summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi38
-rw-r--r--gnu/local.mk18
-rw-r--r--gnu/packages/audio.scm2
-rw-r--r--gnu/packages/base.scm24
-rw-r--r--gnu/packages/boost.scm26
-rw-r--r--gnu/packages/build-tools.scm4
-rw-r--r--gnu/packages/certs.scm4
-rw-r--r--gnu/packages/cmake.scm4
-rw-r--r--gnu/packages/compression.scm12
-rw-r--r--gnu/packages/cups.scm8
-rw-r--r--gnu/packages/curl.scm18
-rw-r--r--gnu/packages/cyrus-sasl.scm9
-rw-r--r--gnu/packages/databases.scm5
-rw-r--r--gnu/packages/emacs.scm10
-rw-r--r--gnu/packages/freedesktop.scm12
-rw-r--r--gnu/packages/geo.scm3
-rw-r--r--gnu/packages/ghostscript.scm8
-rw-r--r--gnu/packages/gl.scm23
-rw-r--r--gnu/packages/glib.scm15
-rw-r--r--gnu/packages/gnome.scm51
-rw-r--r--gnu/packages/gnuzilla.scm8
-rw-r--r--gnu/packages/gstreamer.scm28
-rw-r--r--gnu/packages/gtk.scm44
-rw-r--r--gnu/packages/icu4c.scm4
-rw-r--r--gnu/packages/image.scm12
-rw-r--r--gnu/packages/imagemagick.scm4
-rw-r--r--gnu/packages/inkscape.scm19
-rw-r--r--gnu/packages/kerberos.scm4
-rw-r--r--gnu/packages/libevent.scm4
-rw-r--r--gnu/packages/libreoffice.scm42
-rw-r--r--gnu/packages/linux.scm51
-rw-r--r--gnu/packages/llvm.scm20
-rw-r--r--gnu/packages/maths.scm4
-rw-r--r--gnu/packages/mpd.scm2
-rw-r--r--gnu/packages/nettle.scm4
-rw-r--r--gnu/packages/openldap.scm10
-rw-r--r--gnu/packages/patches/cairo-CVE-2016-9082.patch122
-rw-r--r--gnu/packages/patches/cairo-setjmp-wrapper.patch78
-rw-r--r--gnu/packages/patches/cyrus-sasl-CVE-2013-4122.patch130
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2018-16509.patch193
-rw-r--r--gnu/packages/patches/ghostscript-bug-699708.patch160
-rw-r--r--gnu/packages/patches/glib-networking-ssl-cert-file.patch29
-rw-r--r--gnu/packages/patches/gnutls-skip-pkgconfig-test.patch24
-rw-r--r--gnu/packages/patches/inkscape-poppler-compat3.patch499
-rw-r--r--gnu/packages/patches/json-glib-fix-tests-32bit.patch174
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-18013.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-9935.patch162
-rw-r--r--gnu/packages/patches/libtiff-CVE-2018-10963.patch40
-rw-r--r--gnu/packages/patches/libtiff-CVE-2018-8905.patch61
-rw-r--r--gnu/packages/patches/poppler-CVE-2018-19149.patch80
-rw-r--r--gnu/packages/patches/postgresql-disable-resolve_symlinks.patch25
-rw-r--r--gnu/packages/patches/texlive-bin-luatex-poppler-compat.patch318
-rw-r--r--gnu/packages/patches/texlive-bin-pdftex-poppler-compat.patch188
-rw-r--r--gnu/packages/patches/texlive-bin-xetex-poppler-compat.patch31
-rw-r--r--gnu/packages/pdf.scm13
-rw-r--r--gnu/packages/ruby.scm25
-rw-r--r--gnu/packages/scribus.scm54
-rw-r--r--gnu/packages/spice.scm6
-rw-r--r--gnu/packages/storage.scm2
-rw-r--r--gnu/packages/tex.scm10
-rw-r--r--gnu/packages/tls.scm17
-rw-r--r--gnu/packages/video.scm4
-rw-r--r--gnu/packages/vulkan.scm11
-rw-r--r--gnu/packages/web.scm26
-rw-r--r--gnu/packages/xdisorg.scm8
-rw-r--r--gnu/services/databases.scm63
66 files changed, 1519 insertions, 1633 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 20b5013fd9..c47ba4e3f6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14214,13 +14214,49 @@ The @code{(gnu services databases)} module provides the following services.
 
 @deffn {Scheme Procedure} postgresql-service [#:postgresql postgresql] @
        [#:config-file] [#:data-directory ``/var/lib/postgresql/data''] @
-       [#:port 5432] [#:locale ``en_US.utf8'']
+       [#:port 5432] [#:locale ``en_US.utf8''] [#:extension-packages '()]
 Return a service that runs @var{postgresql}, the PostgreSQL database
 server.
 
 The PostgreSQL daemon loads its runtime configuration from @var{config-file},
 creates a database cluster with @var{locale} as the default
 locale, stored in @var{data-directory}.  It then listens on @var{port}.
+
+@cindex postgresql extension-packages
+Additional extensions are loaded from packages listed in
+@var{extension-packages}.  Extensions are available at runtime.  For instance,
+to create a geographic database using the @code{postgis} extension, a user can
+configure the postgresql-service as in this example:
+
+@cindex postgis
+@example
+(use-package-modules databases geo)
+
+(operating-system
+  ...
+  ;; postgresql is required to run `psql' but postgis is not required for
+  ;; proper operation.
+  (packages (cons* postgresql %base-packages))
+  (services
+    (cons*
+      (postgresql-service #:extension-packages (list postgis))
+      %base-services)))
+@end example
+
+Then the extension becomes visible and you can initialise an empty geographic
+database in this way:
+
+@example
+psql -U postgres
+> create database postgistest;
+> \connect postgistest;
+> create extension postgis;
+> create extension postgis_topology;
+@end example
+
+There is no need to add this field for contrib extensions such as hstore or
+dblink as they are already loadable by postgresql.  This field is only
+required to add extensions provided by other packages.
 @end deffn
 
 @deffn {Scheme Procedure} mysql-service [#:config (mysql-configuration)]
diff --git a/gnu/local.mk b/gnu/local.mk
index 4f2437befa..41c94235a7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -608,8 +608,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/blender-newer-ffmpeg.patch		\
   %D%/packages/patches/boost-fix-icu-build.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
-  %D%/packages/patches/cairo-CVE-2016-9082.patch			\
-  %D%/packages/patches/cairo-setjmp-wrapper.patch		\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/calibre-use-packaged-feedparser.patch	\
   %D%/packages/patches/casync-renameat2-declaration.patch	\
@@ -651,7 +649,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-2017-12836.patch			\
-  %D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch		\
   %D%/packages/patches/datamash-arm-tests.patch			\
   %D%/packages/patches/dbus-helper-search-path.patch		\
   %D%/packages/patches/deja-dup-use-ref-keyword-for-iter.patch	\
@@ -740,13 +737,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
   %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch	\
   %D%/packages/patches/ghc-haddock-library-unbundle.patch		\
-  %D%/packages/patches/ghostscript-CVE-2018-16509.patch		\
-  %D%/packages/patches/ghostscript-bug-699708.patch		\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
   %D%/packages/patches/giflib-make-reallocarray-private.patch	\
-  %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
   %D%/packages/patches/glibc-CVE-2015-5180.patch		\
   %D%/packages/patches/glibc-CVE-2015-7547.patch		\
@@ -777,7 +771,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnucash-price-quotes-perl.patch		\
   %D%/packages/patches/gnucash-disable-failing-tests.patch	\
   %D%/packages/patches/gnutls-skip-trust-store-test.patch	\
-  %D%/packages/patches/gnutls-skip-pkgconfig-test.patch		\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
@@ -832,6 +825,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/icedtea-7-hotspot-gcc-segfault-workaround.patch  \
   %D%/packages/patches/id3lib-CVE-2007-4460.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/inkscape-poppler-compat3.patch		\
   %D%/packages/patches/intltool-perl-compatibility.patch	\
   %D%/packages/patches/irrlicht-use-system-libs.patch		\
   %D%/packages/patches/isl-0.11.1-aarch64-support.patch	\
@@ -846,7 +840,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/java-xerces-build_dont_unzip.patch	\
   %D%/packages/patches/java-xerces-xjavac_taskdef.patch	\
   %D%/packages/patches/jbig2dec-ignore-testtest.patch		\
-  %D%/packages/patches/json-glib-fix-tests-32bit.patch		\
   %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
   %D%/packages/patches/khmer-use-libraries.patch                \
   %D%/packages/patches/libziparchive-add-includes.patch		\
@@ -916,10 +909,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtheora-config-guess.patch		\
-  %D%/packages/patches/libtiff-CVE-2017-9935.patch		\
-  %D%/packages/patches/libtiff-CVE-2017-18013.patch		\
-  %D%/packages/patches/libtiff-CVE-2018-8905.patch		\
-  %D%/packages/patches/libtiff-CVE-2018-10963.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
@@ -1064,9 +1053,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/plotutils-libpng-jmpbuf.patch		\
   %D%/packages/patches/podofo-cmake-3.12.patch			\
   %D%/packages/patches/polkit-CVE-2018-19788.patch		\
-  %D%/packages/patches/poppler-CVE-2018-19149.patch		\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
   %D%/packages/patches/portmidi-modular-build.patch		\
+  %D%/packages/patches/postgresql-disable-resolve_symlinks.patch	\
   %D%/packages/patches/potrace-tests.patch			\
   %D%/packages/patches/procmail-ambiguous-getline-debian.patch  \
   %D%/packages/patches/procmail-CVE-2014-3618.patch		\
@@ -1188,6 +1177,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/teeworlds-use-latest-wavpack.patch	\
   %D%/packages/patches/texinfo-perl-compat.patch		\
   %D%/packages/patches/texinfo-5-perl-compat.patch		\
+  %D%/packages/patches/texlive-bin-luatex-poppler-compat.patch	\
+  %D%/packages/patches/texlive-bin-pdftex-poppler-compat.patch	\
+  %D%/packages/patches/texlive-bin-xetex-poppler-compat.patch	\
   %D%/packages/patches/telegram-purple-adjust-test.patch	\
   %D%/packages/patches/texi2html-document-encoding.patch	\
   %D%/packages/patches/texi2html-i18n.patch			\
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 2786f62163..7f72531664 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -2274,7 +2274,7 @@ external_libraries/yaml-cpp/include)"))
        ("eudev" ,eudev)                 ;for user interactions with devices
        ("avahi" ,avahi)                 ;zeroconf service discovery support
        ("icu4c" ,icu4c)
-       ("boost" ,boost-cxx14)
+       ("boost" ,boost)
        ("boost-sync" ,boost-sync)
        ("yaml-cpp" ,yaml-cpp)))
     (home-page "https://github.com/supercollider/supercollider")
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 60f8051dc6..932416a60d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -1097,7 +1097,7 @@ command.")
 (define-public tzdata
   (package
     (name "tzdata")
-    (version "2018e")
+    (version "2018g")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1105,7 +1105,7 @@ command.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "0bk97fv2i5ns42prpmlaadsswdjwv0ifi7whj2s4q6l44rcqwa3b"))))
+               "05kayi3w9pvhj6ljx1hvwd0r8mxfzn436fjmwhx53xkj919xxpq2"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
@@ -1155,7 +1155,7 @@ command.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "1kpb02631s58i068mwq63xlamcv1ffj4p6y4wpb9kdl01vr0qd6a"))))))
+                            "09y44fzcdq3c06saa8iqqa0a59cyw6ni3p31ps0j1w3hcpxz8lxa"))))))
     (home-page "https://www.iana.org/time-zones")
     (synopsis "Database of current and historical time zones")
     (description "The Time Zone Database (often called tz or zoneinfo)
@@ -1173,23 +1173,7 @@ and daylight-saving rules.")
 (define-public tzdata-for-tests
   (hidden-package
    (package
-     (inherit tzdata)
-     (version "2018d")
-     (source (origin
-               (method url-fetch)
-               (uri (string-append "https://www.iana.org/time-zones/repository"
-                                   "/releases/tzdata" version ".tar.gz"))
-               (sha256
-                (base32
-                 "0m6020dnk9r40z7k36jp13fa06xip3hn0fdx3nly66jzxgffs1ji"))))
-     (inputs `(("tzcode" ,(origin
-                            (method url-fetch)
-                            (uri (string-append
-                                  "http://www.iana.org/time-zones/repository/releases/tzcode"
-                                  version ".tar.gz"))
-                            (sha256
-                             (base32
-                              "1nd882yhsazmcfqmcqyfig3axycryl30gmizgqhqsx5dpa2lxr3x")))))))))
+     (inherit tzdata))))
 
 (define-public libiconv
   (package
diff --git a/gnu/packages/boost.scm b/gnu/packages/boost.scm
index f9108b3ad6..2fab703ed2 100644
--- a/gnu/packages/boost.scm
+++ b/gnu/packages/boost.scm
@@ -45,16 +45,19 @@
 (define-public boost
   (package
     (name "boost")
-    (version "1.68.0")
+    (version "1.69.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append
-                    "mirror://sourceforge/boost/boost/" version "/boost_"
-                    (string-map (lambda (x) (if (eq? x #\.) #\_ x)) version)
-                    ".tar.bz2"))
+              (uri (let ((version-with-underscores
+                          (string-map (lambda (x) (if (eq? x #\.) #\_ x)) version)))
+                     (list (string-append "mirror://sourceforge/boost/boost/" version
+                                          "/boost_" version-with-underscores ".tar.bz2")
+                           (string-append "https://dl.bintray.com/boostorg/release/"
+                                          version "/source/boost_"
+                                          version-with-underscores ".tar.bz2"))))
               (sha256
                (base32
-                "1dyqsr9yb01y0nnjdq9b8q5s2kvhxbayk34832k5cpzn7jy30qbz"))
+                "01j4n142dz20lcgqji8d8hspp04p1nv7m8i6dz8w5lchfdhx8clg"))
               (patches (search-patches "boost-fix-icu-build.patch"))))
     (build-system gnu-build-system)
     (inputs `(("icu4c" ,icu4c)
@@ -67,6 +70,7 @@
      `(#:tests? #f
        #:make-flags
        (list "threading=multi" "link=shared"
+             "cxxflags=-std=c++14"
 
              ;; Set the RUNPATH to $libdir so that the libs find each other.
              (string-append "linkflags=-Wl,-rpath="
@@ -122,16 +126,6 @@ across a broad spectrum of applications.")
     (license (license:x11-style "https://www.boost.org/LICENSE_1_0.txt"
                                 "Some components have other similar licences."))))
 
-;; Some programs need Boost to be built with C++14 support.
-(define-public boost-cxx14
-  (package (inherit boost)
-    (arguments
-      (substitute-keyword-arguments (package-arguments boost)
-        ((#:make-flags flags)
-         `(append ,flags
-                  '("cxxflags=-std=c++14")))))
-    (properties '((hidden? . #t)))))
-
 (define-public boost-for-mysql
   ;; Older version for MySQL 5.7.23.
   (package
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index a34e7ebff4..628b36fff5 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -158,7 +158,7 @@ files and generates build instructions for the Ninja build system.")
 (define-public meson
   (package
     (name "meson")
-    (version "0.47.2")
+    (version "0.49.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/mesonbuild/meson/"
@@ -166,7 +166,7 @@ files and generates build instructions for the Ninja build system.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1swmycf6p9p0ag6yiywyyri42ffkxxj38r2ic7in24km47cszn4j"))))
+                "0l8m1v7cl5ybm7psfqmmdqbvmnsbb1qhb8ni3hwap3i0mk29a0zv"))))
     (build-system python-build-system)
     (arguments
      `(;; FIXME: Tests require many additional inputs, a fix for the RUNPATH
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 6af6877423..bb66d27026 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -76,7 +76,7 @@
 (define-public nss-certs
   (package
     (name "nss-certs")
-    (version "3.39")
+    (version "3.41")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -87,7 +87,7 @@
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "0jw6qlfl2g47hhx056nvnj6h92bk3sn46hy3ig61a911dzblvrkb"))))
+                "0bbif42fzz5gk451sv3yphdrl7m4p6zgk5jk0307j06xs3sihbmb"))))
     (build-system gnu-build-system)
     (outputs '("out"))
     (native-inputs
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index 5abf087557..7186cf98df 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -44,7 +44,7 @@
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.12.2")
+    (version "3.13.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.cmake.org/files/v"
@@ -52,7 +52,7 @@
                                   "/cmake-" version ".tar.gz"))
               (sha256
                (base32
-                "19410mxgcyvk5q42phaclb1hz6rl08z4yj8iriq706p5k5bli5qg"))
+                "04123d7fgnn1fs5p0nwyq397ss89r0y4wkg9a09qiwkjsvk1rzmy"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index e8a50c676c..c87ccda304 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -796,13 +796,13 @@ writing of compressed data created with the zlib and bzip2 libraries.")
     (version "1.8.1.2")
     (source
      (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/lz4/lz4/archive/"
-                           "v" version ".tar.gz"))
+       (method git-fetch)
+       (uri (git-reference (url "https://github.com/lz4/lz4")
+                           (commit (string-append "v" version))))
        (sha256
         (base32
-         "1y93h6dyi3026gvpzdv310ldcylnnhwf32n75mdjf8x9fvkskwqj"))
-       (file-name (string-append name "-" version ".tar.gz"))))
+         "1jggv4lvfav53advnj0pwqgxzn868lrj8dc9zp73iwvqlj82mhmx"))
+       (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (native-inputs `(("valgrind" ,valgrind)))   ; for tests
     (arguments
@@ -2263,7 +2263,7 @@ single-member files which can't be decompressed in parallel.")
    (build-system cmake-build-system)
    (arguments
     `(#:tests? #f)) ;; No tests available.
-   (inputs `(("boost" ,boost-cxx14)
+   (inputs `(("boost" ,boost)
              ("libiconv" ,libiconv)
              ("xz" ,xz)))
    (native-inputs `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 4343910d59..5eb66feed5 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -53,7 +53,7 @@
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (version "1.21.0")
+    (version "1.21.5")
     (source(origin
               (method url-fetch)
               (uri
@@ -61,7 +61,7 @@
                               "cups-filters-" version ".tar.xz"))
               (sha256
                (base32
-                "0fs90xx9i4h8gbpligf5kkh21llv4kf5g3bgfbx4z272xkm7bsfi"))
+                "0azq9j7kqy18g6vgmvrbw8i4mcqdp3cbgh7q79x1b8p92w4si6rq"))
               (modules '((guix build utils)))
               (snippet
                ;; install backends, banners and filters to cups-filters output
@@ -176,7 +176,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 (define-public cups-minimal
   (package
     (name "cups-minimal")
-    (version "2.2.8")
+    (version "2.2.10")
     (source
      (origin
        (method url-fetch)
@@ -184,7 +184,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
                            version "/cups-" version "-source.tar.gz"))
        (sha256
         (base32
-         "1r7r7b3nqpzc1a9dczqpj2mr8rkcwf01676v11sp4j7w4qfzqs1r"))))
+         "1fq52aw1mini3ld2czv5gg37wbbvh4n7yc7wzzxvbs3zpfrv5j3p"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 61313af7d2..24180e0073 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -50,15 +50,14 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.61.1")
-   (replacement curl-7.62.0)
+   (version "7.63.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "148qv1f32290r9pwg07mccawihz4srznkzsdwdl2xllvlgb16n9x"))))
+              "1i38v49233jirzlfqd8fy6jyf80assa953hk7w6qmysbg562604n"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -142,19 +141,6 @@ tunneling, and so on.")
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
 
