authorMark H Weaver <mhw@netris.org>2018-02-09 01:46:34 -0500
committerMark H Weaver <mhw@netris.org>2018-02-09 01:46:34 -0500
commitefe2a2833c6d306d0c60127fdfebaff6dc415b4c (patch)
treebf842134e1a149770907e1956d28c3a6b207b3f7 /gnu/packages/patches
parent53f826cd0f429864d46fc3bf6305c14356d0b2ad (diff)
parent8d0edc8246389c0f2bb1c8e9c9190c312746a4b4 (diff)
downloadguix-efe2a2833c6d306d0c60127fdfebaff6dc415b4c.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/gpsbabel-minizip.patch13
-rw-r--r--gnu/packages/patches/gpsbabel-qstring.patch69
-rw-r--r--gnu/packages/patches/hwloc-tests-without-sysfs.patch42
-rw-r--r--gnu/packages/patches/luajit-symlinks.patch25
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-1.patch138
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-2.patch59
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-3.patch84
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-17858.patch111
-rw-r--r--gnu/packages/patches/p7zip-CVE-2017-17969.patch35
9 files changed, 551 insertions, 25 deletions
diff --git a/gnu/packages/patches/gpsbabel-minizip.patch b/gnu/packages/patches/gpsbabel-minizip.patch
new file mode 100644
index 0000000000..8f3bb36f57
--- /dev/null
+++ b/gnu/packages/patches/gpsbabel-minizip.patch
@@ -0,0 +1,13 @@
+Patch taken from https://sources.debian.org/data/main/g/gpsbabel/1.5.3-2/debian/patches/use_minizip.
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -120,7 +120,7 @@ LIBOBJS = queue.o route.o waypt.o filter
+ 	  src/core/usasciicodec.o\
+ 	  src/core/ziparchive.o \
+ 	  $(GARMIN) $(JEEPS) $(SHAPE) @ZLIB@ $(FMTS) $(FILTERS)
+-OBJS = main.o globals.o $(LIBOBJS) @FILEINFO@
++OBJS = main.o globals.o $(MINIZIP) $(LIBOBJS) @FILEINFO@
+ 
+ DEPFILES = $(OBJS:.o=.d)
+ 
\ No newline at end of file
diff --git a/gnu/packages/patches/gpsbabel-qstring.patch b/gnu/packages/patches/gpsbabel-qstring.patch
new file mode 100644
index 0000000000..8ba1a7213b
--- /dev/null
+++ b/gnu/packages/patches/gpsbabel-qstring.patch
@@ -0,0 +1,69 @@
+Extracted from following patch of gpsbabel:
+https://github.com/gpsbabel/gpsbabel/commit/604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3
+
+From 604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3 Mon Sep 17 00:00:00 2001
+From: Harel Mazor <harel.mazor@gmail.com>
+Date: Tue, 24 Jan 2017 00:35:04 +0200
+Subject: [PATCH] Added geojson read capablity, moved magic strings to
+ constants, fixed windows compilation issues.
+
+--- a/tef_xml.cc
++++ b/tef_xml.cc
+@@ -72,11 +72,11 @@ tef_start(xg_string args, const QXmlStreamAttributes* attrv)
+   bool valid = false;
+ 
+   foreach(QXmlStreamAttribute attr, *attrv) {
+-    if (attr.name().compare("Comment", Qt::CaseInsensitive) == 0) {
+-      if (attr.value().compare("TourExchangeFormat", Qt::CaseInsensitive) == 0) {
++    if (attr.name().compare(QString("Comment"), Qt::CaseInsensitive) == 0) {
++      if (attr.value().compare(QString("TourExchangeFormat"), Qt::CaseInsensitive) == 0) {
+         valid = true;
+       }
+-    } else if (attr.name().compare("Version", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Version"), Qt::CaseInsensitive) == 0) {
+       version = attr.value().toString().toDouble();
+     }
+   }
+@@ -95,9 +95,9 @@ tef_header(xg_string args, const QXmlStreamAttributes* attrv)
+ {
+   route = route_head_alloc();
+   foreach(QXmlStreamAttribute attr, *attrv) {
+-    if (attr.name().compare("Name", Qt::CaseInsensitive) == 0) {
++    if (attr.name().compare(QString("Name"), Qt::CaseInsensitive) == 0) {
+       route->rte_name = attr.value().toString().trimmed();
+-    } else if (attr.name().compare("Software", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Software"), Qt::CaseInsensitive) == 0) {
+       route->rte_desc = attr.value().toString().trimmed();
+     }
+   }
+@@ -248,20 +248,20 @@ tef_item_start(xg_string args, const QXmlStreamAttributes* attrv)
+     QString attrstr = attr.value().toString();
+     QByteArray attrtext = attrstr.toUtf8();
+ 
+-    if (attr.name().compare("SegDescription", Qt::CaseInsensitive) == 0) {
++    if (attr.name().compare(QString("SegDescription"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->shortname = attrstr.trimmed();
+-    } else if (attr.name().compare("PointDescription", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("PointDescription"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->description = attrstr.trimmed();
+-    } else if (attr.name().compare("ViaStation", Qt::CaseInsensitive) == 0 &&
+-               attr.value().compare("true", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("ViaStation"), Qt::CaseInsensitive) == 0 &&
++               attr.value().compare(QString("true"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->wpt_flags.fmt_use = 1;  /* only a flag */
+ 
+       /* new in TEF V2 */
+-    } else if (attr.name().compare("Instruction", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Instruction"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->description = attrstr.trimmed();
+-    } else if (attr.name().compare("Altitude", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Altitude"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->altitude = attrstr.toDouble();
+-    } else if (attr.name().compare("TimeStamp", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("TimeStamp"), Qt::CaseInsensitive) == 0) {
+       /* nothing for the moment */
+     }
+   }
+-- 
+2.16.1
+
diff --git a/gnu/packages/patches/hwloc-tests-without-sysfs.patch b/gnu/packages/patches/hwloc-tests-without-sysfs.patch
new file mode 100644
index 0000000000..ea6ec41616
--- /dev/null
+++ b/gnu/packages/patches/hwloc-tests-without-sysfs.patch
@@ -0,0 +1,42 @@
+Fix a test failure in the build environment, where /sys is missing.
+From <https://github.com/bgoglin/hwloc/commit/a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf.patch>.
+
+From a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf Mon Sep 17 00:00:00 2001
+From: Brice Goglin <Brice.Goglin@inria.fr>
+Date: Tue, 6 Feb 2018 17:13:26 +0100
+Subject: [PATCH] linux: honor the filtering cores and packages when reading
+ topology from cpuinfo
+
+Caused a make check crash in lstopo --filter all:none in chroot without sysfs.
+
+Thanks to Ludovic Courtes for the report.
+
+Signed-off-by: Brice Goglin <Brice.Goglin@inria.fr>
+---
+ hwloc/topology-linux.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c
+index 290da0d72..e1bbf94e1 100644
+--- a/hwloc/topology-linux.c
++++ b/hwloc/topology-linux.c
+@@ -4101,7 +4101,8 @@ look_cpuinfo(struct hwloc_topology *topology,
+     }
+   /* create package objects */
+   hwloc_debug("%u pkgs%s\n", numpkgs, missingpkg ? ", but some missing package" : "");
+-  if (!missingpkg && numpkgs>0) {
++  if (!missingpkg && numpkgs>0
++      && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_PACKAGE)) {
+     for (i = 0; i < numpkgs; i++) {
+       struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_PACKAGE, Lpkg_to_Ppkg[i]);
+       int doneinfos = 0;
+@@ -4145,7 +4146,8 @@ look_cpuinfo(struct hwloc_topology *topology,
+     }
+   /* create Core objects */
+   hwloc_debug("%u cores%s\n", numcores, missingcore ? ", but some missing core" : "");
+-  if (!missingcore && numcores>0) {
++  if (!missingcore && numcores>0
++      && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_CORE)) {
+     for (i = 0; i < numcores; i++) {
+       struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_CORE, Lcore_to_Pcore[i]);
+       obj->cpuset = hwloc_bitmap_alloc();
diff --git a/gnu/packages/patches/luajit-symlinks.patch b/gnu/packages/patches/luajit-symlinks.patch
deleted file mode 100644
index 2466c34144..0000000000
--- a/gnu/packages/patches/luajit-symlinks.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0a54a8f125d7ab508c7c88d5ad4ed1b0c63cb5b6 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Tom=C3=A1=C5=A1=20=C4=8Cech?= <sleep_walker@suse.cz>
-Date: Wed, 4 Feb 2015 11:32:55 +0100
-Subject: [PATCH 1/2] Provide two symlinks for dynamic library during install
-
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 0891b71..343ecb5 100644
---- a/Makefile
-+++ b/Makefile
-@@ -56,7 +56,7 @@ INSTALL_PCNAME= luajit.pc
- INSTALL_STATIC= $(INSTALL_LIB)/$(INSTALL_ANAME)
- INSTALL_DYN= $(INSTALL_LIB)/$(INSTALL_SONAME)
- INSTALL_SHORT1= $(INSTALL_LIB)/$(INSTALL_SOSHORT)
--INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT)
-+INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT).$(MAJVER)
- INSTALL_T= $(INSTALL_BIN)/$(INSTALL_TNAME)
- INSTALL_TSYM= $(INSTALL_BIN)/$(INSTALL_TSYMNAME)
- INSTALL_PC= $(INSTALL_PKGCONFIG)/$(INSTALL_PCNAME)
--- 
-2.2.2
-
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
new file mode 100644
index 0000000000..55fc7daaf3
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
@@ -0,0 +1,138 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
+
+To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
+checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
+for the 0.28.0 release. So it should be safe to remove hunk #4.
+
+From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 01:19:04 +0000
+Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
+ youtube-dl
+
+Not very clean since there's a lot of potential unsafe urls that youtube-dl
+can give us, depending on whether it's a single url, split tracks,
+playlists, segmented dash, etc.
+---
+ player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 47 insertions(+), 7 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index dd96ecc01d..b480c21625 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -16,6 +16,18 @@ local ytdl = {
+ 
+ local chapter_list = {}
+ 
++function Set (t)
++    local set = {}
++    for _, v in pairs(t) do set[v] = true end
++    return set
++end
++
++local safe_protos = Set {
++    "http", "https", "ftp", "ftps",
++    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++    "data"
++}
++
+ local function exec(args)
+     local ret = utils.subprocess({args = args})
+     return ret.status, ret.stdout, ret
+@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
+ 
+     for i = offset, #fragments do
+         local fragment = fragments[i]
++        if not url_is_safe(join_url(base, fragment)) then
++            return nil
++        end
+         table.insert(parts, edl_escape(join_url(base, fragment)))
+         if fragment.duration then
+             parts[#parts] =
+@@ -208,6 +223,15 @@ local function proto_is_dash(json)
+            or json["protocol"] == "http_dash_segments"
+ end
+ 
++local function url_is_safe(url)
++    local proto = type(url) == "string" and url:match("^(.+)://") or nil
++    local safe = proto and safe_protos[proto]
++    if not safe then
++        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++    end
++    return safe
++end
++
+ local function add_single_video(json)
+     local streamurl = ""
+     local max_bitrate = 0
+@@ -238,14 +264,18 @@ local function add_single_video(json)
+             edl_track = edl_track_joined(track.fragments,
+                 track.protocol, json.is_live,
+                 track.fragment_base_url)
++            local url = edl_track or track.url
++            if not url_is_safe(url) then
++                return
++            end
+             if track.acodec and track.acodec ~= "none" then
+                 -- audio track
+                 mp.commandv("audio-add",
+-                    edl_track or track.url, "auto",
++                    url, "auto",
+                     track.format_note or "")
+             elseif track.vcodec and track.vcodec ~= "none" then
+                 -- video track
+-                streamurl = edl_track or track.url
++                streamurl = url
+             end
+         end
+ 
+@@ -264,7 +294,13 @@ local function add_single_video(json)
+ 
+     msg.debug("streamurl: " .. streamurl)
+ 
+-    mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
++    streamurl = streamurl:gsub("^data:", "data://", 1)
++
++    if not url_is_safe(streamurl) then
++        return
++    end
++
++    mp.set_property("stream-open-filename", streamurl)
+ 
+     mp.set_property("file-local-options/force-media-title", json.title)
+ 
+@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
+                         site = entry["webpage_url"]
+                     end
+ 
+-                    if not (site:find("https?://") == 1) then
+-                        site = "ytdl://" .. site
++                    -- links with only youtube id as returned by --flat-playlist
++                    if not site:find("://") then
++                        table.insert(playlist, "ytdl://" .. site)
++                    elseif url_is_safe(site) then
++                        table.insert(playlist, site)
+                     end
+-                    table.insert(playlist, site)
+ 
+                 end
+ 
+-                mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
++                if #playlist > 0 then
++                    mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
++                end
+             end
+ 
+         else -- probably a video
+-- 
+2.16.1
+
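Review bot: The scheme capture in `url_is_safe`, `url:match("^(.+)://")`, is greedy, so `proto` holds everything before the last `://` in the string rather than the scheme alone. The check still fails closed, because such a value is not a key in `safe_protos`, but a legitimate URL that carries another URL in its path or query is rejected and logged as unsafe. Anchoring the capture on scheme syntax keeps the whitelist comparison exact: `local proto = type(url) == "string" and url:match("^(%a[%w+.-]*)://") or nil`. The same function body is carried unchanged in mpv-CVE-2018-6360-2.patch, so the change applies there as well.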
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
new file mode 100644
index 0000000000..b37e33a641
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
@@ -0,0 +1,59 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
+
+From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 11:26:27 +0000
+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
+
+lua isn't javascript.
+---
+ player/lua/ytdl_hook.lua | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index b480c21625..458c94af38 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -84,6 +84,15 @@ local function edl_escape(url)
+     return "%" .. string.len(url) .. "%" .. url
+ end
+ 
++local function url_is_safe(url)
++    local proto = type(url) == "string" and url:match("^(.+)://") or nil
++    local safe = proto and safe_protos[proto]
++    if not safe then
++        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++    end
++    return safe
++end
++
+ local function time_to_secs(time_string)
+     local ret
+ 
+@@ -223,15 +232,6 @@ local function proto_is_dash(json)
+            or json["protocol"] == "http_dash_segments"
+ end
+ 
+-local function url_is_safe(url)
+-    local proto = type(url) == "string" and url:match("^(.+)://") or nil
+-    local safe = proto and safe_protos[proto]
+-    if not safe then
+-        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+-    end
+-    return safe
+-end
+-
+ local function add_single_video(json)
+     local streamurl = ""
+     local max_bitrate = 0
+-- 
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
new file mode 100644
index 0000000000..dc3e272d37
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
@@ -0,0 +1,84 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
+
+From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 18:54:17 +0000
+Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
+
+---
+ player/lua/ytdl_hook.lua | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index 458c94af38..6c8e78657d 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -264,18 +264,17 @@ local function add_single_video(json)
+             edl_track = edl_track_joined(track.fragments,
+                 track.protocol, json.is_live,
+                 track.fragment_base_url)
+-            local url = edl_track or track.url
+-            if not url_is_safe(url) then
++            if not edl_track and not url_is_safe(track.url) then
+                 return
+             end
+             if track.acodec and track.acodec ~= "none" then
+                 -- audio track
+                 mp.commandv("audio-add",
+-                    url, "auto",
++                    edl_track or track.url, "auto",
+                     track.format_note or "")
+             elseif track.vcodec and track.vcodec ~= "none" then
+                 -- video track
+-                streamurl = url
++                streamurl = edl_track or track.url
+             end
+         end
+ 
+@@ -284,6 +283,9 @@ local function add_single_video(json)
+         edl_track = edl_track_joined(json.fragments, json.protocol,
+             json.is_live, json.fragment_base_url)
+ 
++        if not edl_track and not url_is_safe(json.url) then
++            return
++        end
+         -- normal video or single track
+         streamurl = edl_track or json.url
+         set_http_headers(json.http_headers)
+@@ -294,13 +296,7 @@ local function add_single_video(json)
+ 
+     msg.debug("streamurl: " .. streamurl)
+ 
+-    streamurl = streamurl:gsub("^data:", "data://", 1)
+-
+-    if not url_is_safe(streamurl) then
+-        return
+-    end
+-
+-    mp.set_property("stream-open-filename", streamurl)
++    mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
+ 
+     mp.set_property("file-local-options/force-media-title", json.title)
+ 
+@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
+ 
+                 msg.debug("EDL: " .. playlist)
+ 
++                if not playlist then
++                    return
++                end
++
+                 -- can't change the http headers for each entry, so use the 1st
+                 if json.entries[1] then
+                     set_http_headers(json.entries[1].http_headers)
+-- 
+2.16.1
+
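Review bot: In the `on_load` hook hunk of mpv-CVE-2018-6360-3.patch, the new `if not playlist then return end` guard sits after `msg.debug("EDL: " .. playlist)`. Concatenating a nil value raises a Lua error, so the guard is never reached when `playlist` is nil. The assignment to `playlist` is outside the hunk; presumably it is the result of `edl_track_joined`, which returns nil for an unsafe fragment since the first patch. Moving the three added lines above the `msg.debug` call lets the rejection take the intended quiet return instead of aborting the hook with an error.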
diff --git a/gnu/packages/patches/mupdf-CVE-2017-17858.patch b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
new file mode 100644
index 0000000000..66df127509
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
@@ -0,0 +1,111 @@
+Fix CVE-2017-17858:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858
+https://bugs.ghostscript.com/show_bug.cgi?id=698819
+https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
+
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 21ed8595..4177112b 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
++/* Defined in PDF 1.7 according to Acrobat limit. */
++#define PDF_MAX_OBJECT_NUMBER 8388607
++
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index ca149bd3..0c29758e 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+ 	int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ 					break;
+ 				}
+ 
+-				if (num <= 0 || num > MAX_OBJECT_NUMBER)
++				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+ 				{
+ 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ 					goto have_next_token;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 00586dbd..6284e70b 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+ 		}
+ 
+-		if (ofs < 0)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+-		if (ofs > INT64_MAX - len)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
+-
++		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
++				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
++				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
++		{
++			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
++		}
+ 		/* broken pdfs where size in trailer undershoots entries in xref sections */
+ 		if (ofs + len > xref_len)
+ 		{
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+-	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+-	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
++	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ 
+ 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+ 	for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
+ 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
+ 	pdf_xref_entry *entry;
+ 	int num = pdf_xref_len(ctx, doc);
++
++	if (num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
++
+ 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+ 	entry->type = 'f';
+ 	entry->ofs = -1;
+-- 
+2.16.1
+
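Review bot: The third clause of the new range checks in `pdf_read_old_xref` and `pdf_read_new_xref_section` (`ofs + len - 1 > PDF_MAX_OBJECT_NUMBER` and `i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER`) is free of overflow only because the earlier clauses of the same `||` chain have already bounded each operand, and nothing in the code says so. A comment such as `/* each operand is bounded first, so the sum below cannot overflow */` above both conditions would keep a later reordering from reintroducing the overflow that the removed `INT64_MAX - len` and `INT_MAX - i1` tests guarded against. The new message also drops the offending value that the old `out of range object num in xref: %d` reported, which makes a rejected file harder to diagnose. Both functions continue outside their hunks.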
diff --git a/gnu/packages/patches/p7zip-CVE-2017-17969.patch b/gnu/packages/patches/p7zip-CVE-2017-17969.patch
new file mode 100644
index 0000000000..51c24000e5
--- /dev/null
+++ b/gnu/packages/patches/p7zip-CVE-2017-17969.patch
@@ -0,0 +1,35 @@
+Fix CVE-2017-17969:
+
+https://sourceforge.net/p/p7zip/bugs/204/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
+
+Patch copied from Debian.
+
+Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
+Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch
+Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7
+Bug: https://sourceforge.net/p/p7zip/bugs/204/
+Bug-Debian: https://bugs.debian.org/888297
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969
+Author: Antoine Beaupré <anarcat@debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2018-02-01
+Applied-Upstream: 18.00-beta
+
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+     {
+       _stack[i++] = _suffixes[cur];
+       cur = _parents[cur];
++      if (cur >= kNumItems || i >= kNumItems)
++        break;
+     }
+-    
++
++    if (cur >= kNumItems || i >= kNumItems)
++      break;
++
+     _stack[i++] = (Byte)cur;
+     lastChar2 = (Byte)cur;
+
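Review bot: Both added guards in `CDecoder::CodeReal` exit with `break` rather than returning an error, so what the caller sees for a corrupt Shrink stream depends on the code after the enclosing loop, which is outside the hunk. If that code is the normal flush-and-return path, a malformed archive would be reported as a successful but silently truncated extraction. It is worth confirming that the function returns a data-error result such as `S_FALSE` in this case. The inner guard also runs only after `_suffixes[cur]` and `_parents[cur]` have been indexed, so the first pass of the loop relies on `cur` being in range on entry, which the hunk does not show.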