summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2017-01-23 22:33:10 +0100
committerLudovic Courtès <ludo@gnu.org>2017-01-23 22:33:10 +0100
commit58ea4d407c2e4adbe51b2d7b71dc8bef095677c7 (patch)
tree0fd70c0cb82d7980a7ff82500dec7bfd0d535d3f /gnu/packages/patches
parentfcd75bdbfa99d14363b905afbf914eec20e69df8 (diff)
parent84b60a7cdfca1421a478894e279104a0c18a7c6d (diff)
downloadguix-58ea4d407c2e4adbe51b2d7b71dc8bef095677c7.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/cracklib-fix-buffer-overflow.patch39
-rw-r--r--gnu/packages/patches/duplicity-piped-password.patch20
-rw-r--r--gnu/packages/patches/duplicity-test_selection-tmp.patch18
-rw-r--r--gnu/packages/patches/lcms-fix-out-of-bounds-read.patch34
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10092.patch42
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10093.patch53
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10094.patch34
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-5225.patch86
-rw-r--r--gnu/packages/patches/libtiff-assertion-failure.patch60
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch63
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch104
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch57
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero.patch67
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch131
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch132
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch67
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch60
-rw-r--r--gnu/packages/patches/libtiff-invalid-read.patch64
-rw-r--r--gnu/packages/patches/libtiff-null-dereference.patch42
-rw-r--r--gnu/packages/patches/libtiff-tiffcp-underflow.patch41
-rw-r--r--gnu/packages/patches/libxt-guix-search-paths.patch126
-rw-r--r--gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch188
-rw-r--r--gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch36
-rw-r--r--gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch69
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-10155.patch49
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5525.patch55
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5526.patch58
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5552.patch44
-rw-r--r--gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch17
-rw-r--r--gnu/packages/patches/tipp10-fix-compiling.patch213
-rw-r--r--gnu/packages/patches/tipp10-remove-license-code.patch332
-rw-r--r--gnu/packages/patches/totem-debug-format-fix.patch11
-rw-r--r--gnu/packages/patches/upower-builddir.patch2
-rw-r--r--gnu/packages/patches/xf86-video-glint-remove-mibstore.patch24
-rw-r--r--gnu/packages/patches/xf86-video-nv-remove-mibstore.patch72
35 files changed, 2347 insertions, 163 deletions
diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..b1c990f282
--- /dev/null
+++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
@@ -0,0 +1,39 @@
+Fix buffer overflow processing long words in Mangle().
+
+Patch adpated from upstream commit, omitting changes to 'NEWS':
+
+https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb
+
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS        | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/lib/rules.c
++++ b/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control)		/* returns a pointer to a controlled Mangle */
+ {
+     int limit;
+     register char *ptr;
+-    static char area[STRINGSIZE];
+-    char area2[STRINGSIZE];
+-    area[0] = '\0';
++    static char area[STRINGSIZE * 2] = {0};
++    char area2[STRINGSIZE * 2] = {0};
+     strcpy(area, input);
+ 
+     for (ptr = control; *ptr; ptr++)
diff --git a/gnu/packages/patches/duplicity-piped-password.patch b/gnu/packages/patches/duplicity-piped-password.patch
deleted file mode 100644
index db50f5df32..0000000000
--- a/gnu/packages/patches/duplicity-piped-password.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-This test, on three occasions, is failing with the error:
-
-  EOF: End Of File (EOF) in read_nonblocking(). Braindead platform.
-
---- duplicity-0.6.24/testing/functional/test_final.py	2014-09-28 13:14:52.146001614 -0500
-+++ duplicity-0.6.24/testing/functional/test_final.py	2014-09-28 13:13:20.333546342 -0500
-@@ -156,13 +156,6 @@
-         self.run_duplicity(options=["remove-older-than", "50000", "--force", self.backend_url])
-         self.assertEqual(self.get_backend_files(), second_chain)
- 
--    def test_piped_password(self):
--        """Make sure that prompting for a password works"""
--        self.set_environ("PASSPHRASE", None)
--        self.backup("full", "testfiles/empty_dir",
--                    passphrase_input=[self.sign_passphrase, self.sign_passphrase])
--        self.restore(passphrase_input=[self.sign_passphrase])
--
- 
- class OldFilenamesFinalTest(FinalTest):
- 
diff --git a/gnu/packages/patches/duplicity-test_selection-tmp.patch b/gnu/packages/patches/duplicity-test_selection-tmp.patch
deleted file mode 100644
index 8f66be4dcc..0000000000
--- a/gnu/packages/patches/duplicity-test_selection-tmp.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Reported upstream at https://bugs.launchpad.net/duplicity/+bug/1375019
-
---- duplicity-0.6.24/testing/unit/test_selection.py	2014-05-09 08:27:40.000000000 -0500
-+++ duplicity-0.6.24/testing/unit/test_selection.py	2014-09-28 12:28:53.932324380 -0500
-@@ -431,10 +431,10 @@
-                        [(), ('1',), ('1', '1'), ('1', '2'), ('1', '3')])
- 
-         self.root = Path("/")
--        self.ParseTest([("--exclude", "/home/*"),
--                        ("--include", "/home"),
-+        self.ParseTest([("--exclude", "/tmp/*"),
-+                        ("--include", "/tmp"),
-                         ("--exclude", "/")],
--                       [(), ("home",)])
-+                       [(), ("tmp",)])
- 
- if __name__ == "__main__":
-     unittest.main()
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
new file mode 100644
index 0000000000..d9f7ac6a36
--- /dev/null
+++ b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
@@ -0,0 +1,34 @@
+Fix an out-of-bounds heap read in Type_MLU_Read():
+
+http://seclists.org/oss-sec/2016/q3/288
+https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+
+Patch copied from upstream source repository:
+
+https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2
+
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+         // Check for overflow
+         if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
new file mode 100644
index 0000000000..d5fd796169
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
@@ -0,0 +1,42 @@
+Fix CVE-2016-10092:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2620
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092
+https://security-tracker.debian.org/tracker/CVE-2016-10092
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
+	mode so that the output buffer is correctly incremented to avoid write
+	outside bounds.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1178; previous revision: 1.1177
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
+new revision: 1.47; previous revision: 1.46
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.46
+retrieving revision 1.47
+diff -u -r1.46 -r1.47
+--- libtiff/tools/tiffcrop.c	18 Nov 2016 14:58:46 -0000	1.46
++++ libtiff/tools/tiffcrop.c	3 Dec 2016 11:35:56 -0000	1.47
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
+ 
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+  * the image data through additional options listed below
+@@ -3698,7 +3698,7 @@
+                                   (unsigned long) strip, (unsigned long)rows);
+                         return 0;
+                 }
+-                bufp += bytes_read;
++                bufp += stripsize;
+         }
+ 
+         return 1;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch
new file mode 100644
index 0000000000..5897ec1029
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10093.patch
@@ -0,0 +1,53 @@
+Fix CVE-2016-10093:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2610
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093
+https://security-tracker.debian.org/tracker/CVE-2016-10093
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: fix uint32 underflow/overflow that can cause
+	heap-based buffer overflow.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1187; previous revision: 1.1186
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.59; previous revision: 1.58
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.58
+retrieving revision 1.59
+diff -u -r1.58 -r1.59
+--- libtiff/tools/tiffcp.c	3 Dec 2016 15:44:15 -0000	1.58
++++ libtiff/tools/tiffcp.c	3 Dec 2016 16:40:01 -0000	1.59
+@@ -1163,7 +1163,7 @@
+ 
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+-    uint32 rows, uint32 cols, int outskew, int inskew)
++    uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+ 	while (rows-- > 0) {
+ 		uint32 j = cols;
+@@ -1320,7 +1320,7 @@
+ 	tdata_t tilebuf;
+ 	uint32 imagew = TIFFScanlineSize(in);
+ 	uint32 tilew  = TIFFTileRowSize(in);
+-	int iskew = imagew - tilew;
++	int64 iskew = (int64)imagew - (int64)tilew;
+ 	uint8* bufp = (uint8*) buf;
+ 	uint32 tw, tl;
+ 	uint32 row;
+@@ -1348,7 +1348,7 @@
+ 				status = 0;
+ 				goto done;
+ 			}
+-			if (colb + tilew > imagew) {
++			if (colb > iskew) {
+ 				uint32 width = imagew - colb;
+ 				uint32 oskew = tilew - width;
+ 				cpStripToTile(bufp + colb,
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch
new file mode 100644
index 0000000000..9018773565
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10094.patch
@@ -0,0 +1,34 @@
+Fix CVE-2016-10094:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2640
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094
+https://security-tracker.debian.org/tracker/CVE-2016-10094
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiff2pdf.c: avoid potential heap-based overflow in
+        t2p_readwrite_pdf_image_tile().
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1199; previous revision: 1.1198
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v  <--  tools/tiff2pdf.c
+new revision: 1.101; previous revision: 1.100
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.100
+retrieving revision 1.101
+diff -u -r1.100 -r1.101
+--- libtiff/tools/tiff2pdf.c	20 Dec 2016 17:24:35 -0000	1.100
++++ libtiff/tools/tiff2pdf.c	20 Dec 2016 17:28:17 -0000	1.101
+@@ -2895,7 +2895,7 @@
+ 				return(0);
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+-				if (count >= 4) {
++				if (count > 4) {
+                                         int retTIFFReadRawTile;
+                     /* Ignore EOI marker of JpegTables */
+ 					_TIFFmemcpy(buffer, jpt, count - 2);
diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
new file mode 100644
index 0000000000..3158b49360
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
@@ -0,0 +1,86 @@
+Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2656
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
+https://security-tracker.debian.org/tracker/CVE-2017-5225
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+        cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+overflow.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+        http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+
+less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1210; previous revision: 1.1209
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.61; previous revision: 1.60