-(define-public curl-7.62.0
-  (package
-    (inherit curl)
-    (version "7.62.0")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://curl.haxx.se/download/curl-"
-                            version ".tar.xz"))
-        (sha256
-         (base32
-          "1hbm29r3pirhn4gkcnd94ylc4jzgn3v3v7qbay9awxg7bwx69dfs"))))))
-
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm
index 60c1e0ef94..0a5e464719 100644
--- a/gnu/packages/cyrus-sasl.scm
+++ b/gnu/packages/cyrus-sasl.scm
@@ -31,7 +31,7 @@
 (define-public cyrus-sasl
   (package
    (name "cyrus-sasl")
-   (version "2.1.26")
+   (version "2.1.27")
    (source (origin
             (method url-fetch)
             (uri (list (string-append
@@ -40,13 +40,14 @@
                        (string-append
                         "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-"
                         version ".tar.gz")))
-            (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))
             (sha256 (base32
-                     "1hvvbcsg21nlncbgs0cgn3iwlnb3vannzwsp6rwvnn9ba4v53g4g"))))
+                     "1m85zcpgfdhm43cavpdkhb1s2zq1b31472hq1w1gs3xh94anp1i6"))))
    (build-system gnu-build-system)
    (inputs `(("gdbm" ,gdbm)
-             ("mit-krb5" ,mit-krb5)
              ("openssl" ,openssl)))
+   (propagated-inputs
+    `(;; cyrus-sasl.pc refers to -lkrb5, so propagate it.
+      ("mit-krb5" ,mit-krb5)))
    (arguments
     '(#:configure-flags (list (string-append "--with-plugindir="
                                              (assoc-ref %outputs "out")
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451ed..7647328361 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -18,7 +18,7 @@
 ;;; Copyright © 2016 Andy Patterson <ajpatter@uwaterloo.ca>
 ;;; Copyright © 2016 Danny Milosavljevic <dannym+a@scratchpost.org>
 ;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com>
-;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2017, 2018 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Jelle Licht <jlicht@fsfe.org>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
@@ -811,7 +811,8 @@ as a drop-in replacement of MySQL.")
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
-                "0jv26y3f10svrjxzsgqxg956c86b664azyk2wppzpa5x11pjga38"))))
+                "0jv26y3f10svrjxzsgqxg956c86b664azyk2wppzpa5x11pjga38"))
+              (patches (search-patches "postgresql-disable-resolve_symlinks.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-uuid=e2fs")
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 358f32cabd..be30198ded 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -1634,7 +1634,15 @@ filters, new key bindings and faces.  It can be enabled by
               (sha256
                (base32
                 "1i4647vax5na73basc5dz4lh9kprir00fh8ps4i0l1y3ippnjs2s"))
-              (patches (search-patches "emacs-pdf-tools-poppler.patch"))))
+              (patches (search-patches "emacs-pdf-tools-poppler.patch"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; In addition to the above patch, we need this additional
+                  ;; provision for compatibility with Poppler 0.72:
+                  (substitute* "server/poppler-hack.cc"
+                    (("getCString") "c_str"))
+                  #t))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f ; there are no tests
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 8982c0ec35..536895cba8 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -147,14 +147,14 @@ freedesktop.org project.")
 (define-public libinput
   (package
     (name "libinput")
-    (version "1.12.1")
+    (version "1.12.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://freedesktop.org/software/libinput/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "14l6bvgq76ls63qc9c448r435q9xiig0rv8ilx6rnjvlgg64h32p"))))
+                "0mg2zqbjcgj0aq7d9nwawvyhx43vakilahrc83hrfyif3a3gyrpj"))))
     (build-system meson-build-system)
     (arguments
      `(#:configure-flags '("-Ddocumentation=false")))
@@ -432,7 +432,7 @@ applications, X servers (rootless or fullscreen) or other display servers.")
 (define-public wayland-protocols
   (package
     (name "wayland-protocols")
-    (version "1.15")
+    (version "1.17")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -440,7 +440,7 @@ applications, X servers (rootless or fullscreen) or other display servers.")
                     "wayland-protocols-" version ".tar.xz"))
               (sha256
                (base32
-                "1qlyf9cllr2p339xxplznh023qcwj5iisp02ikx7ps349dx75fys"))))
+                "0bw1sqixqk2a7mqw630cs4dlgcp5yib90vyikzm3lr05jz7ij4yz"))))
     (build-system gnu-build-system)
     (inputs
      `(("wayland" ,wayland)))
@@ -763,7 +763,7 @@ which speak the Mobile Interface Broadband Model (MBIM) protocol.")
 (define-public libqmi
   (package
     (name "libqmi")
-    (version "1.20.0")
+    (version "1.20.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -771,7 +771,7 @@ which speak the Mobile Interface Broadband Model (MBIM) protocol.")
                     name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1d3fca477sdwbv4bsq1cl98qc8sixrzp0gqjcmjj8mlwfk9qqhi1"))))
+                "0i6aw8jyxv84d5x8lj2g9lb8xxf1dyad8n3q0kw164pyig55jd67"))))
     (build-system gnu-build-system)
     (inputs
      `(("libgudev" ,libgudev)))
diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm
index fa2b259d7c..26f566a18b 100644
--- a/gnu/packages/geo.scm
+++ b/gnu/packages/geo.scm
@@ -753,7 +753,8 @@ utilities for data translation and processing.")
     (synopsis "Spatial database extender for PostgreSQL")
     (description "PostGIS is a spatial database extender for PostgreSQL
 object-relational database.  It adds support for geographic objects allowing
-location queries to be run in SQL.")
+location queries to be run in SQL.  This package provides a PostgreSQL
+extension.")
     (license (list
                ;; General license
                license:gpl2+
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index b46451d94e..d8c0050513 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -135,7 +135,7 @@ printing, and psresize, for adjusting page sizes.")
 (define-public ghostscript
   (package
     (name "ghostscript")
-    (version "9.24")
+    (version "9.26")
     (source
       (origin
         (method url-fetch)
@@ -145,10 +145,8 @@ printing, and psresize, for adjusting page sizes.")
                             "/ghostscript-" version ".tar.xz"))
         (sha256
          (base32
-          "1mk922rnml93w2g42yxiyn8xqanc50cm65irrgh0b6lp4kgifjfl"))
-        (patches (search-patches "ghostscript-CVE-2018-16509.patch"
-                                 "ghostscript-bug-699708.patch"
-                                 "ghostscript-no-header-creationdate.patch"
+          "1645f47all5w27bfhiq15vycdm954lmr6agqkrp68ksq6xglgvch"))
+        (patches (search-patches "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
         (modules '((guix build utils)))
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index d7c112928f..1c2632b9aa 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -53,6 +53,7 @@
   #:use-module (guix build utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system cmake)
+  #:use-module (guix build-system meson)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix utils)
@@ -220,7 +221,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "18.1.8")
+    (version "18.3.1")
     (source
       (origin
         (method url-fetch)
@@ -232,7 +233,7 @@ also known as DXTn or DXTC) for Mesa.")
                                   version "/mesa-" version ".tar.xz")))
         (sha256
          (base32
-          "06y28hpynb8w1qagznr85ml48hf8264w4ji6cmvm2fy7x5zyc6xx"))
+          "0qyw9dj2p9n91qzc4ylck2an7ibssjvzi2bjcpv2ajk851yq47sv"))
         (patches
          (search-patches "mesa-skip-disk-cache-test.patch"))))
     (build-system gnu-build-system)
@@ -252,11 +253,11 @@ also known as DXTn or DXTC) for Mesa.")
         ("libva" ,(force libva-without-mesa))
         ("libxml2" ,libxml2)
         ;; TODO: Add 'libxml2-python' for OpenGL ES 1.1 and 2.0 support
+        ("libxrandr" ,libxrandr)
         ("libxvmc" ,libxvmc)
         ,@(match (%current-system)
             ((or "x86_64-linux" "i686-linux")
-             ;; FIXME: Change to 'llvm' in the next rebuild cycle.
-             `(("llvm" ,llvm-without-rtti)))
+             `(("llvm" ,llvm)))
             (_
              `()))
         ("makedepend" ,makedepend)
@@ -264,8 +265,8 @@ also known as DXTn or DXTC) for Mesa.")
         ("wayland-protocols" ,wayland-protocols)))
     (native-inputs
       `(("pkg-config" ,pkg-config)
-        ("python" ,python-2)
-        ("python2-mako" ,python2-mako)
+        ("python" ,python)
+        ("python-mako" ,python-mako)
         ("which" ,(@ (gnu packages base) which))))
     (arguments
      `(#:configure-flags
@@ -290,9 +291,6 @@ also known as DXTn or DXTC) for Mesa.")
          "--enable-gles2"
          "--enable-gbm"
          "--enable-shared-glapi"
-         ;; Without floating point texture support, drivers such as Nouveau
-         ;; are stuck at OpenGL 2.1 instead of OpenGL 3.0+.
-         "--enable-texture-float"
 
          ;; Enable Vulkan on i686-linux and x86-64-linux.
          ,@(match (%current-system)
@@ -547,7 +545,7 @@ OpenGL graphics API.")
 (define-public libepoxy
   (package
     (name "libepoxy")
-    (version "1.5.2")
+    (version "1.5.3")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -555,10 +553,11 @@ OpenGL graphics API.")
                     version "/libepoxy-" version ".tar.xz"))
               (sha256
                (base32
-                "1n57xj5i6giw4mp5s59w1m9bm33sd6gjg7r00dzzvcwya6326mm9"))))
+                "0ga3qjv50x37my6pw5xr14g5n6z78hy5s8s06kays8c3ab2mha80"))))
     (arguments
      `(#:phases
        (modify-phases %standard-phases
+         (delete 'bootstrap)
          (add-before
            'configure 'patch-paths
            (lambda* (#:key inputs #:allow-other-keys)
@@ -570,7 +569,7 @@ OpenGL graphics API.")
                  (("libGL.so.1") (string-append mesa "/lib/libGL.so.1"))
                  (("libEGL.so.1") (string-append mesa "/lib/libEGL.so.1")))
                #t))))))
-    (build-system gnu-build-system)
+    (build-system meson-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("python" ,python)))
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index cd9b48caff..dee349395d 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -79,7 +79,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.12.10")
+    (version "1.12.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -87,7 +87,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "1xywijmgfad4m3cxp0b4l6kvypwc53ckmhwwzbrc6n32jwj3ssab"))
+                "1y7mxhkw2shd9mi9s62k81lz8npjkrafapr4fyfms7hs04kg4ilm"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -149,7 +149,7 @@ shared NFS home directories.")
 (define glib
   (package
    (name "glib")
-   (version "2.56.2")
+   (version "2.56.3")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -157,7 +157,7 @@ shared NFS home directories.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "12d738n1wpvrn39zvy9xazg5h6vzyiwsw8z1qibcj09mh4bbsjnn"))
+              "1cjcqz77m62zrx7224vl3f2cxwqf28r5xpqb2jy7av0vr2scb959"))
             (patches (search-patches "glib-tests-timer.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"           ; everything
@@ -184,9 +184,6 @@ shared NFS home directories.")
       (modify-phases %standard-phases
         (add-before 'build 'pre-build
           (lambda* (#:key inputs outputs #:allow-other-keys)
-            ;; For building deterministic pyc files
-            (setenv "DETERMINISTIC_BUILD" "1")
-
             ;; For tests/gdatetime.c.
             (setenv "TZDIR"
                     (string-append (assoc-ref inputs "tzdata")
@@ -485,7 +482,7 @@ by GDBus included in Glib.")
 (define libsigc++
   (package
     (name "libsigc++")
-    (version "2.10.0")
+    (version "2.10.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/libsigc++/"
@@ -493,7 +490,7 @@ by GDBus included in Glib.")
                                  name "-" version ".tar.xz"))
              (sha256
               (base32
-               "10cd54l4zihss9qxfhd2iip2k7mr292k37i54r2cpgv0c8sdchzq"))))
+               "00v08km4wwzbh6vjxb21388wb9dm6g2xh14rgwabnv4c2wk5z8n9"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("m4" ,m4)))
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 415398eeee..95bfcaf564 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -360,12 +360,6 @@ formats like PNG, SVG, PDF and EPS.")
     (arguments
      '(#:phases
        (modify-phases %standard-phases
-         (add-before 'check 'use-empty-ssl-cert-file
-           (lambda _
-             ;; The ca-certificates.crt is not available in the build
-             ;; environment.
-             (setenv "SSL_CERT_FILE" "/dev/null")
-             #t))
          (add-before 'check 'disable-failing-tests
            (lambda _
              ;; The PicasaWeb API tests fail with gnome-online-accounts@3.24.2.
@@ -2295,16 +2289,15 @@ configuration storage systems.")
 (define-public json-glib
   (package
     (name "json-glib")
-    (version "1.4.2")
+    (version "1.4.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
                                   (version-major+minor version) "/"
                                   name "-" version ".tar.xz"))
-              (patches (search-patches "json-glib-fix-tests-32bit.patch"))
               (sha256
                (base32
-                "1j3dd2xj1l9fi12m1gpmfgf5p4c1w0i970m6k62k3is98yj0jxrd"))))
+                "0ixwyis47v5bkx6h8a1iqlw3638cxcv57ivxv4gw2gaig51my33j"))))
     (build-system meson-build-system)
     (native-inputs
      `(("gettext" ,gettext-minimal)
@@ -2397,7 +2390,7 @@ library.")
 (define-public glib-networking
   (package
     (name "glib-networking")
-    (version "2.54.1")
+    (version "2.58.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/glib-networking/"
@@ -2405,29 +2398,17 @@ library.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0bq16m9nh3gcz9x2fvygr0iwxd2pxcbrm3lj3kihsnh1afv8g9za"))
-              (patches
-               (search-patches "glib-networking-ssl-cert-file.patch"))))
-    (build-system gnu-build-system)
+                "0s006gs9nsq6mg31spqha1jffzmp6qjh10y27h0fxf1iw1ah5ymx"))))
+    (build-system meson-build-system)
     (arguments
-     `(#:configure-flags
-       '("--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt")
-       #:phases
-       (modify-phases %standard-phases
-         (add-before 'configure 'patch-giomoduledir
-           ;; Install GIO modules into $out/lib/gio/modules.
-           (lambda _
-             (substitute* "configure"
-               (("GIO_MODULE_DIR=.*")
-                (string-append "GIO_MODULE_DIR=" %output
-                               "/lib/gio/modules\n")))
-             #t))
-         (add-before 'check 'use-empty-ssl-cert-file
-           (lambda _
-             ;; The ca-certificates.crt is not available in the build
-             ;; environment.
-             (setenv "SSL_CERT_FILE" "/dev/null")
-             #t)))))
+     `(#:configure-flags '("-Dlibproxy_support=false")
+       #:phases (modify-phases %standard-phases
+                  (add-before 'check 'disable-TLSv1.3
+                    (lambda _
+                      ;; XXX: One test fails when TLS 1.3 is enabled, fixed in 2.60.0:
+                      ;; <https://gitlab.com/gnutls/gnutls/issues/615>.
+                      (setenv "G_TLS_GNUTLS_PRIORITY" "NORMAL:-VERS-TLS1.3")
+                      #t)))))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("intltool" ,intltool)))
@@ -2517,9 +2498,6 @@ libxml to ease remote use of the RESTful API.")
              ;; The 'check-local' target runs 'env LANG=C sort -u',
              ;; unset 'LC_ALL' to make 'LANG' working.
              (unsetenv "LC_ALL")
-             ;; The ca-certificates.crt is not available in the build
-             ;; environment.
-             (setenv "SSL_CERT_FILE" "/dev/null")
              ;; HTTPD in Guix uses mod_event and does not build prefork.
              (substitute* "tests/httpd.conf"
                (("^LoadModule mpm_prefork_module.*$") "\n"))
@@ -2557,7 +2535,8 @@ libxml to ease remote use of the RESTful API.")
                            ""               ;URI of subject
                            "127.0.0.1"      ;IP address of subject
                            ""               ;signing?
-                           ""               ;encryption?
+                           ""               ;encryption (RSA)?
+                           ""               ;data encryption?
                            ""               ;sign OCSP requests?
                            ""               ;sign code?
                            ""               ;time stamping?
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 9eb989a0b8..5582077162 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -365,7 +365,7 @@ in the Mozilla clients.")
 (define-public nss
   (package
     (name "nss")
-    (version "3.39")
+    (version "3.41")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -376,7 +376,7 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "0jw6qlfl2g47hhx056nvnj6h92bk3sn46hy3ig61a911dzblvrkb"))
+                "0bbif42fzz5gk451sv3yphdrl7m4p6zgk5jk0307j06xs3sihbmb"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
                                        "nss-increase-test-timeout.patch"))))
@@ -416,7 +416,7 @@ in the Mozilla clients.")
            (lambda _
              ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for testing.
              ;; The later requires a working DNS or /etc/hosts.
-             (setenv "DOMSUF" "(none)")
+             (setenv "DOMSUF" "localdomain")
              (setenv "USE_IP" "TRUE")
              (setenv "IP_ADDRESS" "127.0.0.1")
 
@@ -424,7 +424,7 @@ in the Mozilla clients.")
              ;; leading to test failures:
              ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
              ;; work around that, set the time to roughly the release date.
-             (invoke "faketime" "2018-09-01" "./nss/tests/all.sh")))
+             (invoke "faketime" "2018-12-01" "./nss/tests/all.sh")))
            (replace 'install
              (lambda* (#:key outputs #:allow-other-keys)
                (let* ((out (assoc-ref outputs "out"))
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index f43a0fc2f5..755904231b 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -102,7 +102,7 @@ arrays of data.")
 (define-public gstreamer
   (package
     (name "gstreamer")
-    (version "1.14.3")
+    (version "1.14.4")
     (source
      (origin
       (method url-fetch)
@@ -111,7 +111,7 @@ arrays of data.")
             version ".tar.xz"))
       (sha256
        (base32
-        "0mh4755an4gk0z3ygqhjpdjk0r2cwswbpwfgl0x6qmnln4757bhk"))))
+        "1izzhnlsy83rgr4zl3jcl1sryxqbbigrrqw3j4x3nnphqnb6ckzr"))))
     (build-system gnu-build-system)
     (outputs '("out" "doc"))
     (arguments
@@ -150,7 +150,7 @@ This package provides the core library and elements.")
 (define-public gst-plugins-base
   (package
     (name "gst-plugins-base")
-    (version "1.14.3")
+    (version "1.14.4")
     (source
      (origin
       (method url-fetch)
@@ -158,7 +158,7 @@ This package provides the core library and elements.")
                           name "-" version ".tar.xz"))
       (sha256
        (base32
-        "0lkr1fm3bz21nqq9vi5v74mlxw6dd6i7piw00fhc5zz0dg1ikczh"))))
+        "0qbllw4kphchwhy4p7ivdysigx69i97gyw6q0rvkx1j81r4kjqfa"))))
     (build-system gnu-build-system)
     (outputs '("out" "doc"))
     (propagated-inputs
@@ -209,7 +209,7 @@ for the GStreamer multimedia library.")
 (define-public gst-plugins-good
   (package
     (name "gst-plugins-good")
-    (version "1.14.3")
+    (version "1.14.4")
     (source
      (origin
       (method url-fetch)
@@ -218,7 +218,7 @@ for the GStreamer multimedia library.")
             name "-" version ".tar.xz"))
       (sha256
        (base32
-        "0pgzgfqbfp8lz2ns68797xfxdr0cr5rpi93wd1h2grhbmzkbq4ji"))))
+        "0y89qynb4b6fry3h43z1r99qslmi3m8xhlq0i5baq2nbc0r5b2sz"))))
     (build-system gnu-build-system)
     (inputs
      `(("aalib" ,aalib)
@@ -271,14 +271,14 @@ developers consider to have good quality code and correct functionality.")
 (define-public gst-plugins-bad
   (package
     (name "gst-plugins-bad")
-    (version "1.14.3")
+    (version "1.14.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gstreamer.freedesktop.org/src/"
                                   name "/" name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1mczcna91f3kkk3yv5fkfa8nmqdr9d93aq9z4d8sv18vkiflw8mj"))))
+                "1r8dma3x127rbx42yab7kwq7q1bhkmvz2ykn0rnqnzl95q74w2wi"))))
     (outputs '("out" "doc"))
     (build-system gnu-build-system)
     (arguments
@@ -346,7 +346,7 @@ par compared to the rest.")
 (define-public gst-plugins-ugly
   (package
     (name "gst-plugins-ugly")
-    (version "1.14.3")
+    (version "1.14.4")
     (source
      (origin
        (method url-fetch)
@@ -354,7 +354,7 @@ par compared to the rest.")
                            name "/" name "-" version ".tar.xz"))
        (sha256
         (base32
-         "01i31g5rvw36rjlyi9w24n0g1xa6053d14vaiba6vqpas727z123"))))
+         "08vd1xgwmapnviah47zv5h2r02qdd20y4f07rvv5zhv6y4vxh0mc"))))
     (build-system gnu-build-system)
     (inputs
      `(("gst-plugins-base" ,gst-plugins-base)
@@ -381,7 +381,7 @@ distribution problems in some jurisdictions, e.g. due to patent threats.")
 (define-public gst-libav
   (package
     (name "gst-libav")
-    (version "1.14.3")
+    (version "1.14.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -389,7 +389,7 @@ distribution problems in some jurisdictions, e.g. due to patent threats.")
                     name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0xxnb80yhfa42x4wx1928zydaal35b2mcj0zdcdsv1apnjdm40wv"))
+                "1nk5g24z2xx5kaw5cg8dv8skdc516inahmkymcz8bxqxj28qbmyz"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -417,7 +417,7 @@ compression formats through the use of the libav library.")
 (define-public python-gst
   (package
     (name "python-gst")
-    (version "1.14.3")
+    (version "1.14.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -425,7 +425,7 @@ compression formats through the use of the libav library.")
                     "gst-python-" version ".tar.xz"))
               (sha256
                (base32
-                "01w3mpimbm8drifhrkvpns79h15kd9h9v0dynr7yb12kjrnfghsg"))))
+                "06ssx19fs6pg4d32p9ph9w4f0xwmxaw2dxfj17rqkn5njd7v5zfh"))))
     (build-system gnu-build-system)
     (arguments
      ;; XXX: Factorize python-sitedir with python-build-system.
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 08f92df96c..1776d91f33 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -76,7 +76,9 @@
   #:use-module (gnu packages cups)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xorg)
-  #:use-module (gnu packages xdisorg))
+  #:use-module (gnu packages xdisorg)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26))
 
