in
+   `	.data\n`;
+   `	.globl	{emit_symbol lbl_begin}\n`;
+diff --git a/asmcomp/i386/emit.mlp b/asmcomp/i386/emit.mlp
+index 98df5f9..531150f 100644
+--- a/asmcomp/i386/emit.mlp
++++ b/asmcomp/i386/emit.mlp
+@@ -986,6 +986,7 @@ let data l =
+ let begin_assembly() =
+   reset_debug_info();                   (* PR#5603 *)
+   float_constants := [];
++  `	.file \"{emit_string (String.escaped !Location.input_name)}\"\n`;
+   let lbl_begin = Compilenv.make_symbol (Some "data_begin") in
+   `	.data\n`;
+   `	.globl	{emit_symbol lbl_begin}\n`;
+diff --git a/asmcomp/power/emit.mlp b/asmcomp/power/emit.mlp
+index 4344085..343132b 100644
+--- a/asmcomp/power/emit.mlp
++++ b/asmcomp/power/emit.mlp
+@@ -887,6 +887,7 @@ let data l =
+ let begin_assembly() =
+   defined_functions := StringSet.empty;
+   external_functions := StringSet.empty;
++  `	.file \"{emit_string (String.escaped !Location.input_name)}\"\n`;
+   (* Emit the beginning of the segments *)
+   let lbl_begin = Compilenv.make_symbol (Some "data_begin") in
+   emit_string data_space;
+diff --git a/asmcomp/sparc/emit.mlp b/asmcomp/sparc/emit.mlp
+index 877a3d5..7b041e9 100644
+--- a/asmcomp/sparc/emit.mlp
++++ b/asmcomp/sparc/emit.mlp
+@@ -727,6 +727,7 @@ let data l =
+ (* Beginning / end of an assembly file *)
+
+ let begin_assembly() =
++  `	.file \"{emit_string (String.escaped !Location.input_name)}\"\n`;
+   let lbl_begin = Compilenv.make_symbol (Some "data_begin") in
+   `	.data\n`;
+   `	.global	{emit_symbol lbl_begin}\n`;
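Review bot: The added `.file` line in each `begin_assembly` quotes the name with `String.escaped`, which follows OCaml's lexical conventions and writes non-printable or non-ASCII bytes as decimal `\ddd`, whereas an assembler using GNU as string syntax reads `\ddd` as octal. A source path containing such bytes would therefore be recorded under a different name than the real one; this applies to all six `emit.mlp` hunks. `Location.input_name` is emitted as given, so an absolute build path would presumably also end up in the object. A comment such as `(* name is recorded verbatim: pass relative paths for reproducible objects *)` above the line would make that explicit.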
diff --git a/gnu/packages/patches/ocaml-bisect-fix-camlp4-in-another-directory.patch b/gnu/packages/patches/ocaml-bisect-fix-camlp4-in-another-directory.patch
new file mode 100644
index 0000000000..2056b42356
--- /dev/null
+++ b/gnu/packages/patches/ocaml-bisect-fix-camlp4-in-another-directory.patch
@@ -0,0 +1,125 @@
+From 26cac62fe0154cf65c06faaee10805531e9dade8 Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Wed, 14 Dec 2016 14:14:59 +0100
+Subject: [PATCH] fix camlp4 in another directory
+
+---
+ Makefile        | 11 ++++++-----
+ configure       | 13 ++++++++++++-
+ myocamlbuild.ml |  2 +-
+ 3 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 4a8ce17..d94a6d5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -25,7 +25,7 @@ PATH_BUILD=$(PATH_BASE)/_build
+ PATH_OCAMLDOC=$(PATH_BASE)/ocamldoc
+ PATH_SRC=$(PATH_BASE)/src
+ PATH_TESTS=$(PATH_BASE)/tests
+-PATH_INSTALL=$(PATH_OCAML_PREFIX)/lib/ocaml/bisect
++PATH_INSTALL=$(PREFIX)/lib/ocaml/bisect
+
+
+ # DEFINITIONS
+@@ -33,7 +33,8 @@ PATH_INSTALL=$(PATH_OCAML_PREFIX)/lib/ocaml/bisect
+ PROJECT_NAME=bisect
+ OCAMLBUILD=$(PATH_OCAML_PREFIX)/bin/ocamlbuild
+ OCAMLBUILD_ENV=WARNINGS=$(WARNINGS) PATH_OCAML_PREFIX=$(PATH_OCAML_PREFIX)
+-OCAMLBUILD_FLAGS=-classic-display -no-links
++CAMLP4_INCLUDE=$(shell test -z $(CAMLP4_LIBDIR) || echo "-cflags -I,$(CAMLP4_LIBDIR)")
++OCAMLBUILD_FLAGS=-classic-display -no-links $(CAMLP4_INCLUDE)
+ MODULES_ODOCL=$(PROJECT_NAME).odocl
+ MODULES_MLPACK=$(PROJECT_NAME).mlpack
+ MODULES_MLPACK_PP=$(PROJECT_NAME)_pp.mlpack
+@@ -80,11 +81,11 @@ veryclean: clean
+	rm -f $(PATH_OCAMLDOC)/*.html $(PATH_OCAMLDOC)/*.css
+
+ install: FORCE
+-	cp $(PATH_BUILD)/src/report/report.byte $(PATH_OCAML_PREFIX)/bin/bisect-report; \
++	cp $(PATH_BUILD)/src/report/report.byte $(PREFIX)/bin/bisect-report; \
+	if [ "$(PPX)" = "TRUE" ]; then \
+-	  cp $(PATH_BUILD)/src/syntax/bisect_ppx.byte $(PATH_OCAML_PREFIX)/bin; \
++	  cp $(PATH_BUILD)/src/syntax/bisect_ppx.byte $(PREFIX)/bin; \
+	fi; \
+-	(test -x $(PATH_OCAML_PREFIX)/bin/ocamlopt && cp $(PATH_BUILD)/src/report/report.native $(PATH_OCAML_PREFIX)/bin/bisect-report.opt || true); \
++	(test -x $(PATH_OCAML_PREFIX)/bin/ocamlopt && cp $(PATH_BUILD)/src/report/report.native $(PREFIX)/bin/bisect-report.opt || true); \
+	if [ -x "$(PATH_OCAMLFIND)" ]; then \
+	  $(PATH_OCAMLFIND) query $(PROJECT_NAME) && $(PATH_OCAMLFIND) remove $(PROJECT_NAME) || true; \
+	  $(PATH_OCAMLFIND) install $(PROJECT_NAME) META -optional \
+diff --git a/configure b/configure
+index bb7ebf4..61a3095 100755
+--- a/configure
++++ b/configure
+@@ -21,7 +21,9 @@
+ # default values
+ ocamlbuild=`which ocamlbuild || echo '/usr/local/bin/ocamlbuild'`
+ bin_path=`dirname $ocamlbuild`
++prefix=''
+ ocaml_prefix=`dirname $bin_path`
++camlp4_prefix=`dirname $(dirname $(which camlp4of))`
+ ocamlfind=`which ocamlfind 2> /dev/null || echo ''`
+ native_dynlink='TRUE'
+ devel='FALSE'
+@@ -32,8 +34,12 @@ ppx='FALSE'
+ while [ $# -gt 0 ]
+ do
+     case "$1" in
++        -prefix)
++            prefix="$2"; shift;;
+         -ocaml-prefix)
+             ocaml_prefix="$2"; shift;;
++        -camlp4-prefix)
++            camlp4_prefix="$2"; shift;;
+         -ocamlfind)
+             ocamlfind="$2"; shift;;
+         -no-native-dynlink)
+@@ -45,7 +51,7 @@ do
+         -ppx)
+             ppx='TRUE';;
+         *)
+-            echo "usage: $0 [-ocaml-prefix <path>] [-ocamlfind <path>] [-no-native-dynlink] [-devel]";
++            echo "usage: $0 [-prefix <path>] [-ocaml-prefix <path>] [-ocamlfind <path>] [-no-native-dynlink] [-devel]";
+             exit 1;;
+         esac
+         shift
+@@ -57,6 +63,9 @@ if [ "$no_camlp4" = "TRUE" -a "$ppx" = "FALSE" ]; then
+   exit 1
+ fi
+
++# prefix default value
++test -z $prefix && prefix=$ocaml_prefix
++
+ # make options
+ make_quiet=`make -f - <<EOF
+ default: gnumake
+@@ -67,11 +76,13 @@ EOF`
+ # file creation
+ echo "# timestamp: `date`" > Makefile.config
+ echo "PATH_OCAML_PREFIX=$ocaml_prefix" >> Makefile.config
++echo "PATH_CAMLP4_PREFIX=$camlp4_prefix" >> Makefile.config
+ echo "PATH_OCAMLFIND=$ocamlfind" >> Makefile.config
+ echo "NATIVE_DYNLINK=$native_dynlink" >> Makefile.config
+ echo "WARNINGS=$devel" >> Makefile.config
+ echo "NO_CAMLP4=$no_camlp4" >> Makefile.config
+ echo "PPX=$ppx" >> Makefile.config
+ echo "MAKE_QUIET=$make_quiet" >> Makefile.config
++echo "PREFIX=$prefix" >> Makefile.config
+ echo "" >> Makefile.config
+ echo 'Makefile.config successfully created'
+diff --git a/myocamlbuild.ml b/myocamlbuild.ml
+index 8aa25fd..09a7d48 100644
+--- a/myocamlbuild.ml
++++ b/myocamlbuild.ml
+@@ -70,7 +70,7 @@ let () =
+     | After_rules ->
+         let camlp4of =
+           try
+-            let path_bin = Filename.concat (Sys.getenv "PATH_OCAML_PREFIX") "bin" in
++            let path_bin = Filename.concat (Sys.getenv "PATH_CAMLP4_PREFIX") "bin" in
+             Filename.concat path_bin "camlp4of"
+           with _ -> "camlp4of" in
+         flag ["ocaml"; "compile"; "pp_camlp4of"] (S[A"-pp"; A camlp4of]);
+--
+2.7.4
+
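Review bot: `test -z $prefix && prefix=$ocaml_prefix` in configure expands both variables unquoted, so a `-prefix` value containing whitespace or glob characters is word-split and `test` reports an error instead of evaluating the value; the empty case only works because `test -z` with no operand happens to be true. Quoting both sides fixes it: `test -z "$prefix" && prefix="$ocaml_prefix"`. The same unquoted pattern is in the Makefile's `$(shell test -z $(CAMLP4_LIBDIR) || echo ...)` and in the `BISECTLIB = $(shell if test -z $${BISECTLIB}; ...)` line added by ocaml-bitstring-fix-configure.patch, where the value is taken from the environment and handed to a shell. Separately, the usage message gains `-prefix` but not the new `-camlp4-prefix` option, and `camlp4_prefix` has no fallback when `which camlp4of` finds nothing, unlike the `ocamlbuild` and `ocamlfind` defaults next to it.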
diff --git a/gnu/packages/patches/ocaml-bitstring-fix-configure.patch b/gnu/packages/patches/ocaml-bitstring-fix-configure.patch
new file mode 100644
index 0000000000..c358bf3d6b
--- /dev/null
+++ b/gnu/packages/patches/ocaml-bitstring-fix-configure.patch
@@ -0,0 +1,53 @@
+From 0aaddfceeea3e89df196ab1846da54d09713a512 Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Thu, 15 Dec 2016 21:17:31 +0100
+Subject: [PATCH] fix configure
+
+---
+ Makefile.in | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index d040f4c..85e0b38 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -32,6 +32,7 @@ BISECT_REPORT	= @BISECT_REPORT@
+ BYTESWAP_H	= @BYTESWAP_H@
+
+ OCAMLLIB	= @OCAMLLIB@
++BISECTLIB	= $(shell if test -z $${BISECTLIB}; then echo $(OCAMLLIB); else echo $${BISECTLIB}; fi)
+ top_srcdir	= @top_srcdir@
+
+ pkg_cil		= @OCAML_PKG_cil@
+@@ -47,9 +48,9 @@ OCAMLOPTPACKAGES = $(OCAMLCPACKAGES)
+ OCAMLOPTLIBS	= -linkpkg
+
+ ifneq ($(enable_coverage),no)
+-OCAMLCFLAGS     += -I +bisect -pp 'camlp4o $(OCAMLLIB)/bisect/instrument.cma'
++OCAMLCFLAGS     += -I +bisect -pp 'camlp4o $(BISECTLIB)/bisect/instrument.cma'
+ OCAMLCLIBS	+= -I +bisect bisect.cma
+-OCAMLOPTFLAGS   += -I +bisect -pp 'camlp4o $(OCAMLLIB)/bisect/instrument.cma'
++OCAMLOPTFLAGS   += -I +bisect -pp 'camlp4o $(BISECTLIB)/bisect/instrument.cma'
+ OCAMLOPTLIBS	+= -I +bisect bisect.cmxa
+ endif
+
+@@ -110,7 +111,7 @@ bitstring_persistent.cmi: bitstring_persistent.mli
+	  -I +camlp4 -pp camlp4of -c $<
+
+ pa_bitstring.cmo: pa_bitstring.ml bitstring.cma bitstring_persistent.cma
+-	$(OCAMLFIND) ocamlc bitstring.cma -I +camlp4 dynlink.cma camlp4lib.cma \
++	$(OCAMLFIND) ocamlc $(OCAMLCFLAGS) bitstring.cma -I +camlp4 dynlink.cma camlp4lib.cma \
+	  -pp camlp4of -c $< -o $@
+
+ bitstring-objinfo: bitstring_objinfo.cmo bitstring.cma bitstring_persistent.cma
+@@ -133,7 +134,7 @@ byteswap.h: byteswap.in.h
+ ifeq ($(enable_coverage),no)
+ PP	= -pp 'camlp4o bitstring.cma bitstring_persistent.cma pa_bitstring.cmo'
+ else
+-PP	= -pp 'camlp4o $(OCAMLLIB)/bisect/bisect.cma bitstring.cma bitstring_persistent.cma pa_bitstring.cmo'
++PP	= -pp 'camlp4o $(BISECTLIB)/bisect/bisect.cma bitstring.cma bitstring_persistent.cma pa_bitstring.cmo'
+ endif
+
+ check: test
+--
+2.11.0
diff --git a/gnu/packages/patches/openssh-memory-exhaustion.patch b/gnu/packages/patches/openssh-memory-exhaustion.patch
deleted file mode 100644
index 91fe294ca4..0000000000
--- a/gnu/packages/patches/openssh-memory-exhaustion.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix a memory exhaustion bug in the key exchange, whereby an unauthenticated user
-could potentially consume 38400 MB of memory on the server:
-
-http://seclists.org/oss-sec/2016/q4/185
-
-Patch adapted from upstream source repository:
-
-https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad
-
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kex.c b/kex.c
-index 3f97f8c..6a94bc5 100644
---- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- 	if (kex == NULL)
- 		return SSH_ERR_INVALID_ARGUMENT;
- 
-+	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- 	ptr = sshpkt_ptr(ssh, &dlen);
- 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- 		return r;
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/python-dendropy-exclude-failing-tests.patch b/gnu/packages/patches/python-dendropy-exclude-failing-tests.patch
deleted file mode 100644
index 288a58b06f..0000000000
--- a/gnu/packages/patches/python-dendropy-exclude-failing-tests.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/dendropy/test/test_phylogenetic_distance_matrix.py b/dendropy/test/test_phylogenetic_distance_matrix.py
-index 10c05f5..a18ba52 100644
---- a/dendropy/test/test_phylogenetic_distance_matrix.py
-+++ b/dendropy/test/test_phylogenetic_distance_matrix.py
-@@ -793,7 +793,7 @@ class PdmUpgmaTree(PdmTreeChecker, unittest.TestCase):
-                     expected_tree=expected_tree)
- 
- class NodeToNodeDistancesTest(unittest.TestCase):
--
-+    @unittest.expectedFailure
-     def test_distances(self):
-         ## get distances from ape
-         # library(ape)
-@@ -825,6 +825,7 @@ class NodeToNodeDistancesTest(unittest.TestCase):
-                     e = reference_table[nd1.label, nd2.label]
-                     self.assertAlmostEqual(d, e)
- 
-+    @unittest.expectedFailure
-     def test_mrca(self):
-         test_runs = [
-                 "hiv1.newick",
diff --git a/gnu/packages/patches/python-pycrypto-CVE-2013-7459.patch b/gnu/packages/patches/python-pycrypto-CVE-2013-7459.patch
new file mode 100644
index 0000000000..3570b94e9b
--- /dev/null
+++ b/gnu/packages/patches/python-pycrypto-CVE-2013-7459.patch
@@ -0,0 +1,97 @@
+Fix CVE-2013-7459:
+
+https://github.com/dlitz/pycrypto/issues/176
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7459
+
+Copied from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
+
+Debian adapts this upstream commit:
+
+https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
+
+From 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Mon Sep 17 00:00:00 2001
+From: Legrandin <helderijs@gmail.com>
+Date: Sun, 22 Dec 2013 22:24:46 +0100
+Subject: [PATCH] Throw exception when IV is used with ECB or CTR
+
+The IV parameter is currently ignored when initializing
+a cipher in ECB or CTR mode.
+
+For CTR mode, it is confusing: it takes some time to see
+that a different parameter is needed (the counter).
+
+For ECB mode, it is outright dangerous.
+
+This patch forces an exception to be raised.
+---
+ lib/Crypto/SelfTest/Cipher/common.py | 31 +++++++++++++++++++++++--------
+ src/block_template.c                 | 11 +++++++++++
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+--- a/lib/Crypto/SelfTest/Cipher/common.py
++++ b/lib/Crypto/SelfTest/Cipher/common.py
+@@ -239,19 +239,34 @@ class RoundtripTest(unittest.TestCase):
+         return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,)
+ 
+     def runTest(self):
+-        for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):
++
++        ## ECB mode
++        mode = self.module.MODE_ECB
++        encryption_cipher = self.module.new(a2b_hex(self.key), mode)
++        ciphertext = encryption_cipher.encrypt(self.plaintext)
++        decryption_cipher = self.module.new(a2b_hex(self.key), mode)
++        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
++        self.assertEqual(self.plaintext, decrypted_plaintext)
++
++        ## OPENPGP mode
++        mode = self.module.MODE_OPENPGP
++        encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
++        eiv_ciphertext = encryption_cipher.encrypt(self.plaintext)
++        eiv = eiv_ciphertext[:self.module.block_size+2]
++        ciphertext = eiv_ciphertext[self.module.block_size+2:]
++        decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
++        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
++        self.assertEqual(self.plaintext, decrypted_plaintext)
++
++        ## All other non-AEAD modes (but CTR)
++        for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB):
+             encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+             ciphertext = encryption_cipher.encrypt(self.plaintext)
+-            
+-            if mode != self.module.MODE_OPENPGP:
+-                decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+-            else:
+-                eiv = ciphertext[:self.module.block_size+2]
+-                ciphertext = ciphertext[self.module.block_size+2:]
+-                decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
++            decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+             decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
+             self.assertEqual(self.plaintext, decrypted_plaintext)
+ 
++
+ class PGPTest(unittest.TestCase):
+     def __init__(self, module, params):
+         unittest.TestCase.__init__(self)
+--- a/src/block_template.c
++++ b/src/block_template.c
+@@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, P
+ 				"Key cannot be the null string");
+ 		return NULL;
+ 	}
++	if (IVlen != 0 && mode == MODE_ECB)
++	{
++		PyErr_Format(PyExc_ValueError, "ECB mode does not use IV");
++		return NULL;
++	}
++	if (IVlen != 0 && mode == MODE_CTR)
++	{
++		PyErr_Format(PyExc_ValueError,
++			"CTR mode needs counter parameter, not IV");
++		return NULL;
++	}
+ 	if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR)
+ 	{
+ 		PyErr_Format(PyExc_ValueError,
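Review bot: The new ValueError branches in ALGnew (`IVlen != 0 && mode == MODE_ECB`, and the same for `MODE_CTR`) have no test that exercises them. The runTest rewrite in lib/Crypto/SelfTest/Cipher/common.py only stops passing `self.iv` in ECB mode, so the suite would still pass if the C checks were lost in a later rebase of this patch. A negative case in runTest would pin the fix, assuming `self.iv` is non-empty: `self.assertRaises(ValueError, self.module.new, a2b_hex(self.key), self.module.MODE_ECB, self.iv)`, plus a matching one for `MODE_CTR` if that path reaches the new check before any counter validation. ALGnew starts and ends outside the hunk, so how the IV is used after these checks cannot be confirmed from here.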
diff --git a/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch
new file mode 100644
index 0000000000..1f7a4cadb7
--- /dev/null
+++ b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch
@@ -0,0 +1,69 @@
+Fix test failure of test_XXX caused by upgrade of gpgme from 1.6.0 to
+1.8.0:
+
+======================================================================
+FAIL: test_encrypt_to_signonly (tests.test_encrypt_decrypt.EncryptDecryptTestCase)
+----------------------------------------------------------------------
+Traceback (most recent call last):
+  File "/tmp/guix-build-python2-pygpgme-0.3.drv-0/pygpgme-0.3/tests/test_encrypt_decrypt.py", line 185, in test_encrypt_to_signonly
+    self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN)
+AssertionError: 7 != 0
+
+----------------------------------------------------------------------
+
+Patch copied from the Debian package pygpgme-0.3-1.2:
+
+https://sources.debian.net/src/pygpgme/0.3-1.2/debian/patches/0005-Fix-test-failures-with-pinentry.patch/
+
+From: "Dr. Tobias Quathamer" <toddy@debian.org>
+Date: Thu, 24 Nov 2016 12:20:54 +0100
+Subject: Fix test failures with pinentry
+
+---
+ tests/test_encrypt_decrypt.py | 5 +++--
+ tests/test_passphrase.py      | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_encrypt_decrypt.py b/tests/test_encrypt_decrypt.py
+index 21ae83e..05707e1 100644
+--- a/tests/test_encrypt_decrypt.py
++++ b/tests/test_encrypt_decrypt.py
+@@ -132,6 +132,7 @@ class EncryptDecryptTestCase(GpgHomeTestCase):
+             os.write(fd, b'Symmetric passphrase\n')
+         ctx = gpgme.Context()
+         ctx.armor = True
++        ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+         ctx.passphrase_cb = passphrase
+         ctx.encrypt(None, 0, plaintext, ciphertext)
+         self.assertTrue(
+@@ -182,8 +183,8 @@ class EncryptDecryptTestCase(GpgHomeTestCase):
+             ctx.encrypt([recipient], gpgme.ENCRYPT_ALWAYS_TRUST,
+                         plaintext, ciphertext)
+         except gpgme.GpgmeError as exc:
+-            self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN)
+-            self.assertEqual(exc.args[1], gpgme.ERR_GENERAL)
++            self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_GPGME)
++            self.assertEqual(exc.args[1], gpgme.ERR_UNUSABLE_PUBKEY)
+         else:
+             self.fail('gpgme.GpgmeError not raised')
+ 
+diff --git a/tests/test_passphrase.py b/tests/test_passphrase.py
+index 35b3c59..05e6811 100644
+--- a/tests/test_passphrase.py
++++ b/tests/test_passphrase.py
+@@ -34,6 +34,7 @@ class PassphraseTestCase(GpgHomeTestCase):
+         ctx = gpgme.Context()
+         key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3')
+         ctx.signers = [key]
++        ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+         plaintext = BytesIO(b'Hello World\n')
+         signature = BytesIO()
+ 
+@@ -55,6 +56,7 @@ class PassphraseTestCase(GpgHomeTestCase):
+         ctx = gpgme.Context()
+         key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3')
+         ctx.signers = [key]
++        ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+         ctx.passphrase_cb = self.passphrase_cb
+         plaintext = BytesIO(b'Hello World\n')
+         signature = BytesIO()
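Review bot: The patch header says the failure is in `test_XXX`, which looks like a placeholder left unfilled; the traceback quoted right below it names `test_encrypt_to_signonly`. The header also explains only the changed error-code assertions, not the three `ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK` lines added to the passphrase-callback tests. A first line such as `Fix test failures (test_encrypt_to_signonly and the passphrase callback tests) caused by the upgrade of gpgme from 1.6.0 to 1.8.0:` would let a later maintainer judge when the patch can be dropped.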
diff --git a/gnu/packages/patches/qemu-CVE-2016-8576.patch b/gnu/packages/patches/qemu-CVE-2016-8576.patch
deleted file mode 100644
index 5031b59d81..0000000000
--- a/gnu/packages/patches/qemu-CVE-2016-8576.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Fri, 7 Oct 2016 10:15:29 +0200
-Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-xhci.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 726435c..ee4fa48 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -54,6 +54,8 @@
-  * to the specs when it gets them */
- #define ER_FULL_HACK
- 
-+#define TRB_LINK_LIMIT  4
-+
- #define LEN_CAP         0x40
- #define LEN_OPER        (0x400 + 0x10 * MAXPORTS)
- #define LEN_RUNTIME     ((MAXINTRS + 1) * 0x20)
-@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
-                                dma_addr_t *addr)
- {
-     PCIDevice *pci_dev = PCI_DEVICE(xhci);
-+    uint32_t link_cnt = 0;
- 
-     while (1) {
-         TRBType type;
-@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
-             ring->dequeue += TRB_SIZE;
-             return type;
-         } else {
-+            if (++link_cnt > TRB_LINK_LIMIT) {
-+                return 0;
-+            }
-             ring->dequeue = xhci_mask64(trb->parameter);
-             if (trb->control & TRB_LK_TC) {
-                 ring->ccs = !ring->ccs;
-@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
-     bool ccs = ring->ccs;
-     /* hack to bundle together the two/three TDs that make a setup transfer */
-     bool control_td_set = 0;
-+    uint32_t link_cnt = 0;
- 
-     while (1) {
-         TRBType type;
-@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
-         type = TRB_TYPE(trb);
- 
-         if (type == TR_LINK) {
-+            if (++link_cnt > TRB_LINK_LIMIT) {
-+                return -length;
-+            }
-             dequeue = xhci_mask64(trb.parameter);
-             if (trb.control & TRB_LK_TC) {
-                 ccs = !ccs;
--- 
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2016-8577.patch b/gnu/packages/patches/qemu-CVE-2016-8577.patch
deleted file mode 100644
index c4132d2fb1..0000000000
--- a/gnu/packages/patches/qemu-CVE-2016-8577.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read
-From: Li Qiang <liq3ea@gmail.com>
-
-In 9pfs read dispatch function, it doesn't free two QEMUIOVector
-object thus causing potential memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
----
- hw/9pfs/9p.c | 5 +++--
-  1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 119ee58..543a791 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
-             if (len < 0) {
-                 /* IO error return the error */
-                 err = len;
--                goto out;
-+                goto out_free_iovec;
-             }
-         } while (count < max_count && len > 0);
-         err = pdu_marshal(pdu, offset, "d", count);
-         if (err < 0) {
--            goto out;
-+            goto out_free_iovec;
-         }
-         err += offset + count;
-+out_free_iovec:
-         qemu_iovec_destroy(&qiov);
-         qemu_iovec_destroy(&qiov_full);
-     } else if (fidp->fid_type == P9_FID_XATTR) {
--- 
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2016-8578.patch b/gnu/packages/patches/qemu-CVE-2016-8578.patch
deleted file mode 100644
index 92ba365727..0000000000
--- a/gnu/packages/patches/qemu-CVE-2016-8578.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-
-In 9pfs function v9fs_iov_vunmarshal, it will not allocate space
-for empty string. This will cause several NULL pointer dereference
-issues. this patch fix this issue.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
----
- fsdev/9p-iov-marshal.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
-index 663cad5..1d16f8d 100644
---- a/fsdev/9p-iov-marshal.c
-+++ b/fsdev/9p-iov-marshal.c
-@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
-                 str->data = g_malloc(str->size + 1);
-                 copied = v9fs_unpack(str->data, out_sg, out_num, offset,
-                                      str->size);
--                if (copied > 0) {
-+                if (copied >= 0) {
-                     str->data[str->size] = 0;
-                 } else {
-                     v9fs_string_free(str);
--- 
-1.8.3.1
-
diff --git a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
deleted file mode 100644
index f592f5cd51..0000000000
--- a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-The tests currently fail due to use of 'skip' rather than 'pending' to skip a
-test usually not skipped by upstream.  This patch has been proposed upstream
-at https://github.com/lsegal/yard/pull/1033
-
-diff --git a/spec/templates/helpers/html_helper_spec.rb b/spec/templates/helpers/html_helper_spec.rb
-index 84624c3..9c4fc2b 100644
---- a/spec/templates/helpers/html_helper_spec.rb
-+++ b/spec/templates/helpers/html_helper_spec.rb
-@@ -184,7 +184,7 @@ describe YARD::Templates::Helpers::HtmlHelper do
-     it "creates tables (markdown specific)" do
-       log.enter_level(Logger::FATAL) do
-         unless markup_class(:markdown).to_s == "RedcarpetCompat"
--          skip "This test depends on a markdown engine that supports tables"
-+          pending "This test depends on a markdown engine that supports tables"
-         end
-       end
- 
diff --git a/gnu/packages/patches/slock-CVE-2016-6866.patch b/gnu/packages/patches/slock-CVE-2016-6866.patch
deleted file mode 100644
index 2f94b8c1a9..0000000000
--- a/gnu/packages/patches/slock-CVE-2016-6866.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Fix CVE-2016-6866.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6866
-https://security-tracker.debian.org/tracker/CVE-2016-6866
-
-Copied from upstream source repository:
-http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8a246d78cb488a0068954b46fcb29
-
-From d8bec0f6fdc8a246d78cb488a0068954b46fcb29 Mon Sep 17 00:00:00 2001
-From: Markus Teich <markus.teich@stusta.mhn.de>
-Date: Tue, 30 Aug 2016 22:59:06 +0000
-Subject: fix CVE-2016-6866
-
----
-diff --git a/slock.c b/slock.c
-index 847b328..8ed59ca 100644
---- a/slock.c
-+++ b/slock.c
-@@ -123,7 +123,7 @@ readpw(Display *dpy)
- readpw(Display *dpy, const char *pws)
- #endif
- {
--	char buf[32], passwd[256];
-+	char buf[32], passwd[256], *encrypted;
- 	int num, screen;
- 	unsigned int len, color;
- 	KeySym ksym;
-@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
- #ifdef HAVE_BSD_AUTH
- 				running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
- #else
--				running = !!strcmp(crypt(passwd, pws), pws);
-+				errno = 0;
-+				if (!(encrypted = crypt(passwd, pws)))
-+					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
-+				else
-+					running = !!strcmp(encrypted, pws);
- #endif
- 				if (running) {
- 					XBell(dpy, 100);
-@@ -312,6 +316,8 @@ main(int argc, char **argv) {
- 
- #ifndef HAVE_BSD_AUTH
- 	pws = getpw();
-+	if (strlen(pws) < 2)
-+		die("slock: failed to get user password hash.\n");
- #endif
- 
- 	if (!(dpy = XOpenDisplay(NULL)))
---
-cgit v0.9.0.3-65-g4555
diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
new file mode 100644
index 0000000000..badd1b8ed6
--- /dev/null
+++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
@@ -0,0 +1,189 @@
+Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
+http://seclists.org/oss-sec/2016/q4/787
+
+Patch adapted from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
+
+The Debian patch adapts this upstream commit so that it can be applied
+to the 0.21.9 release tarball:
+
+http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
+
+From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001
+From: Willi Mann <willi@debian.org>
+Date: Sat, 31 Dec 2016 20:31:38 +0100
+Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer
+ overflow in various cmd_ functions)
+
+diff --git a/src/attr.c b/src/attr.c
+index 02b5c81..e2951ea 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -746,7 +746,7 @@ char *
+ assemble_string(char *string, int nr)
+ {
+ 
+-	char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
++	char *s, tmp[20];
+ 	int i = 0, j = 0;
+ 
+ 	if (string == NULL)
+@@ -762,7 +762,7 @@ assemble_string(char *string, int nr)
+ 		}
+ 
+ 		if (string[i] != '\0') {
+-			sprintf(tmp, "%d", nr);
++			snprintf(tmp, 20, "%d", nr);
+ 			strcpy(&s[j], tmp);
+ 			j = j + strlen(tmp);
+ 		}
+diff --git a/src/convert.c b/src/convert.c
+index c76d7d6..8eacdcb 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm)
+ }
+ 
+ // Translate code page to encoding name hopefully suitable as iconv input
+-static char *cptoencoding(parm)
++static char *cptoencoding(int parm)
+ {
+     // Note that CP0 is supposed to mean current system default, which does
+     // not make any sense as a stored value, we don't handle it.
+@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num)
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num)
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
+ 	/* Note, fs20 means 10pt */
+ 	points /= 2;
+ 
+-	sprintf(str,"%d",points);
++	snprintf(str, 20, "%d", points);
+ 	attr_push(ATTR_FONTSIZE,str);
+ 
+ 	return FALSE;
+@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num)
+         {
+             // TOBEDONE: WHAT'S THIS ???
+             name = my_malloc(12);
+-            sprintf(name, "%d", num);
++			snprintf(name, 12, "%d", num);
+         }
+ 
+         /* we are going to output entities, so should not output font */
+@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_expand (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param) {
+-		sprintf(str, "%d", param/4);
++		snprintf(str, 20, "%d", param / 4);
+ 		if (!param) 
+ 			attr_pop(ATTR_EXPAND);
+ 		else 
+@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_emboss (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param && !param)
+ #ifdef SUPPORT_UNNESTED
+ 		attr_find_pop(ATTR_EMBOSS);
+@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ #endif
+ 	else
+ 	{
+-		sprintf(str, "%d", param);
++		snprintf(str, 20, "%d", param);
+ 		attr_push(ATTR_EMBOSS, str);
+ 	}
+ 	return FALSE;
+@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_engrave (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param && !param) 
+ 		attr_pop(ATTR_ENGRAVE);
+ 	else
+ 	{
+-		sprintf(str, "%d", param);
++		snprintf(str, 20, "%d", param);
+ 		attr_push(ATTR_ENGRAVE, str);
+ 	}
+ 	return FALSE;
+@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+ 
+ 	short	done=0;
+ 	long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
+-	char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
++	char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
+ 	const char *alias;
+ #define DEBUG 0
+ #if DEBUG
+@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+                             /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
+ 				unicode_number += 65536;
+ 			}
+-			sprintf(tmp, "%ld", unicode_number);
++			snprintf(tmp, 20, "%ld", unicode_number);
+ 
+ 			if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
+ 			done++;
+diff --git a/src/output.c b/src/output.c
+index 86d8b5c..4cdbfa6 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
+ 	if (!found_std_expr) {
+ 		if (op->fontsize_begin) {
+ 			char expr[16];
+-			sprintf (expr, "%d", size);
++			snprintf(expr, 16, "%d", size);
+ 			if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
+ 		} else {
+ 			/* If we cannot write out a change for the exact
+@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
+ 	if (!found_std_expr) {
+ 		if (op->fontsize_end) {
+ 			char expr[16];
+-			sprintf (expr, "%d", size);
++			snprintf(expr, 16, "%d", size);
+ 			if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
+ 		} else {
+ 			/* If we cannot write out a change for the exact
+- 
+.11.0
+
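Review bot: The snprintf bounds are written as literals (`snprintf(tmp, 20, ...)`, `snprintf(str, 40, ...)`, `snprintf(expr, 16, ...)`) instead of being derived from the destination, so each call is only as safe as the declaration it must be kept in sync with by hand. In cmd_cf, cmd_cb, cmd_highlight and cmd_fs the declaration of `str` lies outside the hunk, so the 40 and 20 passed there cannot be checked against the real array size from the visible lines. Where the destination is a local array, `snprintf(str, sizeof str, "%d", param);` removes that dependency; cmd_f writes into `my_malloc(12)` storage and would need a shared named constant for the allocation and the bound. The return value is ignored everywhere, so a truncated colour or number string would be pushed onward silently; comparing it with the buffer size is a cheap check on these paths.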