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.60
+retrieving revision 1.61
+diff -u -r1.60 -r1.61
+--- libtiff/tools/tiffcp.c	3 Dec 2016 16:50:02 -0000	1.60
++++ libtiff/tools/tiffcp.c	11 Jan 2017 19:26:14 -0000	1.61
+#@@ -1,4 +1,4 @@
+#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
+#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
+# 
+# /*
+#  * Copyright (c) 1988-1997 Sam Leffler
+@@ -591,7 +591,7 @@
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+-	uint16 bitspersample, samplesperpixel = 1;
++	uint16 bitspersample = 1, samplesperpixel = 1;
+ 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ 	copyFunc cf;
+ 	uint32 width, length;
+@@ -1067,6 +1067,16 @@
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpContig2SeparateByRow");
++            return 0;
++        }
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpSeparate2ContigByRow");
++            return 0;
++        }
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@
+ 	uint32 w, l, tw, tl;
+ 	int bychunk;
+ 
+-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ 		fprintf(stderr,
+ 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch
new file mode 100644
index 0000000000..ef747fbdd7
--- /dev/null
+++ b/gnu/packages/patches/libtiff-assertion-failure.patch
@@ -0,0 +1,60 @@
+Fix assertion failure in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
+check.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1188; previous revision: 1.1187
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.60; previous revision: 1.59
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.59
+retrieving revision 1.60
+diff -u -r1.59 -r1.60
+--- libtiff/tools/tiffcp.c	3 Dec 2016 16:40:01 -0000	1.59
++++ libtiff/tools/tiffcp.c	3 Dec 2016 16:50:02 -0000	1.60
+@@ -45,7 +45,6 @@
+ #include <string.h>
+ 
+ #include <ctype.h>
+-#include <assert.h>
+ 
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -1393,7 +1392,12 @@
+             status = 0;
+             goto done;
+         }
+-	assert( bps % 8 == 0 );
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            status = 0;
++            goto done;
++        }
+ 	bytes_per_sample = bps/8;
+ 
+ 	for (row = 0; row < imagelength; row += tl) {
+@@ -1584,7 +1588,12 @@
+             _TIFFfree(obuf);
+             return 0;
+         }
+-	assert( bps % 8 == 0 );
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            _TIFFfree(obuf);
++            return 0;
++        }
+ 	bytes_per_sample = bps/8;
+ 
+ 	for (row = 0; row < imagelength; row += tl) {
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
new file mode 100644
index 0000000000..2a96b68521
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
@@ -0,0 +1,63 @@
+Fix divide-by-zero in OJPEGDecodeRaw():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure
+in
+        OJPEGPreDecode(). This will avoid a divide by zero, and potential other
+issues.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1177; previous revision: 1.1176
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_ojpeg.c
+new revision: 1.66; previous revision: 1.65
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.65
+retrieving revision 1.66
+diff -u -r1.65 -r1.66
+--- libtiff/libtiff/tif_ojpeg.c	4 Sep 2016 21:32:56 -0000	1.65
++++ libtiff/libtiff/tif_ojpeg.c	3 Dec 2016 11:15:18 -0000	1.66
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
+ 
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+    specification is now totally obsolete and deprecated for new applications and
+@@ -244,6 +244,7 @@
+ 
+ typedef struct {
+ 	TIFF* tif;
++        int decoder_ok;
+ 	#ifndef LIBJPEG_ENCAP_EXTERNAL
+ 	JMP_BUF exit_jmpbuf;
+ 	#endif
+@@ -722,6 +723,7 @@
+ 		}
+ 		sp->write_curstrile++;
+ 	}
++	sp->decoder_ok = 1;
+ 	return(1);
+ }
+ 
+@@ -784,8 +786,14 @@
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++        static const char module[]="OJPEGDecode";
+ 	OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ 	(void)s;
++        if( !sp->decoder_ok )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++            return 0;
++        }
+ 	if (sp->libjpeg_jpeg_query_style==0)
+ 	{
+ 		if (OJPEGDecodeRaw(tif,buf,cc)==0)
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
new file mode 100644
index 0000000000..d3f1c2b60e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
@@ -0,0 +1,104 @@
+Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2597
+http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+        missing.
+        Reported by Agostino sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1183; previous revision: 1.1182
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.57; previous revision: 1.56
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.56
+retrieving revision 1.57
+diff -u -r1.56 -r1.57
+--- libtiff/tools/tiffcp.c	2 Dec 2016 22:13:32 -0000	1.56
++++ libtiff/tools/tiffcp.c	3 Dec 2016 14:42:40 -0000	1.57
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -1378,7 +1378,7 @@
+ 	uint8* bufp = (uint8*) buf;
+ 	uint32 tw, tl;
+ 	uint32 row;
+-	uint16 bps, bytes_per_sample;
++	uint16 bps = 0, bytes_per_sample;
+ 
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+@@ -1387,6 +1387,12 @@
+ 	(void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
+ 	(void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+ 	(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
++            status = 0;
++            goto done;
++        }
+ 	assert( bps % 8 == 0 );
+ 	bytes_per_sample = bps/8;
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+        missing.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1186; previous revision: 1.1185
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.58; previous revision: 1.57
+ 
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.57
+retrieving revision 1.58
+diff -u -r1.57 -r1.58
+--- libtiff/tools/tiffcp.c	3 Dec 2016 14:42:40 -0000	1.57
++++ libtiff/tools/tiffcp.c	3 Dec 2016 15:44:15 -0000	1.58
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -1569,7 +1569,7 @@
+ 	uint8* bufp = (uint8*) buf;
+ 	uint32 tl, tw;
+ 	uint32 row;
+-	uint16 bps, bytes_per_sample;
++	uint16 bps = 0, bytes_per_sample;
+ 
+ 	obuf = _TIFFmalloc(TIFFTileSize(out));
+ 	if (obuf == NULL)
+@@ -1578,6 +1578,12 @@
+ 	(void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+ 	(void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+ 	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++            _TIFFfree(obuf);
++            return 0;
++        }
+ 	assert( bps % 8 == 0 );
+ 	bytes_per_sample = bps/8;
+ 
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
new file mode 100644
index 0000000000..823293f1cf
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
@@ -0,0 +1,57 @@
+Fix divide-by-zero in readSeparateStripsIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
+missing.
+        Reported by Agostina Sarubo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1180; previous revision: 1.1179
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/tools/tiffcrop.c	3 Dec 2016 12:19:32 -0000	1.48
++++ libtiff/tools/tiffcrop.c	3 Dec 2016 13:00:04 -0000	1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
+ 
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+  * the image data through additional options listed below
+@@ -1164,7 +1164,7 @@
+   tdata_t  obuf;
+ 
+   (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+-  (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++  (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
+   bytes_per_sample = (bps + 7) / 8;
+   if( width == 0 ||
+       (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
+@@ -4760,7 +4760,7 @@
+   int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+   uint32 j;
+   int32  bytes_read = 0;
+-  uint16 bps, planar;
++  uint16 bps = 0, planar;
+   uint32 nstrips;
+   uint32 strips_per_sample;
+   uint32 src_rowsize, dst_rowsize, rows_processed, rps;
+@@ -4780,7 +4780,7 @@
+     }
+ 
+   memset (srcbuffs, '\0', sizeof(srcbuffs));
+-  TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++  TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+   TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
+   TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+   if (rps > length)
diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch
new file mode 100644
index 0000000000..6dbd4666cd
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero.patch
@@ -0,0 +1,67 @@
+Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+        TIFFReadEncodedStrip() that caused an integer division by zero.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1173; previous revision: 1.1172
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <--  libtiff/tif_read.c
+new revision: 1.50; previous revision: 1.49
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v  <--  libtiff/tiffiop.h
+new revision: 1.90; previous revision: 1.89
+
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.49
+retrieving revision 1.50
+diff -u -r1.49 -r1.50
+--- libtiff/libtiff/tif_read.c	10 Jul 2016 18:00:21 -0000	1.49
++++ libtiff/libtiff/tif_read.c	2 Dec 2016 21:56:56 -0000	1.50
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -346,7 +346,7 @@
+ 	rowsperstrip=td->td_rowsperstrip;
+ 	if (rowsperstrip>td->td_imagelength)
+ 		rowsperstrip=td->td_imagelength;
+-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ 	stripinplane=(strip%stripsperplane);
+ 	plane=(uint16)(strip/stripsperplane);
+ 	rows=td->td_imagelength-stripinplane*rowsperstrip;
+Index: libtiff/libtiff/tiffiop.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
+retrieving revision 1.89
+retrieving revision 1.90
+diff -u -r1.89 -r1.90
+--- libtiff/libtiff/tiffiop.h	23 Jan 2016 21:20:34 -0000	1.89
++++ libtiff/libtiff/tiffiop.h	2 Dec 2016 21:56:56 -0000	1.90
+@@ -1,4 +1,4 @@
+-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -250,6 +250,10 @@
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 			   0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
new file mode 100644
index 0000000000..2d5e23586d
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
@@ -0,0 +1,131 @@
+Fix heap-based buffer overflow in _TIFFmemcpy():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+        overflow on generation of PixarLog / LUV compressed files, with
+        ColorMap, TransferFunction attached and nasty plays with bitspersample.
+        The fix for LUV has not been tested, but suffers from the same kind
+        of issue of PixarLog.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1175; previous revision: 1.1174
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v  <--  libtiff/tif_luv.c
+new revision: 1.44; previous revision: 1.43
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v  <-- 
+libtiff/tif_pixarlog.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/libtiff/tif_luv.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
+retrieving revision 1.43
+retrieving revision 1.44
+diff -u -r1.43 -r1.44
+--- libtiff/libtiff/tif_luv.c	4 Sep 2016 21:32:56 -0000	1.43
++++ libtiff/libtiff/tif_luv.c	2 Dec 2016 23:05:51 -0000	1.44
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1997 Greg Ward Larson
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
++        int                     encoder_state;  /* 1 if encoder correctly initialized */
+ 	int                     user_datafmt;   /* user data format */
+ 	int                     encode_meth;    /* encoding method */
+ 	int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@