 (define-public atk
   (package
@@ -113,16 +115,14 @@ tools have full access to view and control running applications.")
 (define-public cairo
   (package
    (name "cairo")
-   (version "1.14.12")
+   (version "1.16.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://cairographics.org/releases/cairo-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "05mzyxkvsfc1annjw2dja8vka01ampp9pp93lg09j8hba06g144c"))
-            (patches (search-patches "cairo-CVE-2016-9082.patch"
-                                     "cairo-setjmp-wrapper.patch"))))
+              "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy"))))
    (build-system gnu-build-system)
    (propagated-inputs
     `(("fontconfig" ,fontconfig)
@@ -180,7 +180,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.8.8")
+   (version "2.2.0")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.freedesktop.org/software/"
@@ -188,7 +188,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "1ag3scnm1fcviqgx2p4858y433mr0ndqw6zccnccrqcr9mpcird8"))))
+               "047q63jr513azf3g1y7f5xn60b4jdjs9zsmrx04sfw5rasyzrk5p"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
@@ -456,7 +456,7 @@ highlighting and other features typical of a source code editor.")
               "0ixfmnxjylx06mjaw116apymwi1a8rnkmkbbvqaxxg2pfwy9fl6x"))))
    (build-system meson-build-system)
    (arguments
-    '(#:configure-flags '("-Dinstalled-tests=false")
+    `(#:configure-flags '("-Dinstalled_tests=false")
       #:phases
       (modify-phases %standard-phases
         (add-after
@@ -471,12 +471,15 @@ highlighting and other features typical of a source code editor.")
              ;; ERROR:pixbuf-jpeg.c:74:test_type9_rotation_exif_tag:
              ;; assertion failed (error == NULL): Data differ
              ;; (gdk-pixbuf-error-quark, 0)
-             ((".*'pixbuf-jpeg'.*") "")
-             ;; Extend the timeout of the test suite.
-             ;; TODO: Check upstreaming effort:
-             ;; https://gitlab.gnome.org/GNOME/gdk-pixbuf/merge_requests/21
-             (("300") "1800"))
+             ((".*'pixbuf-jpeg'.*") ""))
            #t))
+        ;; The slow tests take longer than the specified timeout.
+        ,@(if (any (cute string=? <> (%current-system))
+                   '("armhf-linux" "aarch64-linux"))
+            '((replace 'check
+              (lambda _
+                (invoke "meson" "test" "--timeout-multiplier" "5"))))
+            '())
         (add-before 'configure 'aid-install-script
           (lambda* (#:key outputs #:allow-other-keys)
             ;; "build-aux/post-install.sh" invokes `gdk-pixbuf-query-loaders`
@@ -688,7 +691,7 @@ application suites.")
    (name "gtk+")
    ;; NOTE: When updating the version of 'gtk+', the hash of 'mate-themes' in
    ;;       mate.scm will also need to be updated.
-   (version "3.24.0")
+   (version "3.24.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -696,9 +699,18 @@ application suites.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1a1jbsh9fg5ykmwrcl3svy7xfvx0b87d314qsx9n483pj8w93s82"))
+              "14l8mimdm44r3h5pn5hzigl1z25jna8jxvb16l88v4nc4zj0afsv"))
             (patches (search-patches "gtk3-respect-GUIX_GTK3_PATH.patch"
-                                     "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))))
+                                     "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))
+            (modules '((guix build utils)))
+            (snippet
+             '(begin
+                ;; Version 3.24.2 was released with a typo that broke the build.
+                ;; See upstream commit 2905fc861acda3d134a198e56ef2f6c962ad3061
+                ;; at <https://gitlab.gnome.org/GNOME/gtk/tree/gtk-3-24>
+                (substitute* "docs/tools/shooter.c"
+                  (("gdk_screen_get_dfeault") "gdk_screen_get_default"))
+                #t))))
    (outputs '("out" "bin" "doc"))
    (propagated-inputs
     `(("at-spi2-atk" ,at-spi2-atk)
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 2d28107e81..6e93d6aed9 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -32,7 +32,7 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (version "62.1")
+   (version "63.1")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -42,7 +42,7 @@
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
             (sha256
-             (base32 "18ssgnwzzpm1g1fvbm9h1fvryiwxvvn5wc3fdakdsl33cs6qdn9x"))))
+             (base32 "17fbk0lm2clsxbmjzvyp245ayx0n4chji3ky1f3fbz2ljjv91i05"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 207faede91..1a6b8fe1c9 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -461,7 +461,7 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.9")
+   (version "4.0.10")
    (source
      (origin
        (method url-fetch)
@@ -469,11 +469,7 @@ extracting icontainer icon files.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))
-       (patches (search-patches "libtiff-CVE-2017-9935.patch"
-                                "libtiff-CVE-2017-18013.patch"
-                                "libtiff-CVE-2018-8905.patch"
-                                "libtiff-CVE-2018-10963.patch"))))
+         "1r4np635gr6zlc0bic38dzvxia6iqzcrary4n1ylarzpr8fd2lic"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
@@ -1297,14 +1293,14 @@ PNG, and performs PNG integrity checks and corrections.")
 (define-public libjpeg-turbo
   (package
     (name "libjpeg-turbo")
-    (version "2.0.0")
+    (version "2.0.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/" name "/" version "/"
                                   name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0s48zz6awd493hmb200abmsizh68fh1jmz98r41n4c8dbl87d23p"))))
+                "1zv6z093l3x3jzygvni7b819j7xhn6d63jhcdrckj7fz67n6ry75"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("nasm" ,nasm)))
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index fe0923f479..dafe8c76ed 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -48,14 +48,14 @@
     ;; The 7 release series has an incompatible API, while the 6 series is still
     ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
     ;; users are ready for the 7-series API.
-    (version "6.9.10-14")
+    (version "6.9.10-16")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0vcfjvdk9in92x808djvy94l5gylpgds4a7mlr8jrxsv9snx88yi"))))
+               "1ylbv69r8l3d4za4i8q41cs6lq06mnhiq4qm03rvs3vp3gyp1m9x"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
diff --git a/gnu/packages/inkscape.scm b/gnu/packages/inkscape.scm
index 1673cc602e..eae8ac962b 100644
--- a/gnu/packages/inkscape.scm
+++ b/gnu/packages/inkscape.scm
@@ -71,7 +71,24 @@
                        (file-name "inkscape-poppler-compat2.patch")
                        (sha256
                         (base32
-                         "14k9yrfjz4nx3bz9dk91q74mc0i7rvl2qzkwhcy1br71yqjvngn5")))))))
+                         "14k9yrfjz4nx3bz9dk91q74mc0i7rvl2qzkwhcy1br71yqjvngn5")))
+                     (search-patch "inkscape-poppler-compat3.patch")
+                     (origin
+                       (method url-fetch)
+                       (uri (string-append "https://gitlab.com/inkscape/inkscape/commit/"
+                                           "d047859d90cef3784e2d13e40887a70d8d517897.diff"))
+                       (file-name "inkscape-poppler-compat4.patch")
+                       (sha256
+                        (base32
+                         "0xdfg3q4g4m15z7wna4brjn5j4kr15qiqc2f25vcw2nnr6x54qcp")))
+                     (origin
+                       (method url-fetch)
+                       (uri (string-append "https://gitlab.com/inkscape/inkscape/commit/"
+                                           "b3d59cc8106da3bf6020a6c47eeb3b8a7bbae1a9.diff"))
+                       (file-name "inkscape-poppler-compat5.patch")
+                       (sha256
+                        (base32
+                         "0haviy66q9szizmvb82msfj80bb3wgi1fnq3ml8fyfp8l90a1217")))))))
     (build-system cmake-build-system)
     (inputs
      `(("aspell" ,aspell)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 508f9c4bd2..ad19f60ec1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -48,7 +48,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (version "1.16.1")
+    (version "1.16.2")
     (source (origin
               (method url-fetch)
               (uri (list
@@ -60,7 +60,7 @@
                                    "/krb5-" version ".tar.gz")))
               (sha256
                (base32
-                "05qis9l93hhxaknbp0a2v5cr24fsy52fqx20aqqcgl1s9qwzwkr1"))))
+                "09zhhzj19bmjjxsvxdrysabql8n72kjivis08wbikhlkwlgiwwlz"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index 2de29707ca..c9ed941202 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -122,14 +122,14 @@ limited support for fork events.")
 (define-public libuv
   (package
     (name "libuv")
-    (version "1.23.0")
+    (version "1.24.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dist.libuv.org/dist/v" version
                                   "/libuv-v" version ".tar.gz"))
               (sha256
                (base32
-                "09yf7c71n8b80nbsv4lsmq5nqmb0rylhpx3z9jgkv5za9lr6sx6i"))))
+                "01pg0zsfr8mxlpipkbpw0dpsl26x5s966f5br7dx9ac29abk419q"))))
     (build-system gnu-build-system)
     (arguments
      '(;; XXX: Some tests want /dev/tty, attempt to make connections, etc.
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 45e2f63767..451adb0eff 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -984,9 +984,47 @@ converting QuarkXPress file format.  It supports versions 3.1 to 4.1.")
                         (file-name "libreoffice-mdds.patch")
                         (sha256
                          (base32
-                          "0apbmammmp4pk473xiv5vk50r4c5gjvqzf9jkficksvz58q6114f"))))
+                          "0apbmammmp4pk473xiv5vk50r4c5gjvqzf9jkficksvz58q6114f")))
+                      ;; The Poppler API changed rapidly in the versions leading 0.72.
+                      ;; Thus, we need several patches from upstream, each adapting to
+                      ;; different Poppler changes since version 0.68.
+                      (origin
+                        (method url-fetch)
+                        (uri (string-append "https://github.com/LibreOffice/core/commit/"
+                                            "1688a395d05125b83eac6cd5c43f0e3f2f66c491"
+                                            ".patch"))
+                        (file-name "libreoffice-poppler-compat.patch")
+                        (sha256
+                         (base32
+                          "0ia5avmj772mrgs6m4qqf01hs8hzpy3nafidj7w7gqx2zz2s5ih9")))
+                      (origin
+                        (method url-fetch)
+                        (uri (string-append "https://github.com/LibreOffice/core/commit/"
+                                            "5e8bdd9203dd642111c62a6668ee665a20d4ba19"
+                                            ".patch"))
+                        (file-name "libreoffice-poppler-gbool.patch")
+                        (sha256
+                         (base32
+                          "19kc74h5vnk48l2vny8zmm2lkxpwc7g8n9d3wwpg99748dvbmikd")))
+                      (origin
+                        (method url-fetch)
+                        (uri (string-append "https://github.com/LibreOffice/core/commit/"
+                                            "8ff41a26caf51544699863c89598d37d93dc1b21"
+                                            ".patch"))
+                        (file-name "libreoffice-poppler-0.71.patch")
+                        (sha256
+                         (base32
+                          "1dsd0gynjf7d6412dd2sx70xa2s8kld7ibyjdkwg5w9hhi2zxw2f"))))
                 (search-patches "libreoffice-icu.patch"
-                                "libreoffice-glm.patch")))))
+                                "libreoffice-glm.patch")))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           (for-each (lambda (file)
+                       ;; Adjust to renamed function in Poppler 0.72.
+                       (substitute* file (("getCString") "c_str")))
+                     (find-files "sdext/source/pdfimport/xpdfwrapper"))
+           #t))))
     (build-system glib-or-gtk-build-system)
     (native-inputs
      `(("bison" ,bison)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1cdf2bf478..18a95eda28 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -993,7 +993,7 @@ intercept and print the system calls executed by the program.")
 (define-public alsa-lib
   (package
     (name "alsa-lib")
-    (version "1.1.6")
+    (version "1.1.7")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1001,7 +1001,7 @@ intercept and print the system calls executed by the program.")
                    version ".tar.bz2"))
              (sha256
               (base32
-               "096pwrnhj36yndldvs2pj4r871zhcgisks0is78f1jkjn9sd4b2z"))))
+               "02fw7dw202mjid49w9ki3dsfcyvid5fj488561bdzcm3haw00q4x"))))
     (build-system gnu-build-system)
     (home-page "https://www.alsa-project.org/")
     (synopsis "The Advanced Linux Sound Architecture libraries")
@@ -1013,14 +1013,14 @@ MIDI functionality to the Linux-based operating system.")
 (define-public alsa-utils
   (package
     (name "alsa-utils")
-    (version "1.1.6")
+    (version "1.1.7")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.alsa-project.org/pub/utils/"
                                  name "-" version ".tar.bz2"))
              (sha256
               (base32
-               "0vnkyymgwj9rfdb11nvab30dnfrylmakdfildxl0y8mj836awp0m"))))
+               "02jlw6a22j2rr7inggfgk2hzx3w0fjhvhs0dn1afpzdp9aspzchx"))))
     (build-system gnu-build-system)
     (arguments
      ;; XXX: Disable man page creation until we have DocBook.
@@ -1060,14 +1060,14 @@ MIDI functionality to the Linux-based operating system.")
 (define-public alsa-plugins
   (package
     (name "alsa-plugins")
-    (version "1.1.6")
+    (version "1.1.7")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.alsa-project.org/pub/plugins/"
                                  name "-" version ".tar.bz2"))
              (sha256
               (base32
-               "04qcwkisbh0d6lnh0rw1k6n869fbs6zbfq6yvb41rymiwgmk27bg"))))
+               "0iys4zl1davzyg3mn9lvil1n3k1ifrg3v1caj3k4dqyrnrd40jx7"))))
     (build-system gnu-build-system)
     ;; TODO: Split libavcodec and speex if possible. It looks like they can not
     ;; be split, there are references to both in files.
@@ -1076,7 +1076,12 @@ MIDI functionality to the Linux-based operating system.")
     ;; obsolete.
     (outputs '("out" "pulseaudio" "jack"))
     (arguments
-     `(#:phases
+     `(#:configure-flags '(;; Do not install a "local" configuration targeted
+                           ;; for /etc/alsa.  On GuixSD plugins are loaded from
+                           ;; the ALSA service, and other distributions likely
+                           ;; won't use these files.
+                           "--with-alsalconfdir=/tmp/noop")
+       #:phases
        (modify-phases %standard-phases
          (add-after 'install 'split
            (lambda* (#:key inputs outputs #:allow-other-keys)
@@ -1085,27 +1090,17 @@ MIDI functionality to the Linux-based operating system.")
                     (jack (assoc-ref outputs "jack"))
                     (jacklib (string-append jack "/lib/alsa-lib"))
                     (pua (assoc-ref outputs "pulseaudio"))
-                    (pualib (string-append pua "/lib/alsa-lib"))
-                    (puaconf (string-append pua "/share/alsa/alsa.conf.d")))
+                    (pualib (string-append pua "/lib/alsa-lib")))
                ;; For jack.
                (mkdir-p jacklib)
                (for-each (lambda (file)
                            (rename-file file (string-append jacklib "/" (basename file))))
                          (find-files out ".*jack\\.(la|so)"))
-               ;; For pluseaudio.
-               (mkdir-p puaconf)
+               ;; For pulseaudio.
                (mkdir-p pualib)
-               (chdir (string-append out "/share"))
-               (for-each (lambda (file)
-                           (rename-file file (string-append puaconf "/" (basename file))))
-                         (find-files out "\\.(conf|example)"))
                (for-each (lambda (file)
                            (rename-file file (string-append pualib "/" (basename file))))
                          (find-files out ".*pulse\\.(la|so)"))
-               (chdir "..")
-               ;; We have moved the files to output pulsaudio, the
-               ;; directory is now empty.
-               (delete-file-recursively (string-append out "/share"))
                #t))))))
     (inputs
      `(("alsa-lib" ,alsa-lib)
@@ -2038,20 +2033,26 @@ from the module-init-tools project.")
   ;; The post-systemd fork, maintained by Gentoo.
   (package
     (name "eudev")
-    (version "3.2.5")
+    (version "3.2.7")
     (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/gentoo/eudev/archive/v"
-                                  version ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
+              (method git-fetch)
+              (uri (git-reference (url "https://github.com/gentoo/eudev")
+                                  (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
               (sha256
                (base32
-                "0dlkcgy7j4fdcksqrpc373zfybiif1bal3n6lpy1kfc5280j02c7"))
+                "1la7x7v7yqb84wnc7w0kj53sa0an0m9xp6wn01ypi8drh02wjjy2"))
               (patches (search-patches "eudev-rules-directory.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'make-source-writable
+           (lambda _
+             ;; XXX: Git checkouts are read-only, but this package needs to
+             ;; modify some of its files.
+             (for-each make-file-writable (find-files "."))
+             #t))
          (add-before 'bootstrap 'patch-file-names
            (lambda* (#:key inputs #:allow-other-keys)
             (substitute* "man/make.sh"
diff --git a/gnu/packages/llvm.scm b/gnu/packages/llvm.scm
index 8a9d1d312b..4be86f3d21 100644
--- a/gnu/packages/llvm.scm
+++ b/gnu/packages/llvm.scm
@@ -95,26 +95,6 @@ languages is in development.  The compiler infrastructure includes mirror sets
 of programming tools as well as libraries with equivalent functionality.")
     (license license:ncsa)))
 