+ 		    td->td_photometric, "must be either LogLUV or LogL");
+ 		break;
+ 	}
++	sp->encoder_state = 1;
+ 	return (1);
+ notsupported:
+ 	TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++        LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
++	assert(sp != 0);
+ 	/*
+ 	 * For consistency, we always want to write out the same
+ 	 * bitspersample and sampleformat for our TIFF file,
+ 	 * regardless of the data format being used by the application.
+ 	 * Since this routine is called after tags have been set but
+ 	 * before they have been recorded in the file, we reset them here.
++         * Note: this is really a nasty approach. See PixarLogClose
+ 	 */
+-	td->td_samplesperpixel =
+-	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-	td->td_bitspersample = 16;
+-	td->td_sampleformat = SAMPLEFORMAT_INT;
++        if( sp->encoder_state )
++        {
++            /* See PixarLogClose. Might avoid issues with tags whose size depends
++             * on those below, but not completely sure this is enough. */
++            td->td_samplesperpixel =
++                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++            td->td_bitspersample = 16;
++            td->td_sampleformat = SAMPLEFORMAT_INT;
++        }
+ }
+ 
+ static void
+Index: libtiff/libtiff/tif_pixarlog.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/libtiff/tif_pixarlog.c	23 Sep 2016 22:12:18 -0000	1.48
++++ libtiff/libtiff/tif_pixarlog.c	2 Dec 2016 23:05:51 -0000	1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
++/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1996-1997 Sam Leffler
+@@ -1233,8 +1233,10 @@
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++        PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
++	assert(sp != 0);
+ 	/* In a really sneaky (and really incorrect, and untruthful, and
+ 	 * troublesome, and error-prone) maneuver that completely goes against
+ 	 * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@
+ 	 * readers that don't know about PixarLog, or how to set
+ 	 * the PIXARLOGDATFMT pseudo-tag.
+ 	 */
+-	td->td_bitspersample = 8;
+-	td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++        if (sp->state&PLSTATE_INIT) {
++            /* We test the state to avoid an issue such as in
++             * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++             * What appends in that case is that the bitspersample is 1 and
++             * a TransferFunction is set. The size of the TransferFunction
++             * depends on 1<<bitspersample. So if we increase it, an access
++             * out of the buffer will happen at directory flushing.
++             * Another option would be to clear those targs. 
++             */
++            td->td_bitspersample = 8;
++            td->td_sampleformat = SAMPLEFORMAT_UINT;
++        }
+ }
+ 
+ static void
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
new file mode 100644
index 0000000000..68889b121b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
@@ -0,0 +1,132 @@
+Fix heap-based buffer overflow in TIFFFillStrip():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+        instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength,
+rowsperstrip),
+        instead of a logic based on the total size of data. Which is faulty is
+        the total size of data is not sufficient to fill the whole image, and
+thus
+        results in reading outside of the StripByCounts/StripOffsets arrays
+when
+        using TIFFReadScanline().
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+        * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+        for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
+since
+        the above change is a better fix that makes it unnecessary.
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1176; previous revision: 1.1175
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- 
+libtiff/tif_dirread.c
+new revision: 1.205; previous revision: 1.204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v  <--  libtiff/tif_strip.c
+new revision: 1.38; previous revision: 1.37
+
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.204
+retrieving revision 1.205
+diff -u -r1.204 -r1.205
+--- libtiff/libtiff/tif_dirread.c	16 Nov 2016 15:14:15 -0000	1.204
++++ libtiff/libtiff/tif_dirread.c	3 Dec 2016 11:02:15 -0000	1.205
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -5502,8 +5502,7 @@
+ 	uint64 rowblockbytes;
+ 	uint64 stripbytes;
+ 	uint32 strip;
+-	uint64 nstrips64;
+-	uint32 nstrips32;
++	uint32 nstrips;
+ 	uint32 rowsperstrip;
+ 	uint64* newcounts;
+ 	uint64* newoffsets;
+@@ -5534,18 +5533,17 @@
+ 	    return;
+ 
+ 	/*
+-	 * never increase the number of strips in an image
++	 * never increase the number of rows per strip
+ 	 */
+ 	if (rowsperstrip >= td->td_rowsperstrip)
+ 		return;
+-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+-	    return;
+-	nstrips32 = (uint32)nstrips64;
++        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++        if( nstrips == 0 )
++            return;
+ 
+-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripOffsets\" array");
+ 	if (newcounts == NULL || newoffsets == NULL) {
+ 		/*
+@@ -5562,18 +5560,18 @@
+ 	 * Fill the strip information arrays with new bytecounts and offsets
+ 	 * that reflect the broken-up format.
+ 	 */
+-	for (strip = 0; strip < nstrips32; strip++) {
++	for (strip = 0; strip < nstrips; strip++) {
+ 		if (stripbytes > bytecount)
+ 			stripbytes = bytecount;
+ 		newcounts[strip] = stripbytes;
+-		newoffsets[strip] = offset;
++		newoffsets[strip] = stripbytes ? offset : 0;
+ 		offset += stripbytes;
+ 		bytecount -= stripbytes;
+ 	}
+ 	/*
+ 	 * Replace old single strip info with multi-strip info.
+ 	 */
+-	td->td_stripsperimage = td->td_nstrips = nstrips32;
++	td->td_stripsperimage = td->td_nstrips = nstrips;
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+ 	_TIFFfree(td->td_stripbytecount);
+Index: libtiff/libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.37
+retrieving revision 1.38
+diff -u -r1.37 -r1.38
+--- libtiff/libtiff/tif_strip.c	9 Nov 2016 23:00:49 -0000	1.37
++++ libtiff/libtiff/tif_strip.c	3 Dec 2016 11:02:15 -0000	1.38
+@@ -1,4 +1,4 @@
+-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
++/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1991-1997 Sam Leffler
+@@ -63,15 +63,6 @@
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 	uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
new file mode 100644
index 0000000000..f0fef08bf3
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
@@ -0,0 +1,67 @@
+Fix heap buffer overflow in tiffcp when parsing number of inks:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
+called,
+        limit the return number of inks to SamplesPerPixel, so that code that
+parses
+        ink names doesn't go past the end of the buffer.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1184; previous revision: 1.1183
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v  <--  libtiff/tif_dir.c
+new revision: 1.128; previous revision: 1.127
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.127
+retrieving revision 1.128
+diff -u -r1.127 -r1.128
+--- libtiff/libtiff/tif_dir.c	25 Oct 2016 21:35:15 -0000	1.127
++++ libtiff/libtiff/tif_dir.c	3 Dec 2016 15:30:31 -0000	1.128
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -854,6 +854,32 @@
+ 	if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
+ 	    return 0;
+ 	
++        if( tag == TIFFTAG_NUMBEROFINKS )
++        {
++            int i;
++            for (i = 0; i < td->td_customValueCount; i++) {
++                uint16 val;
++                TIFFTagValue *tv = td->td_customValues + i;
++                if (tv->info->field_tag != tag)
++                    continue;
++                val = *(uint16 *)tv->value;
++                /* Truncate to SamplesPerPixel, since the */
++                /* setting code for INKNAMES assume that there are SamplesPerPixel */
++                /* inknames. */
++                /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
++                if( val > td->td_samplesperpixel )
++                {
++                    TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
++                                   "Truncating NumberOfInks from %u to %u",
++                                   val, td->td_samplesperpixel);
++                    val = td->td_samplesperpixel;
++                }
++                *va_arg(ap, uint16*) = val;
++                return 1;
++            }
++            return 0;
++        }
++
+ 	/*
+ 	 * We want to force the custom code to be used for custom
+ 	 * fields even if the tag happens to match a well known 
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
new file mode 100644
index 0000000000..8166c55758
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
@@ -0,0 +1,60 @@
+Fix heap-based buffer overflow in combineSeparateSamples16bits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+        readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
+buffer.
+        Reported by Agostina Sarubo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1179; previous revision: 1.1178
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
+new revision: 1.48; previous revision: 1.47
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- libtiff/tools/tiffcrop.c	3 Dec 2016 11:35:56 -0000	1.47
++++ libtiff/tools/tiffcrop.c	3 Dec 2016 12:19:32 -0000	1.48
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+ 
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+  * the image data through additional options listed below
+@@ -4815,10 +4815,17 @@
+   nstrips = TIFFNumberOfStrips(in);
+   strips_per_sample = nstrips /spp;
+ 
++  /* Add 3 padding bytes for combineSeparateSamples32bits */
++  if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
++  {
++      TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
++      exit(-1);
++  }
++
+   for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+     {
+     srcbuffs[s] = NULL;
+-    buff = _TIFFmalloc(stripsize);
++    buff = _TIFFmalloc(stripsize + 3);
+     if (!buff)
+       {
+       TIFFError ("readSeparateStripsIntoBuffer", 
+@@ -4827,6 +4834,9 @@
+         _TIFFfree (srcbuffs[i]);
+       return 0;
+       }
++    buff[stripsize] = 0;
++    buff[stripsize+1] = 0;
++    buff[stripsize+2] = 0;
+     srcbuffs[s] = buff;
+     }
+ 
diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch
new file mode 100644
index 0000000000..92742d8757
--- /dev/null
+++ b/gnu/packages/patches/libtiff-invalid-read.patch
@@ -0,0 +1,64 @@
+Fix invalid read in t2p_writeproc():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiff2pdf.c: avoid potential invalid memory read in
+        t2p_writeproc.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1198; previous revision: 1.1197
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v  <--  tools/tiff2pdf.c
+new revision: 1.100; previous revision: 1.99
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.99
+retrieving revision 1.100
+diff -u -r1.99 -r1.100
+--- libtiff/tools/tiff2pdf.c	20 Dec 2016 17:13:26 -0000	1.99
++++ libtiff/tools/tiff2pdf.c	20 Dec 2016 17:24:35 -0000	1.100
+@@ -2896,6 +2896,7 @@
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+ 				if (count >= 4) {
++                                        int retTIFFReadRawTile;
+                     /* Ignore EOI marker of JpegTables */
+ 					_TIFFmemcpy(buffer, jpt, count - 2);
+ 					bufferoffset += count - 2;
+@@ -2903,22 +2904,23 @@
+ 					table_end[0] = buffer[bufferoffset-2];
+ 					table_end[1] = buffer[bufferoffset-1];
+ 					xuint32 = bufferoffset;
+-                    bufferoffset -= 2;
+-					bufferoffset += TIFFReadRawTile(
++                                        bufferoffset -= 2;
++                                        retTIFFReadRawTile= TIFFReadRawTile(
+ 						input, 
+ 						tile, 
+ 						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
+ 						-1);
++                                        if( retTIFFReadRawTile < 0 )
++                                        {
++                                            _TIFFfree(buffer);
++                                            t2p->t2p_error = T2P_ERR_ERROR;
++                                            return(0);
++                                        }
++					bufferoffset += retTIFFReadRawTile;
+                     /* Overwrite SOI marker of image scan with previously */
+                     /* saved end of JpegTables */
+ 					buffer[xuint32-2]=table_end[0];
+ 					buffer[xuint32-1]=table_end[1];
+-				} else {
+-					bufferoffset += TIFFReadRawTile(
+-						input, 
+-						tile, 
+-						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
+-						-1);
+ 				}
+ 			}
+ 			t2pWriteFile(output, (tdata_t) buffer, bufferoffset);
diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch
new file mode 100644
index 0000000000..8c6345b804
--- /dev/null
+++ b/gnu/packages/patches/libtiff-null-dereference.patch
@@ -0,0 +1,42 @@
+Fix NULL pointer dereference in TIFFReadRawData():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffinfo.c: fix null pointer dereference in -r mode when
+        * the
+image has
+        no StripByteCount tag.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1182; previous revision: 1.1181
+/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v  <--  tools/tiffinfo.c
+new revision: 1.26; previous revision: 1.25
+
+Index: libtiff/tools/tiffinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v
+retrieving revision 1.25
+retrieving revision 1.26
+diff -u -r1.25 -r1.26
+--- libtiff/tools/tiffinfo.c	12 Nov 2016 20:06:05 -0000	1.25
++++ libtiff/tools/tiffinfo.c	3 Dec 2016 14:18:49 -0000	1.26
+@@ -1,4 +1,4 @@
+-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */
++/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -417,7 +417,7 @@
+ 	uint64* stripbc=NULL;
+ 
+ 	TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
+-	if (nstrips > 0) {
++	if (stripbc != NULL && nstrips > 0) {
+ 		uint32 bufsize = (uint32) stripbc[0];
+ 		tdata_t buf = _TIFFmalloc(bufsize);
+ 		tstrip_t s;
diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
new file mode 100644
index 0000000000..5615cbb3e1
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
@@ -0,0 +1,41 @@
+Fix a integer underflow in tiffcp that led to heap overflows in
+TIFFReverseBits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
+        can cause various issues, such as buffer overflows in the library.
+        Reported by Agostino Sarubbo.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1174; previous revision: 1.1173
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.56; previous revision: 1.55
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.55
+retrieving revision 1.56
+diff -u -r1.55 -r1.56
+--- libtiff/tools/tiffcp.c	8 Oct 2016 15:54:57 -0000	1.55
++++ libtiff/tools/tiffcp.c	2 Dec 2016 22:13:32 -0000	1.56
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -985,7 +985,7 @@
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 row = 0;
+ 		_TIFFmemset(buf, 0, stripsize);
+-		for (s = 0; s < ns; s++) {
++		for (s = 0; s < ns && row < imagelength; s++) {
+ 			tsize_t cc = (row + rowsperstrip > imagelength) ?
+ 			    TIFFVStripSize(in, imagelength - row) : stripsize;
+ 			if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
diff --git a/gnu/packages/patches/libxt-guix-search-paths.patch b/gnu/packages/patches/libxt-guix-search-paths.patch
new file mode 100644
index 0000000000..c618f48da5
--- /dev/null
+++ b/gnu/packages/patches/libxt-guix-search-paths.patch
@@ -0,0 +1,126 @@
+--- libXt-1.1.5/src/Intrinsic.c	2015-05-01 07:36:20.000000000 +0200
++++ Intrinsic.c	2016-12-12 00:42:16.567388450 +0100
+@@ -1303,21 +1303,101 @@
+     } else (void) strcpy(*rest, string);
+ }
+ 
+-/*
+- * default path used if environment variable XFILESEARCHPATH
+- * is not defined.  Also substitued for %D.
+- * The exact value should be documented in the implementation
+- * notes for any Xt implementation.
++
++
++/* 
++   Return the default search path for the function
++   XtResolvePathname to use if XFILESEARCHPATH is 
++   not defined.
++
++   It returns the combination the set of values which are the 6 "stems" below,
++   prepended with "/run/current-system/profile", and $GUIX_PROFILE and 
++   "$HOME/.guix-profile"
++
++   These values provide the default paths where Guix/GuixSD  can expect
++   to find resources for installed packages.
+  */
+-static const char *implementation_default_path(void)
++static const char *guix_default_path(void)
+ {
+-#if defined(WIN32)
+-    static char xfilesearchpath[] = "";
+-
+-    return xfilesearchpath;
+-#else
+-    return XFILESEARCHPATHDEFAULT;
+-#endif
++  static const char *search_path_default_stem[] = {
++    "/lib/X11/%L/%T/%N%C%S",
++    "/lib/X11/%l/%T/%N%C%S",
++    "/lib/X11/%T/%N%C%S",
++    "/lib/X11/%L/%T/%N%S",
++    "/lib/X11/%l/%T/%N%S",
++    "/lib/X11/%T/%N%S"
++  };
++
++#define SIZEOF_STEMS  (strlen (search_path_default_stem[0])	\
++		       + strlen (search_path_default_stem[1])	\
++		       + strlen (search_path_default_stem[2])	\
++		       + strlen (search_path_default_stem[3])	\
++		       + strlen (search_path_default_stem[4])	\
++		       + strlen (search_path_default_stem[5]))
++
++
++  int i;
++  const char *current_profile = "/run/current-system/profile";
++  char *home = getenv ("HOME");
++  char *guix_profile = getenv ("GUIX_PROFILE");
++
++  size_t bytesAllocd = SIZEOF_STEMS + 1; 
++
++  /* This function is evaluated multiple times and the calling
++     code assumes that it is idempotent. So we must not allow
++     (say) a changed environment variable to cause it to return
++     something different. */
++  static char *path = NULL;
++  if (path)
++    return path;
++
++  bytesAllocd += 6 * (1 + strlen (current_profile));
++
++  if (guix_profile != NULL)
++    {
++      bytesAllocd += SIZEOF_STEMS;
++      bytesAllocd += 6 * (1 + strlen (guix_profile));
++    }
++
++  if (home != NULL)
++    {
++      bytesAllocd += SIZEOF_STEMS;
++      bytesAllocd += 6 * (1 + strlen(home) + strlen ("/.guix-profile"));
++    }
++
++  path = XtMalloc(bytesAllocd);
++  if (path == NULL) _XtAllocError(NULL);
++
++  memset (path, 0, bytesAllocd);
++  
++  for (i = 0 ; i < 6 ; ++i)
++    {
++      strcat (path, current_profile);
++      strcat (path, search_path_default_stem[i]);
++      strcat (path, ":");
++    }
++
++  if (guix_profile != NULL)
++    for (i = 0 ; i < 6 ; ++i)
++      {
++	strcat (path, guix_profile);
++	strcat (path, search_path_default_stem[i]);
++	strcat (path, ":");
++      }
++
++  if (home != NULL)
++    for (i = 0 ; i < 6 ; ++i)
++      {
++	strcat (path, home);
++	strcat (path, "/.guix-profile");
++	strcat (path, search_path_default_stem[i]);
++	strcat (path, ":");
++      }
++
++  /* Remove final : */
++  path[strlen(path) - 1] = '\0';
++  
++  return path;
+ }
+ 
+ 
+@@ -1345,7 +1425,7 @@
+ {
+     XtPerDisplay pd;
+     static const char *defaultPath = NULL;
+-    const char *impl_default = implementation_default_path();
++    const char *impl_default = guix_default_path();
+     int idef_len = strlen(impl_default);
+     char *massagedPath;
+     int bytesAllocd, bytesLeft;
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
new file mode 100644
index 0000000000..e752e57ec5
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
@@ -0,0 +1,188 @@
+Fix CVE-2016-10132:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697381
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
+
+From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor@ccxvii.net>
+Date: Fri, 2 Dec 2016 14:56:20 -0500
+Subject: [PATCH] Fix 697381: check allocation when compiling regular
+ expressions.
+
+Also use allocator callback function.
+---
+ thirdparty/mujs/jsgc.c     |  2 +-
+ thirdparty/mujs/jsregexp.c |  2 +-
+ thirdparty/mujs/jsstate.c  |  6 ------
+ thirdparty/mujs/regexp.c   | 45 +++++++++++++++++++++++++++++++++++----------
+ thirdparty/mujs/regexp.h   |  7 +++++++
+ 5 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c
+index 4f7e7dc..f80111e 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+ 		jsG_freeproperty(J, obj->head);
+ 	if (obj->type == JS_CREGEXP) {
+ 		js_free(J, obj->u.r.source);
+-		js_regfree(obj->u.r.prog);
++		js_regfreex(J->alloc, J->actx, obj->u.r.prog);
+ 	}
+ 	if (obj->type == JS_CITERATOR)
+ 		jsG_freeiterator(J, obj->u.iter.head);
+diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c
+index a2d5156..7b09c06 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
+ 	if (flags & JS_REGEXP_I) opts |= REG_ICASE;
+ 	if (flags & JS_REGEXP_M) opts |= REG_NEWLINE;
+ 
+-	prog = js_regcomp(pattern, opts, &error);
++	prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error);
+ 	if (!prog)
+ 		js_syntaxerror(J, "regular expression: %s", error);
+ 
+diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c
+index 638cab3..fd5bcf6 100644
+--- a/thirdparty/mujs/jsstate.c
++++ b/thirdparty/mujs/jsstate.c
+@@ -9,12 +9,6 @@
+ 
+ static void *js_defaultalloc(void *actx, void *ptr, int size)
+ {
+-	if (size == 0) {
+-		free(ptr);
+-		return NULL;
+-	}
+-	if (!ptr)
+-		return malloc((size_t)size);
+ 	return realloc(ptr, (size_t)size);
+ }
+ 
+diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c
+index 9852be2..01c18a3 100644
+--- a/thirdparty/mujs/regexp.c
++++ b/thirdparty/mujs/regexp.c
+@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog)
+ }
+ #endif
+ 
+-Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++	const char *pattern, int cflags, const char **errorp)
+ {
+ 	struct cstate g;
+ 	Renode *node;
+ 	Reinst *split, *jump;
+ 	int i;
+ 
+-	g.prog = malloc(sizeof (Reprog));
+-	g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2);
++	g.pstart = NULL;
++	g.prog = NULL;
+ 
+ 	if (setjmp(g.kaboom)) {
+ 		if (errorp) *errorp = g.error;
+-		free(g.pstart);
+-		free(g.prog);
++		alloc(ctx, g.pstart, 0);
++		alloc(ctx, g.prog, 0);
+ 		return NULL;
+ 	}
+ 
++	g.prog = alloc(ctx, NULL, sizeof (Reprog));
++	if (!g.prog)
++		die(&g, "cannot allocate regular expression");
++	g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2);
++	if (!g.pstart)
++		die(&g, "cannot allocate regular expression parse list");
++
+ 	g.source = pattern;
+ 	g.ncclass = 0;
+ 	g.nsub = 1;
+@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ 		die(&g, "syntax error");
+ 
+ 	g.prog->nsub = g.nsub;
+-	g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst));
++	g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst));
++	if (!g.prog->start)
++		die(&g, "cannot allocate regular expression instruction list");
+ 
+ 	split = emit(g.prog, I_SPLIT);
+ 	split->x = split + 3;
+@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ 	dumpprog(g.prog);
+ #endif
+ 
+-	free(g.pstart);
++	alloc(ctx, g.pstart, 0);
+ 
+ 	if (errorp) *errorp = NULL;
+ 	return g.prog;
+ }
+ 
+-void regfree(Reprog *prog)
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog)
+ {