-;; FIXME: This package is here to prevent many rebuilds on x86_64 and i686
-;; from commit fc9dbf41311d99d0fd8befc789ea7c0e35911890.  Update users of
-;; this in the next rebuild cycle.
-(define-public llvm-without-rtti
-  (package
-    (inherit llvm)
-    (arguments
-     `(#:configure-flags '("-DCMAKE_SKIP_BUILD_RPATH=FALSE"
-                           "-DCMAKE_BUILD_WITH_INSTALL_RPATH=FALSE"
-                           "-DBUILD_SHARED_LIBS:BOOL=TRUE"
-                           "-DLLVM_ENABLE_FFI:BOOL=TRUE"
-                           "-DLLVM_INSTALL_UTILS=ON")
-       #:build-type "Release"
-       #:phases (modify-phases %standard-phases
-                  (add-before 'build 'shared-lib-workaround
-                    (lambda _
-                      (setenv "LD_LIBRARY_PATH"
-                              (string-append (getcwd) "/lib"))
-                      #t)))))))
-
 (define* (clang-runtime-from-llvm llvm hash
                                   #:optional (patches '()))
   (package
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 96a1ecb043..8e98f929f7 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -2978,7 +2978,7 @@ parts of it.")
 (define-public openblas
   (package
     (name "openblas")
-    (version "0.3.3")
+    (version "0.3.4")
     (source
      (origin
        (method url-fetch)
@@ -2987,7 +2987,7 @@ parts of it.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0cvlixnpc3cdvvn3f30phfvsgnqljqix6wn72ps9rj7xdhvw06jg"))))
+         "1s56lgilyyw86dzmj3jkci9zsg24n60wq4d0zri1hrxlxb6ihimj"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
diff --git a/gnu/packages/mpd.scm b/gnu/packages/mpd.scm
index 0a81a3b8b8..fe8610ab94 100644
--- a/gnu/packages/mpd.scm
+++ b/gnu/packages/mpd.scm
@@ -244,7 +244,7 @@ terminal using ncurses.")
                 "0m0mjb049sl62vx13h9waavysa30mk0rphacksnvf94n13la62v5"))))
     (build-system gnu-build-system)
     (inputs `(("libmpdclient" ,libmpdclient)
-              ("boost"  ,boost-cxx14)
+              ("boost"  ,boost)
               ("readline" ,readline)
               ("ncurses" ,ncurses)
               ("taglib" ,taglib)
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index 1212f32812..1f91b74d8b 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -75,14 +75,14 @@ themselves.")
   ;; This version is not API-compatible with version 2.  In particular, lsh
   ;; cannot use it yet.  So keep it separate.
   (package (inherit nettle-2)
-    (version "3.4")
+    (version "3.4.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/nettle/nettle-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "150y8655h629wn946dvzasq16qxsc1m9nf58mifvhl350bgl4ymf"))))
+                "1bcji95n1iz9p9vsgdgr26v6s7zhpsxfbjjwpqcihpfd6lawyhgr"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nettle-2)
        ((#:configure-flags flags)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 850223cd4c..3cba8142bf 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -91,11 +91,15 @@
           ;; Give -L arguments for cyrus-sasl to avoid propagation.
           (lambda* (#:key inputs outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out"))
-                  (sasl (assoc-ref inputs "cyrus-sasl")))
+                  (krb5 (assoc-ref inputs "mit-krb5"))) ;propagated from cyrus-sasl
+
+              ;; The ancient Libtool bundled with OpenLDAP copies the linker flags
+              ;; from Cyrus-SASL and embeds them into its own .la files.  Add an
+              ;; absolute reference to Kerberos so it does not have to be propagated.
               (substitute* (map (lambda (f) (string-append out "/" f))
                                 '("lib/libldap.la" "lib/libldap_r.la"))
-                (("-lsasl2" lib)
-                 (string-append "-L" sasl "/lib " lib)))
+                (("-lkrb5" lib)
+                 (string-append "-L" krb5 "/lib " lib)))
               #t))))))
    (synopsis "Implementation of the Lightweight Directory Access Protocol")
    (description
diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch
deleted file mode 100644
index ad83404194..0000000000
--- a/gnu/packages/patches/cairo-CVE-2016-9082.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From: Adrian Johnson <ajohnson@redneon.com>
-Date: Thu, 20 Oct 2016 21:12:30 +1030
-Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
-
-Image data is often accessed using:
-
-  image->data + y * image->stride
-
-On 64-bit achitectures if the image data is > 4GB, this computation
-will overflow since both y and stride are 32-bit types.
-
-bug report: https://bugs.freedesktop.org/show_bug.cgi?id=98165
-patch: https://bugs.freedesktop.org/attachment.cgi?id=127421
----
- boilerplate/cairo-boilerplate.c     | 4 +++-
- src/cairo-image-compositor.c        | 4 ++--
- src/cairo-image-surface-private.h   | 2 +-
- src/cairo-mesh-pattern-rasterizer.c | 2 +-
- src/cairo-png.c                     | 2 +-
- src/cairo-script-surface.c          | 3 ++-
- 6 files changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
-index 7fdbf79..4804dea 100644
---- a/boilerplate/cairo-boilerplate.c
-+++ b/boilerplate/cairo-boilerplate.c
-@@ -42,6 +42,7 @@
- #undef CAIRO_VERSION_H
- #include "../cairo-version.h"
- 
-+#include <stddef.h>
- #include <stdlib.h>
- #include <ctype.h>
- #include <assert.h>
-@@ -976,7 +977,8 @@ cairo_surface_t *
- cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
- {
-     char format;
--    int width, height, stride;
-+    int width, height;
-+    ptrdiff_t stride;
-     int x, y;
-     unsigned char *data;
-     cairo_surface_t *image = NULL;
-diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
-index 48072f8..3ca0006 100644
---- a/src/cairo-image-compositor.c
-+++ b/src/cairo-image-compositor.c
-@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
-     pixman_image_t *src, *mask;
-     union {
- 	struct fill {
--	    int stride;
-+	    ptrdiff_t stride;
- 	    uint8_t *data;
- 	    uint32_t pixel;
- 	} fill;
-@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
- 	struct finish {
- 	    cairo_rectangle_int_t extents;
- 	    int src_x, src_y;
--	    int stride;
-+	    ptrdiff_t stride;
- 	    uint8_t *data;
- 	} mask;
-     } u;
-diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
-index 8ca694c..7e78d61 100644
---- a/src/cairo-image-surface-private.h
-+++ b/src/cairo-image-surface-private.h
-@@ -71,7 +71,7 @@ struct _cairo_image_surface {
- 
-     int width;
-     int height;
--    int stride;
-+    ptrdiff_t stride;
-     int depth;
- 
-     unsigned owns_data : 1;
-diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
-index 1b63ca8..e7f0db6 100644
---- a/src/cairo-mesh-pattern-rasterizer.c
-+++ b/src/cairo-mesh-pattern-rasterizer.c
-@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
- 	tg += tg >> 16;
- 	tb += tb >> 16;
- 
--	*((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
-+	*((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
- 	    ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
-     }
- }
-diff --git a/src/cairo-png.c b/src/cairo-png.c
-index 562b743..aa8c227 100644
---- a/src/cairo-png.c
-+++ b/src/cairo-png.c
-@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
-     }
- 
-     for (i = 0; i < png_height; i++)
--        row_pointers[i] = &data[i * stride];
-+        row_pointers[i] = &data[i * (ptrdiff_t)stride];
- 
-     png_read_image (png, row_pointers);
-     png_read_end (png, info);
-diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
-index ea0117d..91e4baa 100644
---- a/src/cairo-script-surface.c
-+++ b/src/cairo-script-surface.c
-@@ -1202,7 +1202,8 @@ static cairo_status_t
- _write_image_surface (cairo_output_stream_t *output,
- 		      const cairo_image_surface_t *image)
- {
--    int stride, row, width;
-+    int row, width;
-+    ptrdiff_t stride;
-     uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
-     uint8_t *rowdata;
-     uint8_t *data;
--- 
-2.1.4
-
diff --git a/gnu/packages/patches/cairo-setjmp-wrapper.patch b/gnu/packages/patches/cairo-setjmp-wrapper.patch
deleted file mode 100644
index bffac6e041..0000000000
--- a/gnu/packages/patches/cairo-setjmp-wrapper.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-Revert faulty commit to avoid undefined behaviour:
-https://bugs.freedesktop.org/show_bug.cgi?id=104325
-
-Taken from this upstream commit:
-https://cgit.freedesktop.org/cairo/commit/?h=1.14&id=2acc4382c54bd8239361ceed14423412a343d311
-
-diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
-index cb2e30c..5541bdc 100644
---- a/src/cairo-bentley-ottmann-rectangular.c
-+++ b/src/cairo-bentley-ottmann-rectangular.c
-@@ -593,12 +593,6 @@ sweep_line_insert (sweep_line_t	*sweep, rectangle_t *rectangle)
-     pqueue_push (sweep, rectangle);
- }
- 
--static int
--sweep_line_setjmp (sweep_line_t *sweep_line)
--{
--    return setjmp (sweep_line->unwind);
--}
--
- static cairo_status_t
- _cairo_bentley_ottmann_tessellate_rectangular (rectangle_t	**rectangles,
- 					       int			  num_rectangles,
-@@ -615,7 +609,7 @@ _cairo_bentley_ottmann_tessellate_rectangular (rectangle_t	**rectangles,
- 		     rectangles, num_rectangles,
- 		     fill_rule,
- 		     do_traps, container);
--    if ((status = sweep_line_setjmp (&sweep_line)))
-+    if ((status = setjmp (sweep_line.unwind)))
- 	return status;
- 
-     rectangle = rectangle_pop_start (&sweep_line);
-diff --git a/src/cairo-png.c b/src/cairo-png.c
-index e64b14a..068617d 100644
---- a/src/cairo-png.c
-+++ b/src/cairo-png.c
-@@ -158,14 +158,6 @@ png_simple_warning_callback (png_structp png,
-      */
- }
- 
--static int
--png_setjmp (png_struct *png)
--{
--#ifdef PNG_SETJMP_SUPPORTED
--    return setjmp (png_jmpbuf (png));
--#endif
--    return 0;
--}
- 
- /* Starting with libpng-1.2.30, we must explicitly specify an output_flush_fn.
-  * Otherwise, we will segfault if we are writing to a stream. */
-@@ -237,8 +229,10 @@ write_png (cairo_surface_t	*surface,
- 	goto BAIL4;
-     }
- 
--    if (png_setjmp (png))
-+#ifdef PNG_SETJMP_SUPPORTED
-+    if (setjmp (png_jmpbuf (png)))
- 	goto BAIL4;
-+#endif
- 
-     png_set_write_fn (png, closure, write_func, png_simple_output_flush_fn);
- 
-@@ -577,11 +571,12 @@ read_png (struct png_read_closure_t *png_closure)
-     png_set_read_fn (png, png_closure, stream_read_func);
- 
-     status = CAIRO_STATUS_SUCCESS;
--
--    if (png_setjmp (png)) {
-+#ifdef PNG_SETJMP_SUPPORTED
-+    if (setjmp (png_jmpbuf (png))) {
- 	surface = _cairo_surface_create_in_error (status);
- 	goto BAIL;
-     }
-+#endif
- 
-     png_read_info (png, info);
- 
diff --git a/gnu/packages/patches/cyrus-sasl-CVE-2013-4122.patch b/gnu/packages/patches/cyrus-sasl-CVE-2013-4122.patch
deleted file mode 100644
index fc72e42e03..0000000000
--- a/gnu/packages/patches/cyrus-sasl-CVE-2013-4122.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Fix CVE-2013-4122.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122
-
-Patch copied from upstream source repository:
-https://github.com/cyrusimap/cyrus-sasl/commit/dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
-
-From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001
-From: mancha <mancha1@hush.com>
-Date: Thu, 11 Jul 2013 10:08:07 +0100
-Subject: Handle NULL returns from glibc 2.17+ crypt()
-
-Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
-(w/ NULL return) if the salt violates specifications. Additionally,
-on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
-passed to crypt() fail with EPERM (w/ NULL return).
-
-When using glibc's crypt(), check return value to avoid a possible
-NULL pointer dereference.
-
-Patch by mancha1@hush.com.
----
- pwcheck/pwcheck_getpwnam.c | 3 ++-
- pwcheck/pwcheck_getspnam.c | 4 +++-
- saslauthd/auth_getpwent.c  | 4 +++-
- saslauthd/auth_shadow.c    | 8 +++-----
- 4 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
-index 4b34222..400289c 100644
---- a/pwcheck/pwcheck_getpwnam.c
-+++ b/pwcheck/pwcheck_getpwnam.c
-@@ -32,6 +32,7 @@ char *userid;
- char *password;
- {
-     char* r;
-+    char* crpt_passwd;
-     struct passwd *pwd;
- 
-     pwd = getpwnam(userid);
-@@ -41,7 +42,7 @@ char *password;
-     else if (pwd->pw_passwd[0] == '*') {
- 	r = "Account disabled";
-     }
--    else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
-+    else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
- 	r = "Incorrect password";
-     }
-     else {
-diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
-index 2b11286..6d607bb 100644
---- a/pwcheck/pwcheck_getspnam.c
-+++ b/pwcheck/pwcheck_getspnam.c
-@@ -32,13 +32,15 @@ char *userid;
- char *password;
- {
-     struct spwd *pwd;
-+    char *crpt_passwd;
- 
-     pwd = getspnam(userid);
-     if (!pwd) {
- 	return "Userid not found";
-     }
-     
--    if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
-+    crpt_passwd = crypt(password, pwd->sp_pwdp);
-+    if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
- 	return "Incorrect password";
-     }
-     else {
-diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
-index fc8029d..d4ebe54 100644
---- a/saslauthd/auth_getpwent.c
-+++ b/saslauthd/auth_getpwent.c
-@@ -77,6 +77,7 @@ auth_getpwent (
- {
-     /* VARIABLES */
-     struct passwd *pw;			/* pointer to passwd file entry */
-+    char *crpt_passwd;			/* encrypted password */
-     int errnum;
-     /* END VARIABLES */
-   
-@@ -105,7 +106,8 @@ auth_getpwent (
- 	}
-     }
- 
--    if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
-+    crpt_passwd = crypt(password, pw->pw_passwd);
-+    if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
- 	if (flags & VERBOSE) {
- 	    syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
- 	}
-diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
-index 677131b..1988afd 100644
---- a/saslauthd/auth_shadow.c
-+++ b/saslauthd/auth_shadow.c
-@@ -210,8 +210,8 @@ auth_shadow (
- 	RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
-     }
- 
--    cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
--    if (strcmp(sp->sp_pwdp, cpw)) {
-+    cpw = crypt(password, sp->sp_pwdp);
-+    if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
- 	if (flags & VERBOSE) {
- 	    /*
- 	     * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
-@@ -221,10 +221,8 @@ auth_shadow (
- 	    syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
- 		   sp->sp_pwdp, cpw);
- 	}
--	free(cpw);
- 	RETURN("NO Incorrect password");
-     }
--    free(cpw);
- 
-     /*
-      * The following fields will be set to -1 if:
-@@ -286,7 +284,7 @@ auth_shadow (
- 	RETURN("NO Invalid username");
-     }
-   
--    if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
-+    if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
- 	if (flags & VERBOSE) {
- 	    syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
- 		   password, upw->upw_passwd);
--- 
-cgit v0.12
-
diff --git a/gnu/packages/patches/ghostscript-CVE-2018-16509.patch b/gnu/packages/patches/ghostscript-CVE-2018-16509.patch
deleted file mode 100644
index 50ffa3cb98..0000000000
--- a/gnu/packages/patches/ghostscript-CVE-2018-16509.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-Ghostscript 9.24 was released with an incomplete fix for CVE-2018-16509:
-https://nvd.nist.gov/vuln/detail/CVE-2018-16509
-https://bugs.chromium.org/p/project-zero/issues/detail?id=1640#c19
-https://bugs.ghostscript.com/show_bug.cgi?id=699718
-
-The reproducers no longer work after applying these commits:
-
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e914f1da46e33decc534486598dc3eadf69e6efb
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002fb9c131313253c307cf3951b3d47
-
-This patch is a "squashed" version of those.
-
-diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps
-index bba3c8c0e..8fa7c51df 100644
---- a/Resource/Init/gs_setpd.ps
-+++ b/Resource/Init/gs_setpd.ps
-@@ -95,27 +95,41 @@ level2dict begin
-  {	% Since setpagedevice doesn't create new device objects,
-         % we must (carefully) reinstall the old parameters in
-         % the same device.
--   .currentpagedevice pop //null currentdevice //null .trysetparams
-+   .currentpagedevice pop //null currentdevice //null
-+   { .trysetparams } .internalstopped
-+   {
-+     //null
-+   } if
-    dup type /booleantype eq
-     { pop pop }
--    {		% This should never happen!
-+    {
-       SETPDDEBUG { (Error in .trysetparams!) = pstack flush } if
--      cleartomark pop pop pop
-+      {cleartomark pop pop pop} .internalstopped pop
-+      % if resetting the entire device state failed, at least put back the
-+      % security related key
-+      currentdevice //null //false mark /.LockSafetyParams
-+      currentpagedevice /.LockSafetyParams .knownget not
-+      {systemdict /SAFER .knownget not {//false} } if
-+      .putdeviceparamsonly
-       /.installpagedevice cvx /rangecheck signalerror
-     }
-    ifelse pop pop
-         % A careful reading of the Red Book reveals that an erasepage
-         % should occur, but *not* an initgraphics.
-    erasepage .beginpage
-- } bind def
-+ } bind executeonly def
- 
- /.uninstallpagedevice
-- { 2 .endpage { .currentnumcopies //false .outputpage } if
-+ {
-+   {2 .endpage { .currentnumcopies //false .outputpage } if} .internalstopped pop
-    nulldevice
-  } bind def
- 
- (%grestorepagedevice) cvn
-- { .uninstallpagedevice grestore .installpagedevice
-+ {
-+ .uninstallpagedevice
-+ grestore
-+ .installpagedevice
-  } bind def
- 
- (%grestoreallpagedevice) cvn
-diff --git a/psi/zdevice2.c b/psi/zdevice2.c
-index 0c7080d57..159a0c0d9 100644
---- a/psi/zdevice2.c
-+++ b/psi/zdevice2.c
-@@ -251,8 +251,8 @@ z2currentgstate(i_ctx_t *i_ctx_p)
- /* ------ Wrappers for operators that reset the graphics state. ------ */
- 
- /* Check whether we need to call out to restore the page device. */
--static bool
--restore_page_device(const gs_gstate * pgs_old, const gs_gstate * pgs_new)
-+static int
-+restore_page_device(i_ctx_t *i_ctx_p, const gs_gstate * pgs_old, const gs_gstate * pgs_new)
- {
-     gx_device *dev_old = gs_currentdevice(pgs_old);
-     gx_device *dev_new;
-@@ -260,9 +260,10 @@ restore_page_device(const gs_gstate * pgs_old, const gs_gstate * pgs_new)
-     gx_device *dev_t2;
-     bool samepagedevice = obj_eq(dev_old->memory, &gs_int_gstate(pgs_old)->pagedevice,
-         &gs_int_gstate(pgs_new)->pagedevice);
-+    bool LockSafetyParams = dev_old->LockSafetyParams;
- 
-     if ((dev_t1 = (*dev_proc(dev_old, get_page_device)) (dev_old)) == 0)
--        return false;
-+        return 0;
-     /* If we are going to putdeviceparams in a callout, we need to */
-     /* unlock temporarily.  The device will be re-locked as needed */
-     /* by putdeviceparams from the pgs_old->pagedevice dict state. */
-@@ -271,23 +272,51 @@ restore_page_device(const gs_gstate * pgs_old, const gs_gstate * pgs_new)
-     dev_new = gs_currentdevice(pgs_new);
-     if (dev_old != dev_new) {
-         if ((dev_t2 = (*dev_proc(dev_new, get_page_device)) (dev_new)) == 0)
--            return false;
--        if (dev_t1 != dev_t2)
--            return true;
-+            samepagedevice = true;
-+        else if (dev_t1 != dev_t2)
-+            samepagedevice = false;
-+    }
-+
-+    if (LockSafetyParams && !samepagedevice) {
-+        const int required_ops = 512;
-+        const int required_es = 32;
-+
-+        /* The %grestorepagedevice must complete: the biggest danger
-+           is operand stack overflow. As we use get/putdeviceparams
-+           that means pushing all the device params onto the stack,
-+           pdfwrite having by far the largest number of parameters
-+           at (currently) 212 key/value pairs - thus needing (currently)
-+           424 entries on the op stack. Allowing for working stack
-+           space, and safety margin.....
-+         */
-+        if (required_ops + ref_stack_count(&o_stack) >= ref_stack_max_count(&o_stack)) {
-+           gs_currentdevice(pgs_old)->LockSafetyParams = LockSafetyParams;
-+           return_error(gs_error_stackoverflow);
-+        }
-+        /* We also want enough exec stack space - 32 is an overestimate of
-+           what we need to complete the Postscript call out.
-+         */
-+        if (required_es + ref_stack_count(&e_stack) >= ref_stack_max_count(&e_stack)) {
-+           gs_currentdevice(pgs_old)->LockSafetyParams = LockSafetyParams;
-+           return_error(gs_error_execstackoverflow);
-+        }
-     }
-     /*
-      * The current implementation of setpagedevice just sets new
-      * parameters in the same device object, so we have to check
-      * whether the page device dictionaries are the same.
-      */
--    return !samepagedevice;
-+    return samepagedevice ? 0 : 1;
- }
- 
- /* - grestore - */
- static int
- z2grestore(i_ctx_t *i_ctx_p)
- {
--    if (!restore_page_device(igs, gs_gstate_saved(igs)))
-+    int code = restore_page_device(i_ctx_p, igs, gs_gstate_saved(igs));
-+    if (code < 0) return code;
-+
-+    if (code == 0)
-         return gs_grestore(igs);
-     return push_callout(i_ctx_p, "%grestorepagedevice");
- }
-@@ -297,7 +326,9 @@ static int
- z2grestoreall(i_ctx_t *i_ctx_p)
- {
-     for (;;) {
--        if (!restore_page_device(igs, gs_gstate_saved(igs))) {
-+        int code = restore_page_device(i_ctx_p, igs, gs_gstate_saved(igs));
-+        if (code < 0) return code;
-+        if (code == 0) {
-             bool done = !gs_gstate_saved(gs_gstate_saved(igs));
- 
-             gs_grestore(igs);
-@@ -328,11 +359,15 @@ z2restore(i_ctx_t *i_ctx_p)
-     if (code < 0) return code;
- 
-     while (gs_gstate_saved(gs_gstate_saved(igs))) {
--        if (restore_page_device(igs, gs_gstate_saved(igs)))
-+        code = restore_page_device(i_ctx_p, igs, gs_gstate_saved(igs));
-+        if (code < 0) return code;
-+        if (code > 0)
-             return push_callout(i_ctx_p, "%restore1pagedevice");
-         gs_grestore(igs);
-     }
--    if (restore_page_device(igs, gs_gstate_saved(igs)))
-+    code = restore_page_device(i_ctx_p, igs, gs_gstate_saved(igs));
-+    if (code < 0) return code;
-+    if (code > 0)
-         return push_callout(i_ctx_p, "%restorepagedevice");
- 
-     code = dorestore(i_ctx_p, asave);
-@@ -355,9 +390,12 @@ static int
- z2setgstate(i_ctx_t *i_ctx_p)
- {
-     os_ptr op = osp;
-+    int code;
- 
-     check_stype(*op, st_igstate_obj);
--    if (!restore_page_device(igs, igstate_ptr(op)))
-+    code = restore_page_device(i_ctx_p, igs, igstate_ptr(op));
-+    if (code < 0) return code;
-+    if (code == 0)
-         return zsetgstate(i_ctx_p);
-     return push_callout(i_ctx_p, "%setgstatepagedevice");
- }
diff --git a/gnu/packages/patches/ghostscript-bug-699708.patch b/gnu/packages/patches/ghostscript-bug-699708.patch
deleted file mode 100644
index 1567be1c6f..0000000000
--- a/gnu/packages/patches/ghostscript-bug-699708.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-Additional security fix that missed 9.24.
-
-Taken from upstream:
-http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
-
-From fb713b3818b52d8a6cf62c951eba2e1795ff9624 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 6 Sep 2018 09:16:22 +0100
-Subject: [PATCH] Bug 699708 (part 1): 'Hide' non-replaceable error handlers
- for SAFER
-
-We already had a 'private' dictionary for non-standard errors: gserrordict.
-
-This now includes all the default error handlers, the dictionary is made
-noaccess and all the prodedures are bound and executeonly.
-
-When running with -dSAFER, in the event of a Postscript error, instead of
-pulling the handler from errordict, we'll pull it from gserrordict - thus
-malicious input cannot trigger problems by the use of custom error handlers.
-
-errordict remains open and writeable, so files such as the Quality Logic tests
-that install their own handlers will still 'work', with the exception that the
-custom error handlers will not be called.
-
-This is a 'first pass', 'sledgehammer' approach: a nice addition would to allow
-an integrator to specify a list of errors that are not to be replaced (for
-example, embedded applications would probably want to ensure that VMerror is
-always handled as they intend).
----
- Resource/Init/gs_init.ps | 29 ++++++++++++++++++-----------
- psi/interp.c             | 30 +++++++++++++++++++++---------
- 2 files changed, 39 insertions(+), 20 deletions(-)
-
-diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
-index 071c39205..bc8b7951c 100644
---- a/Resource/Init/gs_init.ps
-+++ b/Resource/Init/gs_init.ps
-@@ -881,7 +881,7 @@ userdict /.currentresourcefile //null put
-        { not exch pop exit } { pop } ifelse
-     }
-    for exch pop .quit
-- } bind def
-+ } bind executeonly def
- /.errorhandler		% <command> <errorname> .errorhandler -
-   {		% Detect an internal 'stopped'.
-     1 .instopped { //null eq { pop pop stop } if } if
-@@ -926,7 +926,7 @@ userdict /.currentresourcefile //null put
-     $error /globalmode get $error /.nosetlocal get and .setglobal
-     $error /.inerror //false put
-     stop
--  } bind def
-+  } bind executeonly def
- % Define the standard handleerror.  We break out the printing procedure
- % (.printerror) so that it can be extended for binary output
- % if the Level 2 facilities are present.
-@@ -976,7 +976,7 @@ userdict /.currentresourcefile //null put
-      ifelse	% newerror
-      end
-      flush
--    } bind def
-+    } bind executeonly def
-   /.printerror_long			% long error printout,
-                                         % $error is on the dict stack
-    {	% Push the (anonymous) stack printing procedure.
-@@ -1053,14 +1053,14 @@ userdict /.currentresourcefile //null put
-         { (Current file position is ) print position = }
-        if
- 
--   } bind def
-+   } bind executeonly def
- % Define a procedure for clearing the error indication.
- /.clearerror
-  { $error /newerror //false put
-    $error /errorname //null put
-    $error /errorinfo //null put
-    0 .setoserrno
-- } bind def
-+ } bind executeonly def
- 
- % Define $error.  This must be in local VM.
- .currentglobal //false .setglobal
-@@ -1086,11 +1086,15 @@ end
- /errordict ErrorNames length 3 add dict
- .forcedef		% errordict is local, systemdict is global
- .setglobal		% back to global VM
--% For greater Adobe compatibility, we put all non-standard errors in a
--%   separate dictionary, gserrordict.  It does not need to be in local VM,
--%   because PostScript programs do not access it.
-+%  gserrordict contains all the default error handling methods, but unlike
-+%  errordict it is noaccess after creation (also it is in global VM).
-+%  When running 'SAFER', we'll ignore the contents of errordict, which
-+%  may have been tampered with by the running job, and always use gserrordict
-+%  gserrordict also contains any non-standard errors, for better compatibility
-+%  with Adobe.
-+%
- %   NOTE: the name gserrordict is known to the interpreter.
--/gserrordict 5 dict def
-+/gserrordict ErrorNames length 3 add dict def
- % Register an error in errordict.  We make this a procedure because we only
- % register the Level 1 errors here: the rest are registered by "feature"
- % files.  However, ErrorNames contains all of the error names regardless of
-@@ -1119,8 +1123,11 @@ errordict begin
-  } bind def
- end		% errordict
- 
--% Put non-standard errors in gserrordict.
--gserrordict /unknownerror errordict /unknownerror get put
-+% Put all the default handlers in gserrordict
-+gserrordict
-+errordict {2 index 3 1 roll put} forall
-+noaccess pop
-+% remove the non-standard errors from errordict
- errordict /unknownerror .undef
- % Define a stable private copy of handleerror that we will always use under
- % JOBSERVER mode.
-diff --git a/psi/interp.c b/psi/interp.c
-index c27b70dca..d41a9d3f5 100644
---- a/psi/interp.c
-+++ b/psi/interp.c
-@@ -661,16 +661,28 @@ again:
-         return code;
-     if (gs_errorname(i_ctx_p, code, &error_name) < 0)
-         return code;            /* out-of-range error code! */
--    /*
--     * For greater Adobe compatibility, only the standard PostScript errors
--     * are defined in errordict; the rest are in gserrordict.
-+
-+    /*  If LockFilePermissions is true, we only refer to gserrordict, which
-+     *  is not accessible to Postcript jobs
-      */
--    if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 ||
--        (dict_find(perrordict, &error_name, &epref) <= 0 &&
--         (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 ||
--          dict_find(perrordict, &error_name, &epref) <= 0))
--        )
--        return code;            /* error name not in errordict??? */
-+    if (i_ctx_p->LockFilePermissions) {
-+        if (((dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 ||
-+              dict_find(perrordict, &error_name, &epref) <= 0))
-+            )
-+            return code;            /* error name not in errordict??? */
-+    }
-+    else {
-+        /*
-+         * For greater Adobe compatibility, only the standard PostScript errors
-+         * are defined in errordict; the rest are in gserrordict.
-+         */
-+        if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 ||
-+            (dict_find(perrordict, &error_name, &epref) <= 0 &&
-+             (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 ||
-+              dict_find(perrordict, &error_name, &epref) <= 0))
-+            )
-+            return code;            /* error name not in errordict??? */
-+    }
-     doref = *epref;
-     epref = &doref;
-     /* Push the error object on the operand stack if appropriate. */
--- 
-2.18.0
-
diff --git a/gnu/packages/patches/glib-networking-ssl-cert-file.patch b/gnu/packages/patches/glib-networking-ssl-cert-file.patch
deleted file mode 100644
index 32bdd0790f..0000000000
--- a/gnu/packages/patches/glib-networking-ssl-cert-file.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From b010e41346d418220582c20ab8d7f3971e4fb78a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@gmail.com>
-Date: Fri, 14 Aug 2015 17:28:36 +0800
-Subject: [PATCH] gnutls: Allow overriding the anchor file location by
- 'SSL_CERT_FILE'
-
----
- tls/gnutls/gtlsbackend-gnutls.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gnutls.c
-index 55ec1a5..217d3c8 100644
---- a/tls/gnutls/gtlsbackend-gnutls.c
-+++ b/tls/gnutls/gtlsbackend-gnutls.c
-@@ -101,8 +101,10 @@ g_tls_backend_gnutls_real_create_database (GTlsBackendGnutls  *self,
-                                            GError            **error)
- {
-   const gchar *anchor_file = NULL;
-+  anchor_file = g_getenv ("SSL_CERT_FILE");
- #ifdef GTLS_SYSTEM_CA_FILE
--  anchor_file = GTLS_SYSTEM_CA_FILE;
-+  if (!anchor_file)
-+    anchor_file = GTLS_SYSTEM_CA_FILE;
- #endif
-   return g_tls_file_database_new (anchor_file, error);
- }
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
deleted file mode 100644
index 1fad7c14e3..0000000000
--- a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-FIXME: The static test fails with an error such as:
-
-/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main':
-c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init'
-collect2: error: ld returned 1 exit status
-FAIL pkgconfig.sh (exit status: 1)
-
-diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh
-index 6bd4e62f9..05aab8278 100755
---- a/tests/pkgconfig.sh
-+++ b/tests/pkgconfig.sh
-@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:"
- echo "  * flags: $(${PKGCONFIG} --libs gnutls)"
- echo "  * common: ${COMMON}"
- echo "  * lib: ${CFLAGS}"
--cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
--
--echo ""
--echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)"
--cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
-+gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
- 
- rm -f ${TMPFILE} ${TMPFILE_O}
- 
diff --git a/gnu/packages/patches/inkscape-poppler-compat3.patch b/gnu/packages/patches/inkscape-poppler-compat3.patch
new file mode 100644
index 0000000000..eaaf7d93f1
--- /dev/null
+++ b/gnu/packages/patches/inkscape-poppler-compat3.patch
@@ -0,0 +1,499 @@
+Fix compatibility with Poppler >= 0.69.
+
+This is a combination of these upstream commits:
+https://gitlab.com/inkscape/inkscape/commit/722e121361d0f784083d10e897155b7d4e44e515
+https://gitlab.com/inkscape/inkscape/commit/402c0274420fe39fd2f3393bc7d8d8879d436358
+
+...with slight adjustments for the 0.92.3 release tarball.
+
+diff --git a/CMakeScripts/DefineDependsandFlags.cmake b/CMakeScripts/DefineDependsandFlags.cmake
+--- a/CMakeScripts/DefineDependsandFlags.cmake
++++ b/CMakeScripts/DefineDependsandFlags.cmake
+@@ -116,18 +116,6 @@ if(ENABLE_POPPLER)
+ 		set(HAVE_POPPLER_GLIB ON)
+ 	    endif()
+ 	endif()
+-	if(POPPLER_VERSION VERSION_GREATER "0.26.0" OR
+-		POPPLER_VERSION VERSION_EQUAL   "0.26.0")
+-	    set(POPPLER_EVEN_NEWER_COLOR_SPACE_API ON)
+-	endif()
+-	if(POPPLER_VERSION VERSION_GREATER "0.29.0" OR
+-		POPPLER_VERSION VERSION_EQUAL   "0.29.0")
+-	    set(POPPLER_EVEN_NEWER_NEW_COLOR_SPACE_API ON)
+-	endif()
+-	if(POPPLER_VERSION VERSION_GREATER "0.58.0" OR
+-		POPPLER_VERSION VERSION_EQUAL   "0.58.0")
+-            set(POPPLER_NEW_OBJECT_API ON)
+-	endif()
+     else()
+ 	set(ENABLE_POPPLER_CAIRO OFF)
+     endif()
+diff --git a/src/extension/internal/pdfinput/pdf-input.cpp b/src/extension/internal/pdfinput/pdf-input.cpp
+--- a/src/extension/internal/pdfinput/pdf-input.cpp
++++ b/src/extension/internal/pdfinput/pdf-input.cpp
+@@ -793,7 +793,7 @@ PdfInput::open(::Inkscape::Extension::Input * /*mod*/, const gchar * uri) {
+             dlg->getImportSettings(prefs);
+ 
+         // Apply crop settings
+-        PDFRectangle *clipToBox = NULL;
++        _POPPLER_CONST PDFRectangle *clipToBox = NULL;
+         double crop_setting;
+         sp_repr_get_double(prefs, "cropTo", &crop_setting);
+ 
+diff --git a/src/extension/internal/pdfinput/pdf-input.h b/src/extension/internal/pdfinput/pdf-input.h
+--- a/src/extension/internal/pdfinput/pdf-input.h
++++ b/src/extension/internal/pdfinput/pdf-input.h
+@@ -15,6 +15,7 @@
+ #endif
+ 
+ #ifdef HAVE_POPPLER
++#include "poppler-transition-api.h"
+ 
+ #include <gtkmm/dialog.h>
+ 
+diff --git a/src/extension/internal/pdfinput/pdf-parser.cpp b/src/extension/internal/pdfinput/pdf-parser.cpp
+--- a/src/extension/internal/pdfinput/pdf-parser.cpp
++++ b/src/extension/internal/pdfinput/pdf-parser.cpp
+@@ -36,6 +36,7 @@ extern "C" {
+ #include "pdf-parser.h"
+ #include "util/units.h"
+ 
++#include "glib/poppler-features.h"
+ #include "goo/gmem.h"
+ #include "goo/GooString.h"
+ #include "GlobalParams.h"
+@@ -294,8 +295,8 @@ PdfParser::PdfParser(XRef *xrefA,
+                      int /*pageNum*/,
+ 		     int rotate,
+ 		     Dict *resDict,
+-                     PDFRectangle *box,
+-		     PDFRectangle *cropBox) :
++                     _POPPLER_CONST PDFRectangle *box,
++                     _POPPLER_CONST PDFRectangle *cropBox) :
+     xref(xrefA),
+     builder(builderA),
+     subPage(gFalse),
+@@ -317,7 +318,7 @@ PdfParser::PdfParser(XRef *xrefA,
+   builder->setDocumentSize(Inkscape::Util::Quantity::convert(state->getPageWidth(), "pt", "px"),
+                            Inkscape::Util::Quantity::convert(state->getPageHeight(), "pt", "px"));
+ 
+-  double *ctm = state->getCTM();
++  const double *ctm = state->getCTM();
+   double scaledCTM[6];
+   for (int i = 0; i < 6; ++i) {
+     baseMatrix[i] = ctm[i];
+@@ -352,7 +353,7 @@ PdfParser::PdfParser(XRef *xrefA,
+ PdfParser::PdfParser(XRef *xrefA,
+ 		     Inkscape::Extension::Internal::SvgBuilder *builderA,
+                      Dict *resDict,
+-		     PDFRectangle *box) :
++		     _POPPLER_CONST PDFRectangle *box) :
+     xref(xrefA),
+     builder(builderA),
+     subPage(gTrue),
+@@ -571,7 +572,7 @@ const char *PdfParser::getPreviousOperator(unsigned int look_back) {
+ 
+ void PdfParser::execOp(Object *cmd, Object args[], int numArgs) {
+   PdfOperator *op;
+-  char *name;
++  const char *name;
+   Object *argPtr;
+   int i;
+ 
+@@ -619,7 +620,7 @@ void PdfParser::execOp(Object *cmd, Object args[], int numArgs) {
+   (this->*op->func)(argPtr, numArgs);
+ }
+ 
+-PdfOperator* PdfParser::findOp(char *name) {
++PdfOperator* PdfParser::findOp(const char *name) {
+   int a = -1;
+   int b = numOps;
+   int cmp = -1;
+@@ -1751,7 +1752,7 @@ void PdfParser::doShadingPatternFillFallback(GfxShadingPattern *sPat,
+                                              GBool stroke, GBool eoFill) {
+   GfxShading *shading;
+   GfxPath *savedPath;
+-  double *ctm, *btm, *ptm;
++  const double *ctm, *btm, *ptm;
+   double m[6], ictm[6], m1[6];
+   double xMin, yMin, xMax, yMax;
+   double det;
+@@ -1993,7 +1994,7 @@ void PdfParser::doFunctionShFill1(GfxFunctionShading *shading,
+   GfxColor color0M, color1M, colorM0, colorM1, colorMM;
+   GfxColor colors2[4];
+   double functionColorDelta = colorDeltas[pdfFunctionShading-1];
+-  double *matrix;
++  const double *matrix;
+   double xM, yM;
+   int nComps, i, j;
+ 
+@@ -2173,7 +2174,7 @@ void PdfParser::doPatchMeshShFill(GfxPatchMeshShading *shading) {
+   }
+ }
+ 
+-void PdfParser::fillPatch(GfxPatch *patch, int nComps, int depth) {
++void PdfParser::fillPatch(_POPPLER_CONST GfxPatch *patch, int nComps, int depth) {
+   GfxPatch patch00 = blankPatch();
+   GfxPatch patch01 = blankPatch();
+   GfxPatch patch10 = blankPatch();
+@@ -2581,7 +2582,11 @@ void PdfParser::opShowSpaceText(Object args[], int /*numArgs*/)
+   }
+ }
+ 
++#if POPPLER_CHECK_VERSION(0,64,0)
+ void PdfParser::doShowText(const GooString *s) {
++#else
++void PdfParser::doShowText(GooString *s) {
++#endif
+   GfxFont *font;
+   int wMode;
+   double riseX, riseY;
+@@ -2590,11 +2595,15 @@ void PdfParser::doShowText(const GooString *s) {
+   double x, y, dx, dy, tdx, tdy;
+   double originX, originY, tOriginX, tOriginY;
+   double oldCTM[6], newCTM[6];
+-  double *mat;
++  const double *mat;
+   Object charProc;
+   Dict *resDict;
+   Parser *oldParser;
++#if POPPLER_CHECK_VERSION(0,64,0)
++  const char *p;
++#else
+   char *p;
++#endif
+   int len, n, uLen;
+ 
+   font = state->getFont();
+@@ -2630,7 +2639,7 @@ void PdfParser::doShowText(const GooString *s) {
+     double lineX = state->getLineX();
+     double lineY = state->getLineY();
+     oldParser = parser;
+-    p = g_strdup(s->getCString());
++    p = s->getCString();
+     len = s->getLength();
+     while (len > 0) {
+       n = font->getNextChar(p, len, &code,
+@@ -2685,7 +2694,7 @@ void PdfParser::doShowText(const GooString *s) {
+ 
+   } else {
+     state->textTransformDelta(0, state->getRise(), &riseX, &riseY);
+-    p = g_strdup(s->getCString());
++    p = s->getCString();
+     len = s->getLength();
+     while (len > 0) {
+       n = font->getNextChar(p, len, &code,
+@@ -2731,7 +2740,11 @@ void PdfParser::opXObject(Object args[], int /*numArgs*/)
+ {
+   Object obj1, obj2, obj3, refObj;
+ 
+-  char *name = g_strdup(args[0].getName());
++#if POPPLER_CHECK_VERSION(0,64,0)
++  const char *name = args[0].getName();
++#else
++  char *name = args[0].getName();
++#endif
+ #if defined(POPPLER_NEW_OBJECT_API)
+   if ((obj1 = res->lookupXObject(name)).isNull()) {
+ #else
+@@ -3656,7 +3669,6 @@ void PdfParser::opBeginImage(Object /*args*/[], int /*numArgs*/)
+ Stream *PdfParser::buildImageStream() {
+   Object dict;
+   Object obj;
+-  char *key;
+   Stream *str;
+ 
+   // build dictionary
+@@ -3674,26 +3686,17 @@ Stream *PdfParser::buildImageStream() {
+       obj.free();
+ #endif
+     } else {
+-      key = copyString(obj.getName());
+-#if defined(POPPLER_NEW_OBJECT_API)
+-      obj = parser->getObj();
+-#else
+-      obj.free();
+-      parser->getObj(&obj);
+-#endif
+-      if (obj.isEOF() || obj.isError()) {
+-	gfree(key);
++      Object obj2;
++      _POPPLER_CALL(obj2, parser->getObj);
++      if (obj2.isEOF() || obj2.isError()) {
++        _POPPLER_FREE(obj);
+ 	break;
+       }
+-#if defined(POPPLER_NEW_OBJECT_API)
+-      dict.dictAdd(key, std::move(obj));
+-    }
+-    obj = parser->getObj();
+-#else
+-      dict.dictAdd(key, &obj);
++      _POPPLER_DICTADD(dict, obj.getName(), obj2);
++      _POPPLER_FREE(obj);
++      _POPPLER_FREE(obj2);
+     }
+-    parser->getObj(&obj);
+-#endif
++    _POPPLER_CALL(obj, parser->getObj);
+   }
+   if (obj.isEOF()) {
+     error(errSyntaxError, getPos(), "End of file in inline image");
+diff --git a/src/extension/internal/pdfinput/pdf-parser.h b/src/extension/internal/pdfinput/pdf-parser.h
+--- a/src/extension/internal/pdfinput/pdf-parser.h
++++ b/src/extension/internal/pdfinput/pdf-parser.h
+@@ -9,6 +9,7 @@
+ #define PDF_PARSER_H
+ 
+ #ifdef HAVE_POPPLER
++#include "poppler-transition-api.h"
+ 
+ #ifdef USE_GCC_PRAGMAS
+ #pragma interface
+@@ -25,6 +26,7 @@ namespace Inkscape {
+ // TODO clean up and remove using:
+ using Inkscape::Extension::Internal::SvgBuilder;
+ 
++#include "glib/poppler-features.h"
+ #include "goo/gtypes.h"
+ #include "Object.h"
+ 
+@@ -127,11 +129,14 @@ public:
+ 
+   // Constructor for regular output.
+   PdfParser(XRef *xrefA, SvgBuilder *builderA, int pageNum, int rotate,
+-            Dict *resDict, PDFRectangle *box, PDFRectangle *cropBox);
++            Dict *resDict,
++            _POPPLER_CONST PDFRectangle *box,
++            _POPPLER_CONST PDFRectangle *cropBox);
+ 
+   // Constructor for a sub-page object.
+   PdfParser(XRef *xrefA, Inkscape::Extension::Internal::SvgBuilder *builderA,
+-            Dict *resDict, PDFRectangle *box);
++            Dict *resDict,
++            _POPPLER_CONST PDFRectangle *box);
+ 
+   virtual ~PdfParser();
+ 
+@@ -185,7 +190,7 @@ private:
+ 
+   void go(GBool topLevel);
+   void execOp(Object *cmd, Object args[], int numArgs);
+-  PdfOperator *findOp(char *name);
++  PdfOperator *findOp(const char *name);
+   GBool checkArg(Object *arg, TchkType type);
+   int getPos();
+ 
+@@ -256,7 +261,7 @@ private:
+ 			   double x2, double y2, GfxColor *color2,
+ 			   int nComps, int depth);
+   void doPatchMeshShFill(GfxPatchMeshShading *shading);
+-  void fillPatch(GfxPatch *patch, int nComps, int depth);
++  void fillPatch(_POPPLER_CONST GfxPatch *patch, int nComps, int depth);
+   void doEndPath();
+ 
+   // path clipping operators
+@@ -287,7 +292,12 @@ private:
+   void opMoveShowText(Object args[], int numArgs);
+   void opMoveSetShowText(Object args[], int numArgs);
+   void opShowSpaceText(Object args[], int numArgs);
++#if POPPLER_CHECK_VERSION(0,64,0)
+   void doShowText(const GooString *s);
++#else
++  void doShowText(GooString *s);
++#endif
++  
+ 
+   // XObject operators
+   void opXObject(Object args[], int numArgs);
+diff --git a/src/extension/internal/pdfinput/poppler-transition-api.h b/src/extension/internal/pdfinput/poppler-transition-api.h
+new file mode 100644
+--- /dev/null
++++ b/src/extension/internal/pdfinput/poppler-transition-api.h
+@@ -0,0 +1,39 @@
++#ifndef SEEN_POPPLER_TRANSITION_API_H
++#define SEEN_POPPLER_TRANSITION_API_H
++
++#include <glib/poppler-features.h>
++
++#if POPPLER_CHECK_VERSION(0,70,0)
++#define _POPPLER_CONST const
++#else
++#define _POPPLER_CONST
++#endif
++
++#if POPPLER_CHECK_VERSION(0,69,0)
++#define _POPPLER_DICTADD(dict, key, obj) (dict).dictAdd(key, std::move(obj))
++#elif POPPLER_CHECK_VERSION(0,58,0)
++#define _POPPLER_DICTADD(dict, key, obj) (dict).dictAdd(copyString(key), std::move(obj))
++#else
++#define _POPPLER_DICTADD(dict, key, obj) (dict).dictAdd(copyString(key), &obj)
++#endif
++
++#if POPPLER_CHECK_VERSION(0,58,0)
++#define POPPLER_NEW_OBJECT_API
++#define _POPPLER_FREE(obj)
++#define _POPPLER_CALL(ret, func) (ret = func())
++#define _POPPLER_CALL_ARGS(ret, func, ...) (ret = func(__VA_ARGS__))
++#else
++#define _POPPLER_FREE(obj) (obj).free()
++#define _POPPLER_CALL(ret, func) (*func(&ret))
++#define _POPPLER_CALL_ARGS(ret, func, ...) (*func(__VA_ARGS__, &ret))
++#endif
++
++#if POPPLER_CHECK_VERSION(0, 29, 0)
++#define POPPLER_EVEN_NEWER_NEW_COLOR_SPACE_API
++#endif
++
++#if POPPLER_CHECK_VERSION(0, 25, 0)
++#define POPPLER_EVEN_NEWER_COLOR_SPACE_API
++#endif
++
++#endif
+diff --git a/src/extension/internal/pdfinput/svg-builder.cpp b/src/extension/internal/pdfinput/svg-builder.cpp
+--- a/src/extension/internal/pdfinput/svg-builder.cpp
++++ b/src/extension/internal/pdfinput/svg-builder.cpp
+@@ -625,7 +625,7 @@ gchar *SvgBuilder::_createPattern(GfxPattern *pattern, GfxState *state, bool is_
+     if ( pattern != NULL ) {
+         if ( pattern->getType() == 2 ) {  // Shading pattern
+             GfxShadingPattern *shading_pattern = static_cast<GfxShadingPattern *>(pattern);
+-            double *ptm;
++            const double *ptm;
+             double m[6] = {1, 0, 0, 1, 0, 0};
+             double det;
+ 
+@@ -672,7 +672,7 @@ gchar *SvgBuilder::_createTilingPattern(GfxTilingPattern *tiling_pattern,
+ 
+     Inkscape::XML::Node *pattern_node = _xml_doc->createElement("svg:pattern");
+     // Set pattern transform matrix
+-    double *p2u = tiling_pattern->getMatrix();
++    const double *p2u = tiling_pattern->getMatrix();
+     double m[6] = {1, 0, 0, 1, 0, 0};
+     double det;
+     det = _ttm[0] * _ttm[3] - _ttm[1] * _ttm[2];    // see LP Bug 1168908
+@@ -698,7 +698,7 @@ gchar *SvgBuilder::_createTilingPattern(GfxTilingPattern *tiling_pattern,
+     pattern_node->setAttribute("patternUnits", "userSpaceOnUse");
+     // Set pattern tiling
+     // FIXME: don't ignore XStep and YStep
+-    double *bbox = tiling_pattern->getBBox();
++    const double *bbox = tiling_pattern->getBBox();
+     sp_repr_set_svg_double(pattern_node, "x", 0.0);
+     sp_repr_set_svg_double(pattern_node, "y", 0.0);
+     sp_repr_set_svg_double(pattern_node, "width", bbox[2] - bbox[0]);
+@@ -751,7 +751,7 @@ gchar *SvgBuilder::_createTilingPattern(GfxTilingPattern *tiling_pattern,
+  */
+ gchar *SvgBuilder::_createGradient(GfxShading *shading, double *matrix, bool for_shading) {
+     Inkscape::XML::Node *gradient;
+-    Function *func;
++    _POPPLER_CONST Function *func;
+     int num_funcs;
+     bool extend0, extend1;
+ 
+@@ -865,7 +865,7 @@ static bool svgGetShadingColorRGB(GfxShading *shading, double offset, GfxRGB *re