+ 	if (prog) {
+-		free(prog->start);
+-		free(prog);
++		alloc(ctx, prog->start, 0);
++		alloc(ctx, prog, 0);
+ 	}
+ }
+ 
++static void *default_alloc(void *ctx, void *p, int n)
++{
++	return realloc(p, (size_t)n);
++}
++
++Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++{
++	return regcompx(default_alloc, NULL, pattern, cflags, errorp);
++}
++
++void regfree(Reprog *prog)
++{
++	regfreex(default_alloc, NULL, prog);
++}
++
+ /* Match */
+ 
+ static int isnewline(int c)
+diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h
+index 4bb4615..6bb73e8 100644
+--- a/thirdparty/mujs/regexp.h
++++ b/thirdparty/mujs/regexp.h
+@@ -1,6 +1,8 @@
+ #ifndef regexp_h
+ #define regexp_h
+ 
++#define regcompx js_regcompx
++#define regfreex js_regfreex
+ #define regcomp js_regcomp
+ #define regexec js_regexec
+ #define regfree js_regfree
+@@ -8,6 +10,11 @@
+ typedef struct Reprog Reprog;
+ typedef struct Resub Resub;
+ 
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++	const char *pattern, int cflags, const char **errorp);
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++	Reprog *prog);
++
+ Reprog *regcomp(const char *pattern, int cflags, const char **errorp);
+ int regexec(Reprog *prog, const char *string, Resub *sub, int eflags);
+ void regfree(Reprog *prog);
+-- 
+2.9.1
+
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
new file mode 100644
index 0000000000..d73849262c
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@gmail.com>
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
+ 	jsR_savescope(J, scope);
+ 
+ 	if (n > F->numparams) {
+-		js_pop(J, F->numparams - n);
++		js_pop(J, n - F->numparams);
+ 		n = F->numparams;
+ 	}
+ 	for (i = n; i < F->varlen; ++i)
+-- 
+2.9.1
+
diff --git a/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch
new file mode 100644
index 0000000000..1f7a4cadb7
--- /dev/null
+++ b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch
@@ -0,0 +1,69 @@
+Fix test failure of test_XXX caused by upgrade of gpgme from 1.6.0 to
+1.8.0:
+
+======================================================================
+FAIL: test_encrypt_to_signonly (tests.test_encrypt_decrypt.EncryptDecryptTestCase)
+----------------------------------------------------------------------
+Traceback (most recent call last):
+  File "/tmp/guix-build-python2-pygpgme-0.3.drv-0/pygpgme-0.3/tests/test_encrypt_decrypt.py", line 185, in test_encrypt_to_signonly
+    self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN)
+AssertionError: 7 != 0
+
+----------------------------------------------------------------------
+
+Patch copied from the Debian package pygpgme-0.3-1.2:
+
+https://sources.debian.net/src/pygpgme/0.3-1.2/debian/patches/0005-Fix-test-failures-with-pinentry.patch/
+
+From: "Dr. Tobias Quathamer" <toddy@debian.org>
+Date: Thu, 24 Nov 2016 12:20:54 +0100
+Subject: Fix test failures with pinentry
+
+---
+ tests/test_encrypt_decrypt.py | 5 +++--
+ tests/test_passphrase.py      | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_encrypt_decrypt.py b/tests/test_encrypt_decrypt.py
+index 21ae83e..05707e1 100644
+--- a/tests/test_encrypt_decrypt.py
++++ b/tests/test_encrypt_decrypt.py
+@@ -132,6 +132,7 @@ class EncryptDecryptTestCase(GpgHomeTestCase):
+             os.write(fd, b'Symmetric passphrase\n')
+         ctx = gpgme.Context()
+         ctx.armor = True
++        ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+         ctx.passphrase_cb = passphrase
+         ctx.encrypt(None, 0, plaintext, ciphertext)
+         self.assertTrue(
+@@ -182,8 +183,8 @@ class EncryptDecryptTestCase(GpgHomeTestCase):
+             ctx.encrypt([recipient], gpgme.ENCRYPT_ALWAYS_TRUST,
+                         plaintext, ciphertext)
+         except gpgme.GpgmeError as exc:
+-            self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN)
+-            self.assertEqual(exc.args[1], gpgme.ERR_GENERAL)
++            self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_GPGME)
++            self.assertEqual(exc.args[1], gpgme.ERR_UNUSABLE_PUBKEY)
+         else:
+             self.fail('gpgme.GpgmeError not raised')
+ 
+diff --git a/tests/test_passphrase.py b/tests/test_passphrase.py
+index 35b3c59..05e6811 100644
+--- a/tests/test_passphrase.py
++++ b/tests/test_passphrase.py
+@@ -34,6 +34,7 @@ class PassphraseTestCase(GpgHomeTestCase):
+         ctx = gpgme.Context()
+         key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3')
+         ctx.signers = [key]
++        ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+         plaintext = BytesIO(b'Hello World\n')
+         signature = BytesIO()
+ 
+@@ -55,6 +56,7 @@ class PassphraseTestCase(GpgHomeTestCase):
+         ctx = gpgme.Context()
+         key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3')
+         ctx.signers = [key]
++        ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+         ctx.passphrase_cb = self.passphrase_cb
+         plaintext = BytesIO(b'Hello World\n')
+         signature = BytesIO()
diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch
new file mode 100644
index 0000000000..825edaa815
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch
@@ -0,0 +1,49 @@
+From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/watchdog/wdt_i6300esb.c |    9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
+ 
++static void i6300esb_exit(PCIDevice *dev)
++{
++    I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++    timer_del(d->timer);
++    timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+     .wdt_name = "i6300esb",
+     .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+     k->config_read = i6300esb_config_read;
+     k->config_write = i6300esb_config_write;
+     k->realize = i6300esb_realize;
++    k->exit = i6300esb_exit;
+     k->vendor_id = PCI_VENDOR_ID_INTEL;
+     k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+     k->class_id = PCI_CLASS_SYSTEM_OTHER;
+-- 
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch
new file mode 100644
index 0000000000..d0c0c82a4a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5525.patch
@@ -0,0 +1,55 @@
+From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:30:21 -0800
+Subject: [PATCH] audio: ac97: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
+this patch is from qemu-git
+
+Currently the ac97 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/ac97.c |   11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
+index cbd959e..c306575 100644
+--- a/hw/audio/ac97.c
++++ b/hw/audio/ac97.c
+@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
+     ac97_on_reset (&s->dev.qdev);
+ }
+ 
++static void ac97_exit(PCIDevice *dev)
++{
++    AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
++
++    AUD_close_in(&s->card, s->voice_pi);
++    AUD_close_out(&s->card, s->voice_po);
++    AUD_close_in(&s->card, s->voice_mc);
++    AUD_remove_card(&s->card);
++}
++
+ static int ac97_init (PCIBus *bus)
+ {
+     pci_create_simple (bus, -1, "AC97");
+@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
+     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+ 
+     k->realize = ac97_realize;
++    k->exit = ac97_exit;
+     k->vendor_id = PCI_VENDOR_ID_INTEL;
+     k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
+     k->revision = 0x01;
+-- 
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
new file mode 100644
index 0000000000..5a6d796458
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5526.patch
@@ -0,0 +1,58 @@
+From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:32:22 -0800
+Subject: [PATCH] audio: es1370: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
+this patch is from qemu-git.
+
+Currently the es1370 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/es1370.c |   14 ++++++++++++++
+ 1 files changed, 14 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
+index 8449b5f..883ec69 100644
+--- a/hw/audio/es1370.c
++++ b/hw/audio/es1370.c
+@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
+     es1370_reset (s);
+ }
+ 
++static void es1370_exit(PCIDevice *dev)
++{
++    ES1370State *s = ES1370(dev);
++    int i;
++
++    for (i = 0; i < 2; ++i) {
++        AUD_close_out(&s->card, s->dac_voice[i]);
++    }
++
++    AUD_close_in(&s->card, s->adc_voice);
++    AUD_remove_card(&s->card);
++}
++
+ static int es1370_init (PCIBus *bus)
+ {
+     pci_create_simple (bus, -1, TYPE_ES1370);
+@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
+     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+ 
+     k->realize = es1370_realize;
++    k->exit = es1370_exit;
+     k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
+     k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
+     k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
+-- 
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
new file mode 100644
index 0000000000..50911f4f36
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch
@@ -0,0 +1,44 @@
+From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 29 Dec 2016 03:11:26 -0500
+Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the virgl_renderer_resource_attach_iov function fails the
+'res_iovs' will be leaked. Add check of the return value to
+free the 'res_iovs' when failing.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu-3d.c |    7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index e29f099..b13ced3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
+         return;
+     }
+ 
+-    virgl_renderer_resource_attach_iov(att_rb.resource_id,
+-                                       res_iovs, att_rb.nr_entries);
++    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
++                                             res_iovs, att_rb.nr_entries);
++
++    if (ret != 0)
++        virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
+ }
+ 
+ static void virgl_resource_detach_backing(VirtIOGPU *g,
+-- 
+1.7.0.4
+
diff --git a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
deleted file mode 100644
index f592f5cd51..0000000000
--- a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-The tests currently fail due to use of 'skip' rather than 'pending' to skip a
-test usually not skipped by upstream.  This patch has been proposed upstream
-at https://github.com/lsegal/yard/pull/1033
-
-diff --git a/spec/templates/helpers/html_helper_spec.rb b/spec/templates/helpers/html_helper_spec.rb
-index 84624c3..9c4fc2b 100644
---- a/spec/templates/helpers/html_helper_spec.rb
-+++ b/spec/templates/helpers/html_helper_spec.rb
-@@ -184,7 +184,7 @@ describe YARD::Templates::Helpers::HtmlHelper do
-     it "creates tables (markdown specific)" do
-       log.enter_level(Logger::FATAL) do
-         unless markup_class(:markdown).to_s == "RedcarpetCompat"
--          skip "This test depends on a markdown engine that supports tables"
-+          pending "This test depends on a markdown engine that supports tables"
-         end
-       end
- 
diff --git a/gnu/packages/patches/tipp10-fix-compiling.patch b/gnu/packages/patches/tipp10-fix-compiling.patch
new file mode 100644
index 0000000000..4c206d4d83
--- /dev/null
+++ b/gnu/packages/patches/tipp10-fix-compiling.patch
@@ -0,0 +1,213 @@
+Description: Debian patches to make tipp10 compile
+Author: Christoph Martin <chrism@debian.org>
+Last-Update: 2016-07-20
+
+https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0001-FixCompiling
+
+--- a/widget/tickerboard.cpp
++++ b/widget/tickerboard.cpp
+@@ -97,7 +97,8 @@ void TickerBoard::startTicker(bool wasPa
+ 

+ 		if (tickerSpeed == 50) {

+ 			scrollOffset = 290;

+-			scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());

++			const QRect qr = QRect(10, 15, 590, 35);

++			scroll(-290, 0, qr); //contentsRect());

+ 		}

+ 

+ 		startFlag = true;

+@@ -153,7 +154,8 @@ void TickerBoard::changeChar() {
+ 			scrollOffset = 0;

+ 		} else {

+ 			scrollOffset = 290;

+-			scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());

++			const QRect qr = QRect(10, 15, 590, 35);

++			scroll(-290, 0, qr); //contentsRect());

+ 		}

+ 		splitLesson();

+ 	}

+@@ -242,7 +244,8 @@ void TickerBoard::progress() {
+ 

+ 				// Move ticker 1 pixel to left

+ 				scrollOffset++;

+-				scroll(-1, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());

++				const QRect qr = QRect(10, 15, 590, 35);

++				scroll(-1, 0, qr); //contentsRect());

+ 

+ 				if ((lessonOffset - scrollOffset) <= 30) {

+ 					setSpeed(tickerSpeed);

+@@ -265,14 +268,16 @@ void TickerBoard::progress() {
+ 			// 160 pixels overage (because the user must see at least the next word)

+ 			if ((lessonOffset - scrollOffset) > 200) {

+ 				scrollOffset += (lessonOffset - scrollOffset) - 200;

+-				scroll(-((lessonOffset - scrollOffset) - 200), 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());

++				const QRect qr = QRect(10, 15, 590, 35);

++				scroll(-((lessonOffset - scrollOffset) - 200), 0, qr); //contentsRect());

+ 			}

+ 		} else {

+ 			// If the user types faster than the ticker, move ticker faster after

+ 			// 160 pixels overage (because the user must see at least the next word)

+ 			if ((lessonOffset - scrollOffset) > 280) {

+ 				scrollOffset += 570;

+-				scroll(-570, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());

++				const QRect qr = QRect(10, 15, 590, 35);

++				scroll(-570, 0, qr); //contentsRect());

+ 			}

+ 

+ 		}

+--- a/widget/settingspages.cpp
++++ b/widget/settingspages.cpp
+@@ -501,7 +501,7 @@ void DatabasePage::writeSettings() {
+ 	QSettings settings;

+ 	#endif

+ 	settings.beginGroup("database");

+-	settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString::QString(APP_USER_DB));

++	settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString(APP_USER_DB));

+ 	settings.endGroup();

+ }

+ 

+--- a/widget/lessondialog.cpp
++++ b/widget/lessondialog.cpp
+@@ -89,7 +89,7 @@ void LessonDialog::updateContent() {
+ 			*lessonData = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts);

+ 			// Delete empty lines

+ 			for (int i = 0; i < lessonData->size(); i++) {

+-				if (QString::QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") {

++				if (QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") {

+ 					lessonData->removeAt(i);

+ 				}

+ 			}

+@@ -259,7 +259,7 @@ void LessonDialog::clickSave() {
+ 	contentList = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts);

+ 	// Delete empty lines

+ 	for (i = 0; i < contentList.size(); i++) {

+-		if (QString::QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") {

++		if (QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") {

+ 			contentList.removeAt(i);

+ 		}

+ 	}

+--- a/sql/chartablesql.cpp
++++ b/sql/chartablesql.cpp
+@@ -57,7 +57,7 @@ QVariant CharSqlModel::data(const QModel
+ 			// Read the unicode value

+ 			unicode = value.toInt();

+ 			// Convert unicode to a char

+-			unicodeToChar = QString::QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'";

++			unicodeToChar = QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'";

+ 			return unicodeToChar;

+ 		} else {

+ 			// Last column (error weight)

+--- a/sql/startsql.cpp
++++ b/sql/startsql.cpp
+@@ -344,7 +344,7 @@ bool StartSql::updateOwnLesson(QString l
+ 		for (i = 0; i < content.size(); i++) {

+ 			//simplifiedContent = QString::QString(

+ 			//	content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive).simplified();

+-			simplifiedContent = trim(QString::QString(

++			simplifiedContent = trim(QString(

+ 				content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive));

+ 

+ 			if (!query.exec("INSERT INTO own_content VALUES(NULL,'" +

+--- a/def/defines.h
++++ b/def/defines.h
+@@ -27,9 +27,9 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #define DEFINES_H

+ 

+ // OS constants

+-#define APP_WIN						true

++#define APP_WIN						false

+ #define APP_MAC						false

+-#define APP_X11						false

++#define APP_X11						true

+ #define APP_PORTABLE				false //at least one of the 3 OS must be true too!

+ 

+ // Languages

+@@ -47,6 +47,7 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #define APP_URL 					"http://www.tipp10.com"

+ #define APP_DB 						"tipp10v2.template"

+ #define APP_USER_DB					"tipp10v2.db"

++#define APP_SHARE_DIR					"/usr/share/tipp10"

+ 

+ // Update constants

+ #define UPDATE_URL 					"www.tipp10.com"

+--- a/tipp10.pro
++++ b/tipp10.pro
+@@ -88,3 +88,15 @@ SOURCES         += 	main.cpp \
+                     sql/startsql.cpp \

+                     games/abcrainwidget.cpp \

+                     games/charball.cpp

++

++target.path = /usr/bin/

++INSTALLS += target

++share.path = /usr/share/tipp10/

++share.files = release/* *wav

++INSTALLS += share

++desktop.path = /usr/share/applications/

++desktop.files = tipp10.desktop

++INSTALLS += desktop

++pixmap.path = /usr/share/pixmaps/

++pixmap.files = tipp10.png

++INSTALLS += pixmap

+--- a/sql/connection.h
++++ b/sql/connection.h
+@@ -179,11 +179,13 @@ static bool createConnection() {
+ 				CANCEL_NO, "Betroffener Pfad:\n" + dbPath);*/

+ 			// Try to create new databae in user path

+ 			// Exist a database in the program dir?

+-			if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) {

++			// if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) {

++		  	if (QFile::exists(QString(APP_SHARE_DIR) + "/" + dbNameTemplate)) {

+ 			//if (QFile::exists(":/" + dbNameTemplate)) {

+ 				// A database exist in the program dir

+ 				// -> copy database to user home dir

+-				QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate);

++				// QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate);

++			  	QFile file(QString(APP_SHARE_DIR) + "/" + dbNameTemplate);

+ 				//QFile file(":/" + dbNameTemplate);

+ 				if (file.copy(dbPath)) {

+ 					QFile::setPermissions(dbPath, QFile::permissions(dbPath) | QFile::WriteUser);

+@@ -229,7 +231,8 @@ static bool createConnection() {
+ 		// Exist a database in user's home dir?