+ 
+ #define INT_EPSILON 8
+ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *shading,
+-                                   Function *func) {
++                                   _POPPLER_CONST Function *func) {
+     int type = func->getType();
+     if ( type == 0 || type == 2 ) {  // Sampled or exponential function
+         GfxRGB stop1, stop2;
+@@ -877,9 +877,9 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh
+             _addStopToGradient(gradient, 1.0, &stop2, 1.0);
+         }
+     } else if ( type == 3 ) { // Stitching
+-        StitchingFunction *stitchingFunc = static_cast<StitchingFunction*>(func);
+-        double *bounds = stitchingFunc->getBounds();
+-        double *encode = stitchingFunc->getEncode();
++        auto stitchingFunc = static_cast<_POPPLER_CONST StitchingFunction*>(func);
++        const double *bounds = stitchingFunc->getBounds();
++        const double *encode = stitchingFunc->getEncode();
+         int num_funcs = stitchingFunc->getNumFuncs();
+ 
+         // Add stops from all the stitched functions
+@@ -890,7 +890,7 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh
+             svgGetShadingColorRGB(shading, bounds[i + 1], &color);
+             // Add stops
+             if (stitchingFunc->getFunc(i)->getType() == 2) {    // process exponential fxn
+-                double expE = (static_cast<ExponentialFunction*>(stitchingFunc->getFunc(i)))->getE();
++                double expE = (static_cast<_POPPLER_CONST ExponentialFunction*>(stitchingFunc->getFunc(i)))->getE();
+                 if (expE > 1.0) {
+                     expE = (bounds[i + 1] - bounds[i])/expE;    // approximate exponential as a single straight line at x=1
+                     if (encode[2*i] == 0) {    // normal sequence
+@@ -1020,9 +1020,9 @@ void SvgBuilder::updateFont(GfxState *state) {
+     GfxFont *font = state->getFont();
+     // Store original name
+     if (font->getName()) {
+-        _font_specification = g_strdup(font->getName()->getCString());
++        _font_specification = font->getName()->getCString();
+     } else {
+-        _font_specification = (char*) "Arial";
++        _font_specification = "Arial";
+     }
+ 
+     // Prune the font name to get the correct font family name
+@@ -1030,7 +1030,7 @@ void SvgBuilder::updateFont(GfxState *state) {
+     char *font_family = NULL;
+     char *font_style = NULL;
+     char *font_style_lowercase = NULL;
+-    char *plus_sign = strstr(_font_specification, "+");
++    const char *plus_sign = strstr(_font_specification, "+");
+     if (plus_sign) {
+         font_family = g_strdup(plus_sign + 1);
+         _font_specification = plus_sign + 1;
+@@ -1148,7 +1148,7 @@ void SvgBuilder::updateFont(GfxState *state) {
+     Inkscape::CSSOStringStream os_font_size;
+     double css_font_size = _font_scaling * state->getFontSize();
+     if ( font->getType() == fontType3 ) {
+-        double *font_matrix = font->getFontMatrix();
++        const double *font_matrix = font->getFontMatrix();
+         if ( font_matrix[0] != 0.0 ) {
+             css_font_size *= font_matrix[3] / font_matrix[0];
+         }
+@@ -1193,7 +1193,7 @@ void SvgBuilder::updateTextPosition(double tx, double ty) {
+ void SvgBuilder::updateTextMatrix(GfxState *state) {
+     _flushText();
+     // Update text matrix
+-    double *text_matrix = state->getTextMat();
++    const double *text_matrix = state->getTextMat();
+     double w_scale = sqrt( text_matrix[0] * text_matrix[0] + text_matrix[2] * text_matrix[2] );
+     double h_scale = sqrt( text_matrix[1] * text_matrix[1] + text_matrix[3] * text_matrix[3] );
+     double max_scale;
+diff --git a/src/extension/internal/pdfinput/svg-builder.h b/src/extension/internal/pdfinput/svg-builder.h
+--- a/src/extension/internal/pdfinput/svg-builder.h
++++ b/src/extension/internal/pdfinput/svg-builder.h
+@@ -15,6 +15,7 @@
+ #endif
+ 
+ #ifdef HAVE_POPPLER
++#include "poppler-transition-api.h"
+ 
+ class SPDocument;
+ namespace Inkscape {
+@@ -80,7 +81,7 @@ struct SvgGlyph {
+     bool style_changed;  // Set to true if style has to be reset
+     SPCSSAttr *style;
+     int render_mode;    // Text render mode
+-    char *font_specification;   // Pointer to current font specification
++    const char *font_specification;   // Pointer to current font specification
+ };
+ 
+ /**
+@@ -174,7 +175,7 @@ private:
+     void _addStopToGradient(Inkscape::XML::Node *gradient, double offset,
+                             GfxRGB *color, double opacity);
+     bool _addGradientStops(Inkscape::XML::Node *gradient, GfxShading *shading,
+-                           Function *func);
++                           _POPPLER_CONST Function *func);
+     gchar *_createTilingPattern(GfxTilingPattern *tiling_pattern, GfxState *state,
+                                 bool is_stroke=false);
+     // Image/mask creation
+@@ -202,7 +203,7 @@ private:
+ 
+     SPCSSAttr *_font_style;          // Current font style
+     GfxFont *_current_font;
+-    char *_font_specification;
++    const char *_font_specification;
+     double _font_scaling;
+     bool _need_font_update;
+     Geom::Affine _text_matrix;
diff --git a/gnu/packages/patches/json-glib-fix-tests-32bit.patch b/gnu/packages/patches/json-glib-fix-tests-32bit.patch
deleted file mode 100644
index 77ea134915..0000000000
--- a/gnu/packages/patches/json-glib-fix-tests-32bit.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-Fix floating point issues on 32-bit platforms:
-
-https://gitlab.gnome.org/GNOME/json-glib/issues/27
-
-This is an amalgamation of the following upstream commits:
-https://gitlab.gnome.org/GNOME/json-glib/commit/70e2648e02232c1a439a7418388f18fee9afb3fe
-https://gitlab.gnome.org/GNOME/json-glib/commit/675e27505776a1d77fa1ffd1974284890caec1f4
-
-diff --git a/json-glib/tests/json-test-utils.h b/json-glib/tests/json-test-utils.h
-new file mode 100644
-index 0000000..83a02c6
---- /dev/null
-+++ b/json-glib/tests/json-test-utils.h
-@@ -0,0 +1,21 @@
-+#include <string.h>
-+#include <math.h>
-+#include <float.h>
-+#include <glib.h>
-+#include <json-glib/json-glib.h>
-+
-+#define json_fuzzy_equals(n1,n2,epsilon) \
-+  (((n1) > (n2) ? ((n1) - (n2)) : ((n2) - (n1))) < (epsilon))
-+
-+#define json_assert_fuzzy_equals(n1,n2,epsilon) \
-+  G_STMT_START { \
-+    double __n1 = (n1), __n2 = (n2), __epsilon = (epsilon); \
-+    if (json_fuzzy_equals (__n1, __n2, __epsilon)) ; else { \
-+      g_assertion_message_cmpnum (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
-+                                  #n1 " == " #n2 " (+/- " #epsilon ")", \
-+                                  __n1, "==", __n2, 'f'); \
-+    } \
-+  } G_STMT_END
-+
-+#define json_assert_almost_equals(n1,n2) \
-+  json_assert_fuzzy_equals (n1, n2, DBL_EPSILON)
-diff --git a/json-glib/tests/array.c b/json-glib/tests/array.c
-index 98afeab..426cd72 100644
---- a/json-glib/tests/array.c
-+++ b/json-glib/tests/array.c
-@@ -1,9 +1,4 @@
--#include <stdio.h>
--#include <stdlib.h>
--#include <string.h>
--
--#include <glib.h>
--#include <json-glib/json-glib.h>
-+#include "json-test-utils.h"
- 
- static void
- test_empty_array (void)
-@@ -37,7 +32,7 @@ test_add_element (void)
- 
-   json_array_add_double_element (array, 3.14);
-   g_assert_cmpint (json_array_get_length (array), ==, 3);
--  g_assert_cmpfloat (json_array_get_double_element (array, 2), ==, 3.14);
-+  json_assert_fuzzy_equals (json_array_get_double_element (array, 2), 3.14, 0.001);
- 
-   json_array_add_boolean_element (array, TRUE);
-   g_assert_cmpint (json_array_get_length (array), ==, 4);
-diff --git a/json-glib/tests/node.c b/json-glib/tests/node.c
-index 23bda63..80beb78 100644
---- a/json-glib/tests/node.c
-+++ b/json-glib/tests/node.c
-@@ -1,6 +1,4 @@
--#include <glib.h>
--#include <json-glib/json-glib.h>
--#include <string.h>
-+#include "json-test-utils.h"
- 
- static void
- test_init_int (void)
-@@ -19,7 +17,7 @@ test_init_double (void)
-   JsonNode *node = json_node_new (JSON_NODE_VALUE);
- 
-   json_node_set_double (node, 3.14159);
--  g_assert_cmpfloat (json_node_get_double (node), ==, 3.14159);
-+  json_assert_fuzzy_equals (json_node_get_double (node), 3.14159, 0.00001);
- 
-   json_node_free (node);
- }
-@@ -119,13 +117,13 @@ test_get_int (void)
- 
-   json_node_set_int (node, 0);
-   g_assert_cmpint (json_node_get_int (node), ==, 0);
--  g_assert_cmpfloat (json_node_get_double (node), ==, 0.0);
-+  json_assert_almost_equals (json_node_get_double (node), 0.0);
-   g_assert (!json_node_get_boolean (node));
-   g_assert (!json_node_is_null (node));
- 
-   json_node_set_int (node, 42);
-   g_assert_cmpint (json_node_get_int (node), ==, 42);
--  g_assert_cmpfloat (json_node_get_double (node), ==, 42.0);
-+  json_assert_almost_equals (json_node_get_double (node), 42.0);
-   g_assert (json_node_get_boolean (node));
-   g_assert (!json_node_is_null (node));
- 
-@@ -138,7 +136,7 @@ test_get_double (void)
-   JsonNode *node = json_node_new (JSON_NODE_VALUE);
- 
-   json_node_set_double (node, 3.14);
--  g_assert_cmpfloat (json_node_get_double (node), ==, 3.14);
-+  json_assert_fuzzy_equals (json_node_get_double (node), 3.14, 0.001);
-   g_assert_cmpint (json_node_get_int (node), ==, 3);
-   g_assert (json_node_get_boolean (node));
- 
-@@ -232,9 +230,9 @@ test_gvalue_autopromotion (void)
-     g_print ("Expecting a gdouble, got a %s\n", g_type_name (G_VALUE_TYPE (&check))); 
- 
-   g_assert_cmpint (G_VALUE_TYPE (&check), ==, G_TYPE_DOUBLE);
--  g_assert_cmpfloat ((float) g_value_get_double (&check), ==, 3.14159f);
-+  json_assert_fuzzy_equals (g_value_get_double (&check), 3.14159, 0.00001);
-   g_assert_cmpint (G_VALUE_TYPE (&value), !=, G_VALUE_TYPE (&check));
--  g_assert_cmpfloat ((gdouble) g_value_get_float (&value), ==, g_value_get_double (&check));
-+  json_assert_almost_equals (g_value_get_float (&value), g_value_get_double (&check));
- 
-   g_value_unset (&value);
-   g_value_unset (&check);
-diff --git a/json-glib/tests/parser.c b/json-glib/tests/parser.c
-index f71584a..8c52a1d 100644
---- a/json-glib/tests/parser.c
-+++ b/json-glib/tests/parser.c
-@@ -1,11 +1,5 @@
--#include "config.h"
--
-+#include "json-test-utils.h"
- #include <stdlib.h>
--#include <stdio.h>
--
--#include <glib.h>
--
--#include <json-glib/json-glib.h>
- 
- static const gchar *test_empty_string = "";
- static const gchar *test_empty_array_string = "[ ]";
-@@ -38,13 +32,13 @@ verify_string_value (JsonNode *node)
- static void
- verify_double_value (JsonNode *node)
- {
--  g_assert_cmpfloat (10.2e3, ==, json_node_get_double (node));
-+  json_assert_fuzzy_equals (10.2e3, json_node_get_double (node), 0.1);
- }
- 
- static void
- verify_negative_double_value (JsonNode *node)
- {
--  g_assert_cmpfloat (-3.14, ==, json_node_get_double (node));
-+  json_assert_fuzzy_equals (-3.14, json_node_get_double (node), 0.01);
- }
- 
- static const struct {
-diff --git a/json-glib/tests/reader.c b/json-glib/tests/reader.c
-index 43a6aac..9bab312 100644
---- a/json-glib/tests/reader.c
-+++ b/json-glib/tests/reader.c
-@@ -1,9 +1,4 @@
--#include <stdlib.h>
--#include <stdio.h>
--
--#include <glib.h>
--
--#include <json-glib/json-glib.h>
-+#include "json-test-utils.h"
- 
- static const gchar *test_base_array_data =
- "[ 0, true, null, \"foo\", 3.14, [ false ], { \"bar\" : 42 } ]";
-@@ -78,7 +73,7 @@ test_base_object (void)
-   g_assert (json_reader_get_error (reader) == NULL);
- 
-   json_reader_read_member (reader, "double");
--  g_assert_cmpfloat (json_reader_get_double_value (reader), ==, 42.47);
-+  json_assert_fuzzy_equals (json_reader_get_double_value (reader), 42.47, 0.01);
-   json_reader_end_element (reader);
- 
-   g_object_unref (reader);
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
deleted file mode 100644
index ba03c83847..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2017-18013.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-18013:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2770
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
-
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
- dereference on corrupted file. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2770
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 9959d353..8deceb2b 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
- 			    (unsigned long) s,
--			    (unsigned __int64) td->td_stripoffset[s],
--			    (unsigned __int64) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
- 			    (unsigned long) s,
--			    (unsigned long long) td->td_stripoffset[s],
--			    (unsigned long long) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- 	}
- }
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
deleted file mode 100644
index 5685d81f68..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2017-9935.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2017-9935
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
-http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
-
-From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page.  Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c |  3 +++
- tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
- 2 files changed, 47 insertions(+), 21 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 2ccaf448..cbf2b693 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
- 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
-+			} else {
-+				*va_arg(ap, uint16**) = NULL;
-+				*va_arg(ap, uint16**) = NULL;
- 			}
- 			break;
- 		case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index d1a9b095..c3ec0746 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16 pagen=0;
- 	uint16 paged=0;
- 	uint16 xuint16=0;
-+	uint16 tiff_transferfunctioncount=0;
-+	float* tiff_transferfunction[3];
- 
- 	directorycount=TIFFNumberOfDirectories(input);
- 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-                 }
- #endif
- 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
--                                 &(t2p->tiff_transferfunction[0]),
--                                 &(t2p->tiff_transferfunction[1]),
--                                 &(t2p->tiff_transferfunction[2]))) {
--			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[1] !=
--                            t2p->tiff_transferfunction[0])) {
--				t2p->tiff_transferfunctioncount = 3;
--				t2p->tiff_pages[i].page_extra += 4;
--				t2p->pdf_xrefcount += 4;
--			} else {
--				t2p->tiff_transferfunctioncount = 1;
--				t2p->tiff_pages[i].page_extra += 2;
--				t2p->pdf_xrefcount += 2;
--			}
--			if(t2p->pdf_minorversion < 2)
--				t2p->pdf_minorversion = 2;
-+                                 &(tiff_transferfunction[0]),
-+                                 &(tiff_transferfunction[1]),
-+                                 &(tiff_transferfunction[2]))) {
-+
-+                        if((tiff_transferfunction[1] != (float*) NULL) &&
-+                           (tiff_transferfunction[2] != (float*) NULL)
-+                          ) {
-+                            tiff_transferfunctioncount=3;
-+                        } else {
-+                            tiff_transferfunctioncount=1;
-+                        }
-                 } else {
--			t2p->tiff_transferfunctioncount=0;
-+			tiff_transferfunctioncount=0;
- 		}
-+
-+                if (i > 0){
-+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+                        TIFFError(
-+                            TIFF2PDF_MODULE,
-+                            "Different transfer function on page %d",
-+                            i);
-+                        t2p->t2p_error = T2P_ERR_ERROR;
-+                        return;
-+                    }
-+                }
-+
-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+                if(tiff_transferfunctioncount == 3){
-+                        t2p->tiff_pages[i].page_extra += 4;
-+                        t2p->pdf_xrefcount += 4;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                } else if (tiff_transferfunctioncount == 1){
-+                        t2p->tiff_pages[i].page_extra += 2;
-+                        t2p->pdf_xrefcount += 2;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                }
-+
- 		if( TIFFGetField(
- 			input, 
- 			TIFFTAG_ICCPROFILE, 
-@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- 			 &(t2p->tiff_transferfunction[1]),
- 			 &(t2p->tiff_transferfunction[2]))) {
- 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[1] !=
--                    t2p->tiff_transferfunction[0])) {
-+                   (t2p->tiff_transferfunction[2] != (float*) NULL)
-+                  ) {
- 			t2p->tiff_transferfunctioncount=3;
- 		} else {
- 			t2p->tiff_transferfunctioncount=1;
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/libtiff-CVE-2018-10963.patch b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
deleted file mode 100644
index d31c12399d..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2018-10963.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fix CVE-2018-10963:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2795
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
-
-From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 14:24:15 +0200
-Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
-
----
- libtiff/tif_dirwrite.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 2430de6d..c15a28db 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- 								}
- 								break;
- 							default:
--								assert(0);   /* we should never get here */
--								break;
-+								TIFFErrorExt(tif->tif_clientdata,module,
-+								            "Cannot write tag %d (%s)",
-+								            TIFFFieldTag(o),
-+                                                                            o->field_name ? o->field_name : "unknown");
-+								goto bad;
- 						}
- 					}
- 				}
--- 
-2.17.0
-
diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
deleted file mode 100644
index f49815789e..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2018-8905.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2018-8095:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2780
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d
-
-From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 15:32:31 +0200
-Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
-
-The fix consists in using the similar code LZWDecode() to validate we
-don't write outside of the output buffer.
----
- libtiff/tif_lzw.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index 4ccb443c..94d85e38 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 	char *tp;
- 	unsigned char *bp;
- 	int code, nbits;
-+	int len;
- 	long nextbits, nextdata, nbitsmask;
- 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
- 
-@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 				}  while (--occ);
- 				break;
- 			}
--			assert(occ >= codep->length);
--			op += codep->length;
--			occ -= codep->length;
--			tp = op;
-+			len = codep->length;
-+			tp = op + len;
- 			do {
--				*--tp = codep->value;
--			} while( (codep = codep->next) != NULL );
-+				int t;
-+				--tp;
-+				t = codep->value;
-+				codep = codep->next;
-+				*tp = (char)t;
-+			} while (codep && tp > op);
-+			assert(occ >= len);
-+			op += len;
-+			occ -= len;
- 		} else {
- 			*op++ = (char)code;
- 			occ--;
--- 
-2.17.0
-
diff --git a/gnu/packages/patches/poppler-CVE-2018-19149.patch b/gnu/packages/patches/poppler-CVE-2018-19149.patch
deleted file mode 100644
index 3641f5f078..0000000000
--- a/gnu/packages/patches/poppler-CVE-2018-19149.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-Fix CVE-2018-19149:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149
-https://gitlab.freedesktop.org/poppler/poppler/issues/664
-
-Patch copied from upstream source repository:
-
-https://gitlab.freedesktop.org/poppler/poppler/commit/f162ecdea0dda5dbbdb45503c1d55d9afaa41d44
-
-From f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 Mon Sep 17 00:00:00 2001
-From: Marek Kasik <mkasik@redhat.com>
-Date: Fri, 20 Apr 2018 11:38:13 +0200
-Subject: [PATCH] Fix crash on missing embedded file
-
-Check whether an embedded file is actually present in the PDF
-and show warning in that case.
-
-https://bugs.freedesktop.org/show_bug.cgi?id=106137
-https://gitlab.freedesktop.org/poppler/poppler/issues/236
----
- glib/poppler-attachment.cc | 26 +++++++++++++++++---------
- glib/poppler-document.cc   |  3 ++-
- 2 files changed, 19 insertions(+), 10 deletions(-)
-
-diff --git a/glib/poppler-attachment.cc b/glib/poppler-attachment.cc
-index c6502e9d..11ba5bb5 100644
---- a/glib/poppler-attachment.cc
-+++ b/glib/poppler-attachment.cc
-@@ -111,17 +111,25 @@ _poppler_attachment_new (FileSpec *emb_file)
-     attachment->description = _poppler_goo_string_to_utf8 (emb_file->getDescription ());
- 
-   embFile = emb_file->getEmbeddedFile();
--  attachment->size = embFile->size ();
-+  if (embFile != NULL && embFile->streamObject()->isStream())
-+    {
-+      attachment->size = embFile->size ();
- 
--  if (embFile->createDate ())
--    _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime);
--  if (embFile->modDate ())
--    _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime);
-+      if (embFile->createDate ())
-+        _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime);
-+      if (embFile->modDate ())
-+        _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime);
- 
--  if (embFile->checksum () && embFile->checksum ()->getLength () > 0)
--    attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (),
--                                             embFile->checksum ()->getLength ());
--  priv->obj_stream = embFile->streamObject()->copy();
-+      if (embFile->checksum () && embFile->checksum ()->getLength () > 0)
-+        attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (),
-+                                                 embFile->checksum ()->getLength ());
-+      priv->obj_stream = embFile->streamObject()->copy();
-+    }
-+  else
-+    {
-+      g_warning ("Missing stream object for embedded file");
-+      g_clear_object (&attachment);
-+    }
- 
-   return attachment;
- }
-diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc
-index 83f6aea6..ea319344 100644
---- a/glib/poppler-document.cc
-+++ b/glib/poppler-document.cc
-@@ -670,7 +670,8 @@ poppler_document_get_attachments (PopplerDocument *document)
-       attachment = _poppler_attachment_new (emb_file);
-       delete emb_file;
- 
--      retval = g_list_prepend (retval, attachment);
-+      if (attachment != NULL)
-+        retval = g_list_prepend (retval, attachment);
-     }
-   return g_list_reverse (retval);
- }
--- 
-2.19.1
-
diff --git a/gnu/packages/patches/postgresql-disable-resolve_symlinks.patch b/gnu/packages/patches/postgresql-disable-resolve_symlinks.patch
new file mode 100644
index 0000000000..97ef6928fe
--- /dev/null
+++ b/gnu/packages/patches/postgresql-disable-resolve_symlinks.patch
@@ -0,0 +1,25 @@
+From 223c82d1d6ed1f29f26307249827ff679e09c780 Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Sat, 28 Jul 2018 12:22:12 +0200
+Subject: [PATCH] disable resolve_symlink
+
+---
+ src/common/exec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/common/exec.c b/src/common/exec.c
+index 878fc29..6b3e283 100644
+--- a/src/common/exec.c
++++ b/src/common/exec.c
+@@ -218,6 +218,8 @@ find_my_exec(const char *argv0, char *retpath)
+ static int
+ resolve_symlinks(char *path)
+ {
++	// On GuixSD we *want* stuff relative to symlinks.
++	return 0;
+ #ifdef HAVE_READLINK
+ 	struct stat buf;
+ 	char		orig_wd[MAXPGPATH],
+--
+2.18.0
+
diff --git a/gnu/packages/patches/texlive-bin-luatex-poppler-compat.patch b/gnu/packages/patches/texlive-bin-luatex-poppler-compat.patch
new file mode 100644
index 0000000000..d8b9bf172a
--- /dev/null
+++ b/gnu/packages/patches/texlive-bin-luatex-poppler-compat.patch
@@ -0,0 +1,318 @@
+Fix LuaTeX compatibility with Poppler 0.72.
+
+Upstream LuaTeX have moved from Poppler to "pplib" and thus upstream
+fixes are unavailable.  This is based on Arch Linux patches, with minor
+changes for Poppler 0.72:
+https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/texlive-bin&id=f1b424435c8fa31d9296c7a6dc17f939a8332780
+
+diff --git a/texk/web2c/luatexdir/image/pdftoepdf.w b/texk/web2c/luatexdir/image/pdftoepdf.w
+--- a/texk/web2c/luatexdir/image/pdftoepdf.w
++++ b/texk/web2c/luatexdir/image/pdftoepdf.w
+@@ -35,7 +35,7 @@
+ 
+ extern void md5(Guchar *msg, int msgLen, Guchar *digest);
+ 
+-static GBool isInit = gFalse;
++static bool isInit = false;
+ 
+ /* Maintain AVL tree of all PDF files for embedding */
+ 
+@@ -363,10 +363,10 @@ void copyReal(PDF pdf, double d)
+ 
+ static void copyString(PDF pdf, GooString * string)
+ {
+-    char *p;
++    const char *p;
+     unsigned char c;
+     size_t i, l;
+-    p = string->getCString();
++    p = string->c_str();
+     l = (size_t) string->getLength();
+     if (pdf->cave)
+         pdf_out(pdf, ' ');
+@@ -393,7 +393,7 @@ static void copyString(PDF pdf, GooString * string)
+     pdf->cave = true;
+ }
+ 
+-static void copyName(PDF pdf, char *s)
++static void copyName(PDF pdf, const char *s)
+ {
+     pdf_out(pdf, '/');
+     for (; *s != 0; s++) {
+@@ -468,14 +468,14 @@ static void copyObject(PDF pdf, PdfDocument * pdf_doc, Object * obj)
+         break;
+     /*
+     case objNum:
+-        GBool isNum() { return type == objInt || type == objReal; }
++        bool isNum() { return type == objInt || type == objReal; }
+         break;
+     */
+     case objString:
+         copyString(pdf, (GooString *)obj->getString());
+         break;
+     case objName:
+-        copyName(pdf, (char *)obj->getName());
++        copyName(pdf, obj->getName());
+         break;
+     case objNull:
+         pdf_add_null(pdf);
+@@ -531,22 +531,22 @@ static PDFRectangle *get_pagebox(Page * page, int pagebox_spec)
+ {
+     switch (pagebox_spec) {
+         case PDF_BOX_SPEC_MEDIA:
+-            return page->getMediaBox();
++            return (PDFRectangle *) page->getMediaBox();
+             break;
+         case PDF_BOX_SPEC_CROP:
+-            return page->getCropBox();
++            return (PDFRectangle *) page->getCropBox();
+             break;
+         case PDF_BOX_SPEC_BLEED:
+-            return page->getBleedBox();
++            return (PDFRectangle *) page->getBleedBox();
+             break;
+         case PDF_BOX_SPEC_TRIM:
+-            return page->getTrimBox();
++            return (PDFRectangle *) page->getTrimBox();
+             break;
+         case PDF_BOX_SPEC_ART:
+-            return page->getArtBox();
++            return (PDFRectangle *) page->getArtBox();
+             break;
+         default:
+-            return page->getMediaBox();
++            return (PDFRectangle *) page->getMediaBox();
+             break;
+     }
+ }
+@@ -587,11 +587,11 @@ void read_pdf_info(image_dict * idict)
+     PDFRectangle *pagebox;
+     int pdf_major_version_found, pdf_minor_version_found;
+     float xsize, ysize, xorig, yorig;
+-    if (isInit == gFalse) {
++    if (isInit == false) {
+         if (!(globalParams))
+             globalParams = new GlobalParams();
+-        globalParams->setErrQuiet(gFalse);
+-        isInit = gTrue;
++        globalParams->setErrQuiet(false);
++        isInit = true;
+     }
+     if (img_type(idict) == IMG_TYPE_PDF)
+         pdf_doc = refPdfDocument(img_filepath(idict), FE_FAIL);
+@@ -966,7 +966,7 @@ void epdf_free()
+     if (PdfDocumentTree != NULL)
+         avl_destroy(PdfDocumentTree, destroyPdfDocument);
+     PdfDocumentTree = NULL;
+-    if (isInit == gTrue)
++    if (isInit == true)
+         delete globalParams;
+-    isInit = gFalse;
++    isInit = false;
+ }
+diff --git a/texk/web2c/luatexdir/lua/lepdflib.cc b/texk/web2c/luatexdir/lua/lepdflib.cc
+--- a/texk/web2c/luatexdir/lua/lepdflib.cc
++++ b/texk/web2c/luatexdir/lua/lepdflib.cc
+@@ -240,7 +240,7 @@ static int l_new_Attribute(lua_State * L)
+        if (uobj->pd != NULL && uobj->pd->pc != uobj->pc)
+           pdfdoc_changed_error(L);
+        uout = new_Attribute_userdata(L);
+-       uout->d = new Attribute(n, nlen, (Object *)uobj->d);
++       uout->d = new Attribute((GooString)n, (Object *)uobj->d);
+        uout->atype = ALLOC_LEPDF;
+        uout->pc = uobj->pc;
+        uout->pd = uobj->pd;
+@@ -439,7 +439,7 @@ static int l_new_Object(lua_State * L)
+       break;
+     case 1:
+       if (lua_isboolean (L,1)) {
+-	uout->d = new Object(lua_toboolean(L, 1)? gTrue : gFalse);
++	uout->d = new Object(lua_toboolean(L, 1)? true : false);
+ 	uout->atype = ALLOC_LEPDF;
+ 	uout->pc = 0;
+ 	uout->pd = NULL;
+@@ -596,7 +596,7 @@ static int m_##in##_##function(lua_State * L)                  \
+     uin = (udstruct *) luaL_checkudata(L, 1, M_##in);          \
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)             \
+         pdfdoc_changed_error(L);                               \
+-    o = ((in *) uin->d)->function();                           \
++    o = (out *) ((in *) uin->d)->function();                           \
+     if (o != NULL) {                                           \
+         uout = new_##out##_userdata(L);                        \
+         uout->d = o;                                           \
+@@ -676,7 +676,7 @@ static int m_##in##_##function(lua_State * L)                  \
+         pdfdoc_changed_error(L);                               \
+     gs = (GooString *)((in *) uin->d)->function();             \
+     if (gs != NULL)                                            \
+-        lua_pushlstring(L, gs->getCString(), gs->getLength()); \
++        lua_pushlstring(L, gs->c_str(), gs->getLength()); \
+     else                                                       \
+         lua_pushnil(L);                                        \
+     return 1;                                                  \
+@@ -911,7 +911,7 @@ static int m_Array_getString(lua_State * L)
+     if (i > 0 && i <= len) {
+         gs = new GooString();
+         if (((Array *) uin->d)->getString(i - 1, gs))
+-            lua_pushlstring(L, gs->getCString(), gs->getLength());
++            lua_pushlstring(L, gs->c_str(), gs->getLength());
+         else
+             lua_pushnil(L);
+         delete gs;
+@@ -1063,7 +1063,7 @@ static int m_Catalog_getJS(lua_State * L)
+     if (i > 0 && i <= len) {
+         gs = ((Catalog *) uin->d)->getJS(i - 1);
+         if (gs != NULL)
+-            lua_pushlstring(L, gs->getCString(), gs->getLength());
++            lua_pushlstring(L, gs->c_str(), gs->getLength());
+         else
+             lua_pushnil(L);
+         delete gs;
+@@ -1125,12 +1125,12 @@ m_poppler_get_INT(Dict, getLength);
+ 
+ static int m_Dict_add(lua_State * L)
+ {
+-    char *s;
++    const char *s;
+     udstruct *uin, *uobj;
+     uin = (udstruct *) luaL_checkudata(L, 1, M_Dict);
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+-    s = copyString(luaL_checkstring(L, 2));
++    s = luaL_checkstring(L, 2);
+     uobj = (udstruct *) luaL_checkudata(L, 3, M_Object);
+     ((Dict *) uin->d)->add(s, std::move(*((Object *) uobj->d)));
+     return 0;
+@@ -1378,7 +1378,7 @@ static int m_GooString__tostring(lua_State * L)
+     uin = (udstruct *) luaL_checkudata(L, 1, M_GooString);
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+-    lua_pushlstring(L, ((GooString *) uin->d)->getCString(),
++    lua_pushlstring(L, ((GooString *) uin->d)->c_str(),
+                     ((GooString *) uin->d)->getLength());
+     return 1;
+ }
+@@ -1527,9 +1527,9 @@ static int m_Object_initBool(lua_State * L)
+         pdfdoc_changed_error(L);
+     luaL_checktype(L, 2, LUA_TBOOLEAN);
+     if (lua_toboolean(L, 2) != 0)
+-        *((Object *) uin->d) = Object(gTrue);
++        *((Object *) uin->d) = Object(true);
+     else
+-        *((Object *) uin->d) = Object(gFalse);
++        *((Object *) uin->d) = Object(false);
+     return 0;
+ }
+ 
+@@ -1814,7 +1814,7 @@ static int m_Object_getString(lua_State * L)
+         pdfdoc_changed_error(L);
+     if (((Object *) uin->d)->isString()) {
+         gs = (GooString *)((Object *) uin->d)->getString();
+-        lua_pushlstring(L, gs->getCString(), gs->getLength());
++        lua_pushlstring(L, gs->c_str(), gs->getLength());
+     } else
+         lua_pushnil(L);
+     return 1;
+@@ -2051,7 +2051,7 @@ static int m_Object_dictAdd(lua_State * L)
+         pdfdoc_changed_error(L);
+     if (!((Object *) uin->d)->isDict())
+         luaL_error(L, "Object is not a Dict");
+-    ((Object *) uin->d)->dictAdd(copyString(s), std::move(*((Object *) uobj->d)));
++    ((Object *) uin->d)->dictAdd(s, std::move(*((Object *) uobj->d)));
+     return 0;
+ }
+ 
+@@ -2470,9 +2470,9 @@ static int m_PDFDoc_getFileName(lua_State * L)
+     uin = (udstruct *) luaL_checkudata(L, 1, M_PDFDoc);
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+-    gs = ((PdfDocument *) uin->d)->doc->getFileName();
++    gs = (GooString *) ((PdfDocument *) uin->d)->doc->getFileName();
+     if (gs != NULL)
+-        lua_pushlstring(L, gs->getCString(), gs->getLength());
++        lua_pushlstring(L, gs->c_str(), gs->getLength());
+     else
+         lua_pushnil(L);
+     return 1;
+@@ -2559,9 +2559,9 @@ static int m_PDFDoc_readMetadata(lua_State * L)
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+     if (((PdfDocument *) uin->d)->doc->getCatalog()->isOk()) {
+-        gs = ((PdfDocument *) uin->d)->doc->readMetadata();
++        gs = (GooString *) ((PdfDocument *) uin->d)->doc->readMetadata();
+         if (gs != NULL)
+-            lua_pushlstring(L, gs->getCString(), gs->getLength());
++            lua_pushlstring(L, gs->c_str(), gs->getLength());
+         else
+             lua_pushnil(L);
+     } else
+@@ -2577,7 +2577,7 @@ static int m_PDFDoc_getStructTreeRoot(lua_State * L)
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+     if (((PdfDocument *) uin->d)->doc->getCatalog()->isOk()) {
+-        obj = ((PdfDocument *) uin->d)->doc->getStructTreeRoot();
++        obj = (StructTreeRoot *) ((PdfDocument *) uin->d)->doc->getStructTreeRoot();
+         uout = new_StructTreeRoot_userdata(L);
+         uout->d = obj;
+         uout->pc = uin->pc;
+@@ -3038,12 +3038,12 @@ m_poppler_get_BOOL(Attribute, isHidden);
+ 
+ static int m_Attribute_setHidden(lua_State * L)
+ {
+-    GBool i;
++    bool i;
+     udstruct *uin;
+     uin = (udstruct *) luaL_checkudata(L, 1, M_Attribute);
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+-    i = (GBool) lua_toboolean(L, 2);
++    i = (bool) lua_toboolean(L, 2);
+     ((Attribute *) uin->d)->setHidden(i);
+     return 0;
+ }
+@@ -3180,7 +3180,7 @@ static int m_StructElement_getParentRef(lua_State * L)
+ // Ref is false if the C++ functione return false
+ static int m_StructElement_getPageRef(lua_State * L)
+ {
+-    GBool b;
++    bool b;
+     Ref *r;
+     udstruct *uin, *uout;
+     uin = (udstruct *) luaL_checkudata(L, 1, M_StructElement);
+@@ -3226,16 +3226,16 @@ static int m_StructElement_setRevision(lua_State * L)
+ 
+ static int m_StructElement_getText(lua_State * L)
+ {
+-    GBool i;
++    bool i;
+     GooString *gs;
+     udstruct *uin;
+     uin = (udstruct *) luaL_checkudata(L, 1, M_StructElement);
+     if (uin->pd != NULL && uin->pd->pc != uin->pc)
+         pdfdoc_changed_error(L);
+-    i = (GBool) lua_toboolean(L, 2);
++    i = (bool) lua_toboolean(L, 2);
+     gs =  ((StructElement *) uin->d)->getText(i);
+     if (gs != NULL)
+-        lua_pushlstring(L, gs->getCString(), gs->getLength());
++        lua_pushlstring(L, gs->c_str(), gs->getLength());
+     else
+         lua_pushnil(L);
+     return 1;
+@@ -3321,7 +3321,7 @@ static int m_StructElement_findAttribute(lua_State * L)
+ {
+     Attribute::Type t;
+     Attribute::Owner o;
+-    GBool g;
++    bool g;
+     udstruct *uin, *uout;
+     const Attribute *a;
+     uin = (udstruct *) luaL_checkudata(L, 1, M_StructElement);
+@@ -3329,7 +3329,7 @@ static int m_StructElement_findAttribute(lua_State * L)
+         pdfdoc_changed_error(L);
+     t = (Attribute::Type) luaL_checkint(L,1);
+     o = (Attribute::Owner) luaL_checkint(L,2);
+-    g = (GBool) lua_toboolean(L, 3);
++    g = (bool) lua_toboolean(L, 3);
+     a = ((StructElement *) uin->d)->findAttribute(t,g,o);
+ 
+     if (a!=NULL){
diff --git a/gnu/packages/patches/texlive-bin-pdftex-poppler-compat.patch b/gnu/packages/patches/texlive-bin-pdftex-poppler-compat.patch
new file mode 100644
index 0000000000..eba4733f32
--- /dev/null
+++ b/gnu/packages/patches/texlive-bin-pdftex-poppler-compat.patch
@@ -0,0 +1,188 @@
+Fix compatibility with Poppler 0.72.
+
+These files are taken from the upstream "poppler0.72.0.cc" variants and
+diffed against the "newpoppler" files from the 20180414 distribution.
+
+See revision 49336:
+https://tug.org/svn/texlive/trunk/Build/source/texk/web2c/pdftexdir/
+
+--- a/texk/web2c/pdftexdir/pdftoepdf-newpoppler.cc	1970-01-01 01:00:00.000000000 +0100
++++ b/texk/web2c/pdftexdir/pdftoepdf-newpoppler.cc	2018-12-09 21:14:58.479732695 +0100
+@@ -22,7 +22,7 @@
+ https://git.archlinux.org/svntogit/packages.git/plain/texlive-bin/trunk
+ by Arch Linux. A little modifications are made to avoid a crash for
+ some kind of pdf images, such as figure_missing.pdf in gnuplot.
+-The poppler should be 0.59.0 or newer versions.
++The poppler should be 0.72.0 or newer versions.
+ POPPLER_VERSION should be defined.
+ */
+ 
+@@ -120,7 +120,7 @@
+ 
+ static InObj *inObjList;
+ static UsedEncoding *encodingList;
+-static GBool isInit = gFalse;
++static bool isInit = false;
+ 
+ // --------------------------------------------------------------------
+ // Maintain list of open embedded PDF files
+@@ -317,7 +317,7 @@
+     pdf_puts("<<\n");
+     assert(r->type == objFont); // FontDescriptor is in fd_tree
+     for (i = 0, l = obj->dictGetLength(); i < l; ++i) {
+-        key = obj->dictGetKey(i);
++        key = (char *)obj->dictGetKey(i);
+         if (strncmp("FontDescriptor", key, strlen("FontDescriptor")) == 0
+             || strncmp("BaseFont", key, strlen("BaseFont")) == 0
+             || strncmp("Encoding", key, strlen("Encoding")) == 0)
+@@ -427,7 +427,7 @@
+         charset = fontdesc.dictLookup("CharSet");
+         if (!charset.isNull() &&
+             charset.isString() && is_subsetable(fontmap))
+-            epdf_mark_glyphs(fd, (char *)charset.getString()->getCString());
++            epdf_mark_glyphs(fd, (char *)charset.getString()->c_str());
+         else
+             embed_whole_font(fd);
+         addFontDesc(fontdescRef.getRef(), fd);
+@@ -454,7 +454,7 @@
+     for (i = 0, l = obj->dictGetLength(); i < l; ++i) {
+         fontRef = obj->dictGetValNF(i);
+         if (fontRef.isRef())
+-            copyFont(obj->dictGetKey(i), &fontRef);
++            copyFont((char *)obj->dictGetKey(i), &fontRef);
+         else if (fontRef.isDict()) {   // some programs generate pdf with embedded font object
+             copyName((char *)obj->dictGetKey(i));
+             pdf_puts(" ");
+@@ -566,7 +566,7 @@
+         pdf_printf("%s", convertNumToPDF(obj->getNum()));
+     } else if (obj->isString()) {
+         s = (GooString *)obj->getString();
+-        p = s->getCString();
++        p = (char *)s->c_str();
+         l = s->getLength();
+         if (strlen(p) == (unsigned int) l) {
+             pdf_puts("(");
+@@ -664,7 +664,7 @@
+                     ("PDF inclusion: CID fonts are not supported"
+                      " (try to disable font replacement to fix this)");
+             }
+-            if ((s = ((Gfx8BitFont *) r->font)->getCharName(i)) != 0)
++            if ((s = (char *)((Gfx8BitFont *) r->font)->getCharName(i)) != 0)
+                 glyphNames[i] = s;
+             else
+                 glyphNames[i] = notdef;
+@@ -683,7 +683,7 @@
+ }
+ 
+ // get the pagebox according to the pagebox_spec
+-static PDFRectangle *get_pagebox(Page * page, int pagebox_spec)
++static const PDFRectangle *get_pagebox(Page * page, int pagebox_spec)
+ {
+     if (pagebox_spec == pdfboxspecmedia)
+         return page->getMediaBox();
+@@ -715,7 +715,7 @@
+ {
+     PdfDocument *pdf_doc;
+     Page *page;
+-    PDFRectangle *pagebox;
++    const PDFRectangle *pagebox;
+ #ifdef POPPLER_VERSION
+     int pdf_major_version_found, pdf_minor_version_found;
+ #else
+@@ -724,8 +724,8 @@
+     // initialize
+     if (!isInit) {
+         globalParams = new GlobalParams();
+-        globalParams->setErrQuiet(gFalse);
+-        isInit = gTrue;
++        globalParams->setErrQuiet(false);
++        isInit = true;
+     }
+     // open PDF file
+     pdf_doc = find_add_document(image_name);
+@@ -849,7 +849,7 @@
+     pageObj = xref->fetch(pageRef->num, pageRef->gen);
+     pageDict = pageObj.getDict();
+     rotate = page->getRotate();
+-    PDFRectangle *pagebox;
++    const PDFRectangle *pagebox;
+     // write the Page header
+     pdf_puts("/Type /XObject\n");
+     pdf_puts("/Subtype /Form\n");
+@@ -977,7 +977,7 @@
+             }
+             l = dic1.getLength();
+             for (i = 0; i < l; i++) {
+-                groupDict.dictAdd(copyString(dic1.getKey(i)),
++                groupDict.dictAdd((const char *)copyString(dic1.getKey(i)),
+                                   dic1.getValNF(i));
+             }
+ // end modification
+@@ -1001,14 +1001,14 @@
+         pdf_puts("/Resources <<\n");
+         for (i = 0, l = obj1->dictGetLength(); i < l; ++i) {
+             obj2 = obj1->dictGetVal(i);
+-            key = obj1->dictGetKey(i);
++            key = (char *)obj1->dictGetKey(i);
+             if (strcmp("Font", key) == 0)
+                 copyFontResources(&obj2);
+             else if (strcmp("ProcSet", key) == 0)
+                 copyProcSet(&obj2);
+             else
+-                copyOtherResources(&obj2, key);
++                copyOtherResources(&obj2, (char *)key);
+         }
+         pdf_puts(">>\n");
+     }
+
+--- a/texk/web2c/pdftexdir/pdftosrc-newpoppler.cc	1970-01-01 01:00:00.000000000 +0100
++++ b/texk/web2c/pdftexdir/pdftosrc-newpoppler.cc	2018-12-09 21:14:58.479732695 +0100
+@@ -20,7 +20,7 @@
+ /*
+ This is based on the patch texlive-poppler-0.59.patch <2017-09-19> at
+ https://git.archlinux.org/svntogit/packages.git/plain/texlive-bin/trunk
+-by Arch Linux. The poppler should be 0.59.0 or newer versions.
++by Arch Linux. The poppler should be 0.72.0 or newer versions.
+ POPPLER_VERSION should be defined.
+ */
+ 
+@@ -109,7 +109,7 @@
+             fprintf(stderr, "No SourceName found\n");
+             exit(1);
+         }
+-        outname = (char *)srcName.getString()->getCString();
++        outname = (char *)srcName.getString()->c_str();
+         // We cannot free srcName, as objname shares its string.
+         // srcName.free();
+     } else if (objnum > 0) {
+@@ -118,7 +118,7 @@
+             fprintf(stderr, "Not a Stream object\n");
+             exit(1);
+         }
+-        sprintf(buf, "%s", fileName->getCString());
++        sprintf(buf, "%s", fileName->c_str());
+         if ((p = strrchr(buf, '.')) == 0)
+             p = strchr(buf, 0);
+         if (objgen == 0)
+@@ -128,7 +128,7 @@
+         outname = buf;
+     } else {                    // objnum < 0 means we are extracting the XRef table
+         extract_xref_table = true;
+-        sprintf(buf, "%s", fileName->getCString());
++        sprintf(buf, "%s", fileName->c_str());
+         if ((p = strrchr(buf, '.')) == 0)
+             p = strchr(buf, 0);
+         sprintf(p, ".xref");
+@@ -173,9 +173,9 @@
+ 
+                 // parse the header: object numbers and offsets
+                 objStr.streamReset();
+-                str = new EmbedStream(objStr.getStream(), Object(objNull), gTrue, first);
++                str = new EmbedStream(objStr.getStream(), Object(objNull), true, first);
+                 lexer = new Lexer(xref, str);
+-                parser = new Parser(xref, lexer, gFalse);
++                parser = new Parser(xref, lexer, false);
+                 for (n = 0; n < nObjects; ++n) {
+                     obj1 = parser->getObj();
+                     obj2 = parser->getObj();
+
diff --git a/gnu/packages/patches/texlive-bin-xetex-poppler-compat.patch b/gnu/packages/patches/texlive-bin-xetex-poppler-compat.patch
new file mode 100644
index 0000000000..cac716cc59
--- /dev/null
+++ b/gnu/packages/patches/texlive-bin-xetex-poppler-compat.patch
@@ -0,0 +1,31 @@
+Fix compatibility with Poppler 0.72.
+
+Patch taken from upstream:
+https://tug.org/svn/texlive/trunk/Build/source/texk/web2c/xetexdir/pdfimage.cpp?r1=44964&r2=48969&diff_format=u
+
+--- a/texk/web2c/xetexdir/pdfimage.cpp	2017/08/06 07:12:02	44964
++++ b/texk/web2c/xetexdir/pdfimage.cpp	2018/10/22 04:01:42	48969
+@@ -82,19 +82,19 @@
+ 	switch (pdf_box) {
+ 		default:
+ 		case pdfbox_crop:
+-			r = page->getCropBox();
++			r = (PDFRectangle *)page->getCropBox();
+ 			break;
+ 		case pdfbox_media:
+-			r = page->getMediaBox();
++			r = (PDFRectangle *)page->getMediaBox();
+ 			break;
+ 		case pdfbox_bleed:
+-			r = page->getBleedBox();
++			r = (PDFRectangle *)page->getBleedBox();
+ 			break;
+ 		case pdfbox_trim:
+-			r = page->getTrimBox();
++			r = (PDFRectangle *)page->getTrimBox();
+ 			break;
+ 		case pdfbox_art:
+-			r = page->getArtBox();
++			r = (PDFRectangle *)page->getArtBox();
+ 			break;
+ 	}
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index c34a0bc8ca..5a9bc2d64b 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -82,15 +82,14 @@
 (define-public poppler
   (package
    (name "poppler")
-   (replacement poppler/fixed)
-   (version "0.68.0")
+   (version "0.72.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0n0f7mv24lzv9p3dlzakpdhqg7ygcvl6l40grcz95xldzgq083gr"))))
+              "0lfs1b1jfamxl13zbl5n448dqvl9n8frbv8180y7b7kfyaw7wx61"))))
    (build-system cmake-build-system)
    ;; FIXME:
    ;;  use libcurl:        no
@@ -132,14 +131,6 @@
    (license license:gpl2+)
    (home-page "https://poppler.freedesktop.org/")))
 