+ 		if (!QFile::exists(dbPath)) {

+ 			// Exist a database template in the program dir?

+-			dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate;

++			// dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate;

++		  	dbPath = QString(APP_SHARE_DIR) + "/" + dbNameTemplate;

+ 			//dbPath = ":/" + dbNameTemplate;

+ 			if (QFile::exists(dbPath)) {

+ 				// A database template exist in the program dir

+--- a/widget/helpbrowser.cpp
++++ b/widget/helpbrowser.cpp
+@@ -52,13 +52,15 @@ HelpBrowser::HelpBrowser(QString link, Q
+     textBrowser->setOpenExternalLinks(true);

+ 	

+     textBrowser->setSource(QString("file:///") + 

+-    	QCoreApplication::applicationDirPath() + 

++	// QCoreApplication::applicationDirPath() + 

++    	APP_SHARE_DIR + 

+     	QString("/help/") + language + QString("/index.html"));

+     	

+     if (link != "") {

+     

+ 		textBrowser->setSource(QString("file:///") + 

+-			QCoreApplication::applicationDirPath() + 

++			// QCoreApplication::applicationDirPath() + 

++			APP_SHARE_DIR + 

+ 			QString("/help/") + language + QString("/content/") + link);

+ 			

+ 	}

+--- a/tipp10.desktop
++++ b/tipp10.desktop
+@@ -1,10 +1,10 @@
+ [Desktop Entry]
+-Encoding=UTF-8
+ Name=TIPP10
+ Comment=Touch Typing Tutor
+ Comment[de]=10-Finger-Schreibtrainer
+-Exec=tipp10
++Exec=/usr/bin/tipp10
+ Icon=tipp10.png
+ Terminal=false
+ Type=Application
+ Categories=Education;
++Keywords=learning;touchtyping
diff --git a/gnu/packages/patches/tipp10-remove-license-code.patch b/gnu/packages/patches/tipp10-remove-license-code.patch
new file mode 100644
index 0000000000..4b7487e726
--- /dev/null
+++ b/gnu/packages/patches/tipp10-remove-license-code.patch
@@ -0,0 +1,332 @@
+Description: Remove license dialog and license key checking
+
+https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0002-RemoveLicenseCode
+
+--- a/main.cpp
++++ b/main.cpp
+@@ -33,7 +33,6 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #include "def/defines.h"

+ #include "sql/connection.h"

+ #include "widget/mainwindow.h"

+-#include "widget/licensedialog.h"

+ #include "widget/illustrationdialog.h"

+ 

+ int main(int argc, char *argv[]) {

+@@ -59,7 +58,7 @@ int main(int argc, char *argv[]) {
+ 	QSettings settings;

+ 	#endif

+ 

+-	// Read/write language, license key and show illustration flag

++	// Read/write language and show illustration flag

+ 	settings.beginGroup("general");

+ 	QString languageGui = settings.value("language_gui",

+ 		QLocale::system().name()).toString();

+@@ -101,7 +100,6 @@ int main(int argc, char *argv[]) {
+ 	QString languageLesson = settings.value("language_lesson",

+ 		"").toString();

+ 

+-	QString licenseKey = settings.value("licensekey", "").toString();

+ 	bool showIllustration = settings.value("check_illustration", true).toBool();

+ 	bool useNativeStyle = settings.value("check_native_style", false).toBool();

+ 	settings.endGroup();

+--- a/tipp10.pro
++++ b/tipp10.pro
+@@ -43,7 +43,6 @@ HEADERS         += 	def/defines.h \
+                     widget/helpbrowser.h \

+                     widget/companylogo.h \

+                     widget/errormessage.h \

+-                    widget/licensedialog.h \

+                     widget/txtmessagedialog.h \

+                     widget/checkversion.h \

+                     sql/connection.h \

+@@ -78,7 +77,6 @@ SOURCES         += 	main.cpp \
+                     widget/helpbrowser.cpp \

+                     widget/companylogo.cpp \

+                     widget/errormessage.cpp \

+-                    widget/licensedialog.cpp \

+                     widget/txtmessagedialog.cpp \

+                     widget/checkversion.cpp \

+                     sql/lessontablesql.cpp \

+--- a/widget/licensedialog.cpp
++++ /dev/null
+@@ -1,168 +0,0 @@
+-/*

+-Copyright (c) 2006-2009, Tom Thielicke IT Solutions

+-

+-This program is free software; you can redistribute it and/or

+-modify it under the terms of the GNU General Public License

+-as published by the Free Software Foundation; either version 2

+-of the License.

+-

+-This program is distributed in the hope that it will be useful,

+-but WITHOUT ANY WARRANTY; without even the implied warranty of

+-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+-GNU General Public License for more details.

+-

+-You should have received a copy of the GNU General Public License

+-along with this program; if not, write to the Free Software

+-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

+-02110-1301, USA.

+-*/

+-

+-/****************************************************************

+-**

+-** Implementation of the LicenseDialog class

+-** File name: licensedialog.cpp

+-**

+-****************************************************************/

+-

+-#include <QHBoxLayout>

+-#include <QVBoxLayout>

+-#include <QMessageBox>

+-#include <QSettings>

+-#include <QCoreApplication>

+-

+-#include "licensedialog.h"

+-#include "def/defines.h"

+-

+-LicenseDialog::LicenseDialog(QWidget *parent) : QDialog(parent) {

+-

+-	setWindowFlags(windowFlags() ^ Qt::WindowContextHelpButtonHint);

+-

+-	setWindowTitle(tr("Lizenznummer"));

+-	setWindowIcon(QIcon(":/img/" + QString(ICON_FILENAME)));

+-

+-	// Create texbox

+-    createLineEdit();

+-

+-	// Create buttons

+-    createButtons();

+-

+-	// Set the layout of all widgets created above

+-	createLayout();

+-

+-	lineLicensing->setFocus();

+-}

+-

+-void LicenseDialog::createButtons() {

+-	//Buttons

+-	buttonOk = new QPushButton(this);

+-	buttonDemo = new QPushButton(this);

+-

+-	buttonOk->setText(tr("&Ok"));

+-	buttonDemo->setText(tr("&Demo starten"));

+-	buttonDemo->setToolTip(tr("Im Demo-Modus koennen pro Lektion nur\n"

+-		"10 Schriftzeichen eingegeben werden"));

+-

+-	buttonOk->setDefault(true);

+-	// Widget connections

+-    connect(buttonOk, SIGNAL(clicked()), this, SLOT(clickOk()));

+-    connect(buttonDemo, SIGNAL(clicked()), this, SLOT(clickDemo()));

+-}

+-

+-void LicenseDialog::createLineEdit() {

+-

+-	lineLicensing = new QLineEdit();

+-	lineLicensing->setInputMask(">NNNNNNNNNNNNNN");

+-

+-	labelLicensing = new QLabel(tr("Bitte geben Sie Ihre Lizenznummer "

+-		"(ohne Leerzeichen) ein, "

+-		"die Sie im Arbeitsbuch (Schulbuch) auf Seite 3 finden:"));

+-

+-	labelLicensing->setWordWrap(true);

+-}

+-

+-void LicenseDialog::createLayout() {

+-	// Button layout horizontal

+-	QHBoxLayout *buttonLayoutHorizontal = new QHBoxLayout;

+-    buttonLayoutHorizontal->addStretch(1);

+-    buttonLayoutHorizontal->addWidget(buttonDemo);

+-    buttonLayoutHorizontal->addWidget(buttonOk);

+-	// Full layout of all widgets vertical

+-	QVBoxLayout *mainLayout = new QVBoxLayout;

+-    mainLayout->addSpacing(1);

+-    mainLayout->addWidget(labelLicensing);

+-    mainLayout->addSpacing(1);

+-    mainLayout->addWidget(lineLicensing);

+-    mainLayout->addSpacing(1);

+-    mainLayout->addLayout(buttonLayoutHorizontal);

+-    mainLayout->setMargin(15);

+-    mainLayout->setSpacing(15);

+-    // Pass layout to parent widget (this)

+-	this->setLayout(mainLayout);

+-}

+-

+-void LicenseDialog::clickOk() {

+-

+-	// Check license key

+-	if (!checkLicenseKey(lineLicensing->text())) {

+-

+-		// License key is wrong

+-

+-		// Message to the user

+-		QMessageBox::information(0, APP_NAME,

+-			tr("Die eingegebene Lizenznummer ist leider nicht "

+-			"korrekt.\nBitte ueberpruefen Sie die Schreibweise."));

+-

+-		lineLicensing->setFocus();

+-

+-	} else {

+-

+-		// License key is ok

+-		writeSettings();

+-		accept();

+-	}

+-}

+-

+-void LicenseDialog::clickDemo() {

+-	accept();

+-}

+-

+-bool LicenseDialog::checkLicenseKey(QString licenseKey) {

+-	if (licenseKey.size() == 14 &&

+-		licenseKey[0].isLetter() &&

+-		licenseKey[1].isLetter() &&

+-		(licenseKey.mid(2, 2) == "39" ||

+-		licenseKey.mid(2, 2) == "41" ||

+-		licenseKey.mid(2, 2) == "43" ||

+-		licenseKey.mid(2, 2) == "49" ||

+-		licenseKey.mid(2, 2) == "99") &&

+-		licenseKey[4].isDigit() &&

+-		licenseKey[5].isDigit() &&

+-		licenseKey[6].isDigit() &&

+-		licenseKey[7].isLetter() &&

+-		licenseKey[8].isDigit() &&

+-		licenseKey[9].isDigit() &&

+-		licenseKey[10].isDigit() &&

+-		licenseKey[11].isDigit() &&

+-		licenseKey[12].isLetter() &&

+-		licenseKey[13].isLetter()) {

+-

+-		return true;

+-	}

+-	return false;

+-}

+-

+-void LicenseDialog::writeSettings() {

+-	// Saves settings of the startwiget

+-	// (uses the default constructor of QSettings, passing

+-	// the application and company name see main function)

+-	#if APP_PORTABLE

+-	QSettings settings(QCoreApplication::applicationDirPath() +

+-    	"/portable/settings.ini", QSettings::IniFormat);

+-    #else

+-	QSettings settings;

+-	#endif

+-

+-	settings.beginGroup("general");

+-	settings.setValue("licensekey", lineLicensing->text());

+-	settings.endGroup();

+-}

+--- a/widget/licensedialog.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-/*

+-Copyright (c) 2006-2009, Tom Thielicke IT Solutions

+-

+-This program is free software; you can redistribute it and/or

+-modify it under the terms of the GNU General Public License

+-as published by the Free Software Foundation; either version 2

+-of the License.