-(define poppler/fixed
-  (package
-    (inherit poppler)
-    (source (origin
-              (inherit (package-source poppler))
-              (patches (append (origin-patches (package-source poppler))
-                               (search-patches "poppler-CVE-2018-19149.patch")))))))
-
 (define-public poppler-data
   (package
     (name "poppler-data")
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 52832eeeb8..6a2eece734 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -55,7 +55,7 @@
 (define-public ruby
   (package
     (name "ruby")
-    (version "2.4.3")
+    (version "2.5.3")
     (source
      (origin
        (method url-fetch)
@@ -64,8 +64,7 @@
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0l9bv67dgsphk42lmiskhrnh47hbyj6rfg2rcjx22xivpx07srr3"))
-       (patches (search-patches "ruby-rubygems-276-for-ruby24.patch"))
+         "0vrhrw7kcz9mg0jkqnihkcxqy5k05v8k1j0y2735z8wfk8sx1j8w"))
        (modules '((guix build utils)))
        (snippet `(begin
                    ;; Remove bundled libffi
@@ -107,6 +106,26 @@ a focus on simplicity and productivity.")
     (home-page "https://www.ruby-lang.org")
     (license license:ruby)))
 
+(define-public ruby-2.4
+  (package
+    (inherit ruby)
+    (version "2.4.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0l9bv67dgsphk42lmiskhrnh47hbyj6rfg2rcjx22xivpx07srr3"))
+       (patches (search-patches "ruby-rubygems-276-for-ruby24.patch"))
+       (modules '((guix build utils)))
+       (snippet `(begin
+                   ;; Remove bundled libffi
+                   (delete-file-recursively "ext/fiddle/libffi-3.2.1")
+                   #t))))))
+
 (define-public ruby-2.3
   (package
     (inherit ruby)
diff --git a/gnu/packages/scribus.scm b/gnu/packages/scribus.scm
index 615d7e23a2..20795da275 100644
--- a/gnu/packages/scribus.scm
+++ b/gnu/packages/scribus.scm
@@ -56,7 +56,59 @@
        (sha256
         (base32
          "00ys0p6h3iq77kh72dkl0qrf7qvznq18qdrgiq10gfxja1995034"))
-       (patches (search-patches "scribus-poppler.patch"))))
+       (patches (append
+                 ;; Scribus relies heavily on Poppler internals, which have
+                 ;; changed a lot since the latest Scribus release (2018-04).
+                 ;; Thus, we require a bunch of patches to stay compatible.
+                 (search-patches "scribus-poppler.patch")
+                 (list (origin
+                         (method url-fetch)
+                         (uri (string-append
+                               "https://github.com/scribusproject/scribus/commit/"
+                               "7d4ceeb5cac32287769e3c0238699e0b3e56c24d.patch"))
+                         (file-name "scribus-poppler-0.64.patch")
+                         (sha256
+                          (base32
+                           "1kr27bfzkpabrh42nsrrvlqyycdg9isbavpaa5spgmrhidcg02xj")))
+                       (origin
+                         (method url-fetch)
+                         (uri (string-append
+                               "https://github.com/scribusproject/scribus/commit/"
+                               "76561c1a55cd07c268f8f2b2fea888532933700b.patch"))
+                         (file-name "scribus-poppler-config.patch")
+                         (sha256
+                          (base32
+                           "01k18xjj82c3ndzp89dlpfhhdccc8z0acf8b04r592jyr5y9rc19")))
+                       (origin
+                         (method url-fetch)
+                         (uri (string-append
+                               "https://github.com/scribusproject/scribus/commit/"
+                               "8e05d26c19097ac2ad5b4ebbf40a3771ee6faf9c.patch"))
+                         (file-name "scribus-poppler-0.69.patch")
+                         (sha256
+                          (base32
+                           "1avdmsj5l543j0irq18nxgiw99n395jj56ih5dsal59fn0wbqk42")))
+                       (origin
+                         (method url-fetch)
+                         (uri (string-append "https://git.archlinux.org/svntogit/"
+                                             "community.git/plain/trunk/scribus-"
+                                             "poppler-0.70.patch?h=packages/scribus&id="
+                                             "8ef43ee2fceb0753ed5a76bb0a11c84775898ffc"))
+                         (file-name "scribus-poppler-0.70.patch")
+                         (sha256
+                          (base32
+                           "0dw7ix3jaj0y1q97cmmqwb2qgdx760yhxx86wa8rnx0xhfi5x6qr"))))))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           (for-each (lambda (file)
+                       (substitute* file
+                         ;; These are required for compatibility with Poppler 0.71.
+                         (("GBool") "bool") (("gTrue") "true") (("gFalse") "false")
+                         ;; ...and this for Poppler 0.72.
+                         (("getCString") "c_str")))
+                     (find-files "scribus/plugins/import/pdf"))
+           #t))))
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f                      ;no test target
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 94e6aa8438..8ab5a335c8 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -213,11 +213,7 @@ which allows users to view a desktop computing environment.")
           "--enable-automated-tests")
 
         ;; Several tests appear to be opening the same sockets concurrently.
-        #:parallel-tests? #f
-
-        #:phases (modify-phases %standard-phases
-                   (add-before 'check 'use-empty-ssl-cert-file
-                     (lambda _ (setenv "SSL_CERT_FILE" "/dev/null") #t)))))
+        #:parallel-tests? #f))
     (synopsis "Server implementation of the SPICE protocol")
     (description "SPICE is a remote display system built for virtual
 environments which allows you to view a computing 'desktop' environment
diff --git a/gnu/packages/storage.scm b/gnu/packages/storage.scm
index 4eae37815e..5051ccd986 100644
--- a/gnu/packages/storage.scm
+++ b/gnu/packages/storage.scm
@@ -321,7 +321,7 @@
        ("python2-testtools" ,python2-testtools)
        ("python2-tox" ,python2-tox)))
     (inputs
-     `(("boost" ,boost-cxx14)
+     `(("boost" ,boost)
        ("curl" ,curl)
        ("cryptsetup" ,cryptsetup)
        ("expat" ,expat)
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index 916aa54d58..d345e89430 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
@@ -102,15 +102,19 @@
       (patches
        (list
         ;; This is required for compatibility with Poppler 0.64.0 and to fix a
-        ;; segmentation fault in dvipdfm-x from XeTeX.
+        ;; segmentation fault in dvipdfm-x from XeTeX, and also contains a fix
+        ;; for CVE-2018-17407.
         (origin
           (method url-fetch)
           (uri (string-append "http://www.linuxfromscratch.org/patches/blfs/"
-                              "svn/texlive-" version "-source-upstream_fixes-1.patch"))
+                              "svn/texlive-" version "-source-upstream_fixes-2.patch"))
           (file-name "texlive-poppler-compat.patch")
           (sha256
            (base32
-            "0f8vhyj167y4xj0jx47vkybrcacfpxw0wdn1b777yq3xmhlahhlg")))))))
+            "04sxy1qv9y575mxwyg3y7rx7mh540pfjqx7yni7ncb5wjbq9pq1a")))
+        (search-patch "texlive-bin-luatex-poppler-compat.patch")
+        (search-patch "texlive-bin-pdftex-poppler-compat.patch")
+        (search-patch "texlive-bin-xetex-poppler-compat.patch")))))
    (build-system gnu-build-system)
    (inputs
     `(("texlive-extra-src" ,texlive-extra-src)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f9e21e1e3f..acd175fe09 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -162,7 +162,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.5.18")
+    (version "3.6.5")
     (source (origin
              (method url-fetch)
              (uri
@@ -171,12 +171,19 @@ living in the same process.")
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
-             (patches
-              (search-patches "gnutls-skip-trust-store-test.patch"
-                              "gnutls-skip-pkgconfig-test.patch"))
+             (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
-               "0d02x28fwkkx7xzn7807nww6idchizzq3plx8sfcyiw7wzclh8mf"))))
+               "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
+             (modules '((guix build utils)))
+             (snippet
+              '(begin
+                 ;; XXX: The generated configure script in GnuTLS 3.6.5
+                 ;; apparently does not know about Guile 2.2.
+                 (substitute* "configure"
+                   (("guile_versions_to_search=\"2\\.0 1\\.8\"")
+                    "guile_versions_to_search=\"2.2 2.0 1.8\""))
+                 #t))))
     (build-system gnu-build-system)
     (arguments
      `(; Ensure we don't keep a reference to this buggy software.
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 2672a01ea4..d039bfe048 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -624,7 +624,7 @@ libebml is a C++ library to read and write EBML files.")
 (define-public libva
   (package
     (name "libva")
-    (version "2.2.0")
+    (version "2.3.0")
     (source
      (origin
        (method url-fetch)
@@ -636,7 +636,7 @@ libebml is a C++ library to read and write EBML files.")
              (string-append "https://www.freedesktop.org/software/vaapi/releases/"
                             "libva/libva-" version "/libva-" version ".tar.bz2")))
        (sha256
-        (base32 "1wjfrs261fp9wkhgpmrlz5smnhxrmsk31way646x6i2mg16a0v3g"))))
+        (base32 "1r6wiw4k044cpb39rfqqdw6qmzw0268whpz124hywck9v980x130"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/vulkan.scm b/gnu/packages/vulkan.scm
index ff1088d2e1..3608196e5d 100644
--- a/gnu/packages/vulkan.scm
+++ b/gnu/packages/vulkan.scm
@@ -163,7 +163,7 @@ interpretation of the specifications for these languages.")
 (define-public vulkan-headers
   (package
     (name "vulkan-headers")
-    (version "1.1.85.0")
+    (version "1.1.92.0")
     (source
      (origin
        (method url-fetch)
@@ -172,7 +172,7 @@ interpretation of the specifications for these languages.")
              "archive/sdk-" version ".tar.gz"))
        (sha256
         (base32
-         "166hqqb97kjg6h9vp8yxb1cq02i1kqaxvl693482gf8v21fl7ink"))))
+         "06bgiz1dnp57597vd26r2smsadpcnr425n9gfdbp6xm4wba4l5l9"))))
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f)) ; No tests.
@@ -186,7 +186,8 @@ interpretation of the specifications for these languages.")
 (define-public vulkan-loader
   (package
     (name "vulkan-loader")
-    (version (package-version vulkan-headers))
+    ;; TODO: Inherit from vulkan-headers when version numbers match again
+    (version "1.1.92.1")
     (source
      (origin
        (method url-fetch)
@@ -195,7 +196,7 @@ interpretation of the specifications for these languages.")
              "archive/sdk-" version ".tar.gz"))
        (sha256
         (base32
-         "04d53ynlc0ww8r67hv4sxwg5sirjhpr1laaa9hc6j4niliw0166n"))))
+         "1kx07ypbwnmn6cxv9z0vbngq5l83f1sffzh7wmkzrl69y1cmazi0"))))
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f ;FIXME: 23/39 tests fail.  Try "tests/run_all_tests.sh".
@@ -251,7 +252,7 @@ and the ICD.")
              "archive/sdk-" version ".tar.gz"))
        (sha256
         (base32
-         "0r26px9rh09giddajlmafv21rx1la1y3bbnjgnpai8aw98wvq9mm"))))
+         "0yd9dgkyradlk9gx0ps65nans7b29jg5c67b4m34ghpmy933dwx6"))))
     (build-system cmake-build-system)
     (inputs
      `(("glslang" ,glslang)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index caf56e4119..0aa0b321ff 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -79,6 +79,7 @@
   #:use-module (gnu packages flex)
   #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages kerberos)
+  #:use-module (gnu packages gcc)
   #:use-module (gnu packages gd)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages glib)
@@ -509,16 +510,18 @@ libraries for working with JNLP applets.")
 (define-public jansson
   (package
     (name "jansson")
-    (version "2.11")
+    (version "2.12")
     (source (origin
              (method url-fetch)
              (uri
               (string-append "http://www.digip.org/jansson/releases/jansson-"
-                             version ".tar.gz"))
+                             version ".tar.bz2"))
              (sha256
               (base32
-               "1x5jllzzqamq6kahx9d9a5mrarm9m3f30vfxvcqpi6p4mcnz91bf"))))
+               "1lp1mv8pjp5yziws66cy0dhpcam4bbjqhffk13v4vgdybp674pb4"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--disable-static")))
     (home-page "http://www.digip.org/jansson/")
     (synopsis "JSON C library")
     (description
@@ -4240,15 +4243,6 @@ you'd expect.")
         (base32
          "163py4klka423x7li2b685gmg3a6hjf074mlff2ajhmi3l0lm8x6"))))
     (build-system glib-or-gtk-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (add-before 'check 'use-empty-ssl-cert-file
-           (lambda _
-             ;; Search for ca-certificates.crt files
-             ;; during the check phase.
-             (setenv "SSL_CERT_FILE" "/dev/null")
-             #t)))))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
        ;; For check phase.
@@ -6696,7 +6690,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
 (define-public nghttp2
   (package
     (name "nghttp2")
-    (version "1.32.0")
+    (version "1.35.1")
     (source
      (origin
        (method url-fetch)
@@ -6705,12 +6699,13 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "0zbgp8f80h2zlfn8cd2ldrmgl81jzcdh1141n71aqmfckzaqj2kh"))))
+         "0fi6qg2w82636wixwkqy7bclpgxslmvg82r431hs8h6aqc4mnzwv"))))
     (build-system gnu-build-system)
     (outputs (list "out"
                    "lib"))              ; only libnghttp2
     (native-inputs
      `(("pkg-config" ,pkg-config)
+       ("gcc" ,gcc-7)                   ; 1.35.0 requires GCC6 or later
 