+-

+-This program is distributed in the hope that it will be useful,

+-but WITHOUT ANY WARRANTY; without even the implied warranty of

+-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+-GNU General Public License for more details.

+-

+-You should have received a copy of the GNU General Public License

+-along with this program; if not, write to the Free Software

+-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

+-02110-1301, USA.

+-*/

+-

+-/****************************************************************

+-**

+-** Definition of the LicenseDialog class

+-** File name: licensedialog.h

+-**

+-****************************************************************/

+-

+-#ifndef LICENSEDIALOG_H

+-#define LICENSEDIALOG_H

+-

+-#include <QDialog>

+-#include <QWidget>

+-#include <QPushButton>

+-#include <QLabel>

+-#include <QLineEdit>

+-#include <QString>

+-

+-//! The LicenseDialog class provides a license input widget.

+-/*!

+-	The LicenseDialog class shows a dialog to enter a license key.

+-

+-	@author Tom Thielicke, s712715

+-	@version 0.0.1

+-	@date 09.09.2008

+-*/

+-class LicenseDialog : public QDialog {

+-	Q_OBJECT

+-

+-	public:

+-

+-		//! Constructor, creates two table objects and provide it in two tabs.

+-		LicenseDialog(QWidget *parent = 0);

+-

+-		bool checkLicenseKey(QString licenseKey);

+-

+-	public slots:

+-

+-	private slots:

+-

+-		//! Start button pressed

+-		void clickOk();

+-

+-		//! Demo button pressed

+-		void clickDemo();

+-

+-	private:

+-

+-		//! Creates a cancel and a ok button.

+-		void createButtons();

+-

+-		//! Creates a textbox.

+-		void createLineEdit();

+-

+-		//! Creates the layout of the complete class.

+-		void createLayout();

+-

+-		//! Writes user settings

+-		void writeSettings();

+-

+-		QPushButton *buttonOk;

+-		QPushButton *buttonDemo;

+-		QLabel *labelLicensing;

+-		QLineEdit *lineLicensing;

+-};

+-

+-#endif //LICENSEDIALOG_H

+--- a/widget/mainwindow.cpp
++++ b/widget/mainwindow.cpp
+@@ -116,11 +116,6 @@ void MainWindow::closeEvent(QCloseEvent
+ 	}

+ }

+ 

+-bool MainWindow::checkLicenseKey(QString licenseKey) {

+-

+-    return false;

+-}

+-

+ void MainWindow::createMenu() {

+ 	//Mac-Version:

+ 	//-----------

+--- a/widget/mainwindow.h
++++ b/widget/mainwindow.h
+@@ -39,7 +39,6 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #include "trainingwidget.h"

+ #include "evaluationwidget.h"

+ #include "illustrationdialog.h"

+-#include "licensedialog.h"

+ #include "games/abcrainwidget.h"

+ #include "helpbrowser.h"

+ 

diff --git a/gnu/packages/patches/totem-debug-format-fix.patch b/gnu/packages/patches/totem-debug-format-fix.patch
deleted file mode 100644
index 7ddd31ee10..0000000000
--- a/gnu/packages/patches/totem-debug-format-fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- totem-3.20.1/src/backend/bacon-video-widget.c.orig	2016-03-22 12:45:32.000000000 -0400
-+++ totem-3.20.1/src/backend/bacon-video-widget.c	2016-05-11 02:49:55.299109551 -0400
-@@ -2334,7 +2334,7 @@
-     if (!gst_toc_entry_get_start_stop_times (entry, &start, &stop)) {
-       GST_DEBUG ("Chapter #%d (couldn't get times)", i);
-     } else {
--      GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, start, stop);
-+      GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, (long) start, (long) stop);
-     }
-   }
- 
diff --git a/gnu/packages/patches/upower-builddir.patch b/gnu/packages/patches/upower-builddir.patch
index 13cef5876a..d59d4364b8 100644
--- a/gnu/packages/patches/upower-builddir.patch
+++ b/gnu/packages/patches/upower-builddir.patch
@@ -37,7 +37,7 @@ Patch by Andy Wingo <wingo@igalia.com>
 -	if (g_file_test ("../etc/UPower.conf", G_FILE_TEST_EXISTS))
 -		g_setenv ("UPOWER_CONF_FILE_NAME", "../etc/UPower.conf", TRUE);
 -	else
--		g_setenv ("UPOWER_CONF_FILE_NAME", "../../etc/UPower.conf", TRUE);
+-		g_setenv ("UPOWER_CONF_FILE_NAME", "../../../etc/UPower.conf", TRUE);
 -
  	/* tests go here */
  	g_test_add_func ("/power/backend", up_test_backend_func);
diff --git a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch b/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch
deleted file mode 100644
index 969ed7e41e..0000000000
--- a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Removes references to mibstore.h and miInitializeBackingStore, which
-have been removed from xorg-server.  Zack Rusin <zackr@vmware.com>
-wrote: "It was a noop for at least 5 years and it has been removed."
-See: http://patches.openembedded.org/patch/46133/
-
---- xf86-video-glint-1.2.8/src/glint_driver.c.~1~	2012-07-15 22:50:47.000000000 -0400
-+++ xf86-video-glint-1.2.8/src/glint_driver.c	2014-12-19 00:42:39.162714279 -0500
-@@ -52,8 +52,6 @@
- #include "compiler.h"
- #include "mipointer.h"
- 
--#include "mibstore.h"
--
- #include "pm3_regs.h"
- #include "glint_regs.h"
- #include "IBM.h"
-@@ -2904,7 +2902,6 @@
-         }
-     }
- 
--    miInitializeBackingStore(pScreen);
-     xf86SetBackingStore(pScreen);
-     xf86SetSilkenMouse(pScreen);
- 
diff --git a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch b/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
deleted file mode 100644
index 48588ed0e4..0000000000
--- a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Removes references to mibstore.h and miInitializeBackingStore, which
-have been removed from xorg-server.  Zack Rusin <zackr@vmware.com>
-wrote: "It was a noop for at least 5 years and it has been removed."
-See: http://patches.openembedded.org/patch/46133/
-
-diff -ru xf86-video-nv-2.1.20.orig/src/g80_driver.c xf86-video-nv-2.1.20/src/g80_driver.c
---- xf86-video-nv-2.1.20.orig/src/g80_driver.c	2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/g80_driver.c	2014-12-17 10:11:42.197579082 -0500
-@@ -34,7 +34,6 @@
- #include <xf86Resources.h>
- #endif
- #include <mipointer.h>
--#include <mibstore.h>
- #include <micmap.h>
- #include <xf86cmap.h>
- #include <fb.h>
-@@ -833,7 +832,6 @@
-         }
-     }
- 
--    miInitializeBackingStore(pScreen);
-     xf86SetBackingStore(pScreen);
-     xf86SetSilkenMouse(pScreen);
- 
-diff -ru xf86-video-nv-2.1.20.orig/src/nv_driver.c xf86-video-nv-2.1.20/src/nv_driver.c
---- xf86-video-nv-2.1.20.orig/src/nv_driver.c	2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/nv_driver.c	2014-12-17 10:11:39.037563413 -0500
-@@ -2550,7 +2550,6 @@
-     if (!pNv->NoAccel)
- 	NVAccelInit(pScreen);
-     
--    miInitializeBackingStore(pScreen);
-     xf86SetBackingStore(pScreen);
-     xf86SetSilkenMouse(pScreen);
- 
-diff -ru xf86-video-nv-2.1.20.orig/src/nv_include.h xf86-video-nv-2.1.20/src/nv_include.h
---- xf86-video-nv-2.1.20.orig/src/nv_include.h	2012-07-17 02:48:19.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/nv_include.h	2014-12-17 10:11:22.089479372 -0500
-@@ -24,9 +24,6 @@
- /* All drivers initialising the SW cursor need this */
- #include "mipointer.h"
- 
--/* All drivers implementing backing store need this */
--#include "mibstore.h"
--
- #include "micmap.h"
- 
- #include "xf86DDC.h"
-diff -ru xf86-video-nv-2.1.20.orig/src/riva_driver.c xf86-video-nv-2.1.20/src/riva_driver.c
---- xf86-video-nv-2.1.20.orig/src/riva_driver.c	2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/riva_driver.c	2014-12-17 10:11:31.101524060 -0500
-@@ -1168,7 +1168,6 @@
-     if (!pRiva->NoAccel)
- 	RivaAccelInit(pScreen);
-     
--    miInitializeBackingStore(pScreen);
-     xf86SetBackingStore(pScreen);
-     xf86SetSilkenMouse(pScreen);
- 
-diff -ru xf86-video-nv-2.1.20.orig/src/riva_include.h xf86-video-nv-2.1.20/src/riva_include.h
---- xf86-video-nv-2.1.20.orig/src/riva_include.h	2012-07-17 02:48:45.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/riva_include.h	2014-12-17 10:11:12.229430478 -0500
-@@ -22,9 +22,6 @@
- /* All drivers initialising the SW cursor need this */
- #include "mipointer.h"
- 
--/* All drivers implementing backing store need this */
--#include "mibstore.h"
--
- #include "micmap.h"
- 
- #include "xf86DDC.h"