        ;; Required by tests.
        ("cunit" ,cunit)
@@ -6742,6 +6737,9 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
                (("@prefix@")
                 (assoc-ref outputs "lib")))
              #t))
+         (add-before 'configure 'work-around-bug-30756
+           (lambda _
+             (for-each unsetenv '("C_INCLUDE_PATH" "CPLUS_INCLUDE_PATH")) #t))
          (add-before 'check 'set-timezone-directory
            (lambda* (#:key inputs #:allow-other-keys)
              (setenv "TZDIR" (string-append (assoc-ref inputs "tzdata")
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 82ed065a3f..de4cac9e94 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -292,7 +292,7 @@ following the mouse.")
 (define-public pixman
   (package
     (name "pixman")
-    (version "0.34.0")
+    (version "0.36.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -300,7 +300,7 @@ following the mouse.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "13m842m9ffac3m9r0b4lvwjhwzg3w4353djkjpf00s0wnm4v5di1"))
+                "1blzrx50ssdv0pn56hcv2v0zw0vrjwj1sx22pkgjls1p9n6rr88w"))
               (patches (search-patches "pixman-CVE-2016-5296.patch"))))
     (build-system gnu-build-system)
     (inputs
@@ -318,7 +318,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.93")
+    (version "2.4.96")
     (source
       (origin
         (method url-fetch)
@@ -328,7 +328,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
          (base32
-          "0g6d9wsnb7lx8r1m4kq8js0wsc5jl20cz1csnlh6z9s8jpfd313f"))
+          "14xkip83qgljjaahzq40qgl60j54q7k00la1hbf5kk5lgg7ilmhd"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index aff78a0566..7113f1f2a1 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Christopher Baines <mail@cbaines.net>
 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
+;;; Copyright © 2018 Julien Lepiller <julien@lepiller.eu>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,7 +27,10 @@
   #:use-module (gnu system shadow)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages databases)
+  #:use-module (guix build-system trivial)
+  #:use-module (guix build union)
   #:use-module (guix modules)
+  #:use-module (guix packages)
   #:use-module (guix records)
   #:use-module (guix gexp)
   #:use-module (srfi srfi-1)
@@ -141,16 +145,18 @@ host	all	all	::1/128 	trust"))
 (define-record-type* <postgresql-configuration>
   postgresql-configuration make-postgresql-configuration
   postgresql-configuration?
-  (postgresql     postgresql-configuration-postgresql ;<package>
-                  (default postgresql))
-  (port           postgresql-configuration-port
-                  (default 5432))
-  (locale         postgresql-configuration-locale
-                  (default "en_US.utf8"))
-  (config-file    postgresql-configuration-file
-                  (default (postgresql-config-file)))
-  (data-directory postgresql-configuration-data-directory
-                  (default "/var/lib/postgresql/data")))
+  (postgresql         postgresql-configuration-postgresql ;<package>
+                      (default postgresql))
+  (port               postgresql-configuration-port
+                      (default 5432))
+  (locale             postgresql-configuration-locale
+                      (default "en_US.utf8"))
+  (config-file        postgresql-configuration-file
+                      (default (postgresql-config-file)))
+  (data-directory     postgresql-configuration-data-directory
+                      (default "/var/lib/postgresql/data"))
+  (extension-packages postgresql-configuration-extension-packages
+                      (default '())))
 
 (define %postgresql-accounts
   (list (user-group (name "postgres") (system? #t))
@@ -162,15 +168,36 @@ host	all	all	::1/128 	trust"))
          (home-directory "/var/empty")
          (shell (file-append shadow "/sbin/nologin")))))
 
+(define (final-postgresql postgresql extension-packages)
+  (if (null? extension-packages)
+    postgresql
+    (package
+      (inherit postgresql)
+      (source #f)
+      (build-system trivial-build-system)
+      (arguments
+       `(#:modules ((guix build utils) (guix build union))
+         #:builder
+         (begin
+           (use-modules (guix build utils) (guix build union) (srfi srfi-26))
+           (union-build (assoc-ref %outputs "out") (map (lambda (input) (cdr input)) %build-inputs))
+           #t)))
+      (inputs
+       `(("postgresql" ,postgresql)
+         ,@(map (lambda (extension) (list "extension" extension))
+                extension-packages))))))
+
 (define postgresql-activation
   (match-lambda
-    (($ <postgresql-configuration> postgresql port locale config-file data-directory)
+    (($ <postgresql-configuration> postgresql port locale config-file data-directory
+        extension-packages)
      #~(begin
          (use-modules (guix build utils)
                       (ice-9 match))
 
          (let ((user (getpwnam "postgres"))
-               (initdb (string-append #$postgresql "/bin/initdb"))
+               (initdb (string-append #$(final-postgresql postgresql extension-packages)
+                                      "/bin/initdb"))
                (initdb-args
                 (append
                  (if #$locale
@@ -202,7 +229,8 @@ host	all	all	::1/128 	trust"))
 
 (define postgresql-shepherd-service
   (match-lambda
-    (($ <postgresql-configuration> postgresql port locale config-file data-directory)
+    (($ <postgresql-configuration> postgresql port locale config-file data-directory
+        extension-packages)
      (let* ((pg_ctl-wrapper
              ;; Wrapper script that switches to the 'postgres' user before
              ;; launching daemon.
@@ -214,7 +242,8 @@ host	all	all	::1/128 	trust"))
                   (match (command-line)
                     ((_ mode)
                      (let ((user (getpwnam "postgres"))
-                           (pg_ctl #$(file-append postgresql "/bin/pg_ctl"))
+                           (pg_ctl #$(file-append (final-postgresql postgresql extension-packages)
+                                                  "/bin/pg_ctl"))
                            (options (format #f "--config-file=~a -p ~d"
                                             #$config-file #$port)))
                        (setgid (passwd:gid user))
@@ -253,7 +282,8 @@ host	all	all	::1/128 	trust"))
                              (port 5432)
                              (locale "en_US.utf8")
                              (config-file (postgresql-config-file))
-                             (data-directory "/var/lib/postgresql/data"))
+                             (data-directory "/var/lib/postgresql/data")
+                             (extension-packages '()))
   "Return a service that runs @var{postgresql}, the PostgreSQL database server.
 
 The PostgreSQL daemon loads its runtime configuration from @var{config-file}
@@ -264,7 +294,8 @@ and stores the database cluster in @var{data-directory}."
             (port port)
             (locale locale)
             (config-file config-file)
-            (data-directory data-directory))))
+            (data-directory data-directory)
+            (extension-packages extension-packages))))
 
 
 ;;;