summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk9
-rw-r--r--gnu/packages/admin.scm7
-rw-r--r--gnu/packages/bioinformatics.scm8
-rw-r--r--gnu/packages/commencement.scm3
-rw-r--r--gnu/packages/cross-base.scm67
-rw-r--r--gnu/packages/databases.scm53
-rw-r--r--gnu/packages/games.scm4
-rw-r--r--gnu/packages/gcc.scm15
-rw-r--r--gnu/packages/gnupg.scm42
-rw-r--r--gnu/packages/java.scm190
-rw-r--r--gnu/packages/linux.scm26
-rw-r--r--gnu/packages/maths.scm39
-rw-r--r--gnu/packages/messaging.scm25
-rw-r--r--gnu/packages/music.scm73
-rw-r--r--gnu/packages/ocaml.scm3
-rw-r--r--gnu/packages/patches/4store-fix-buildsystem.patch56
-rw-r--r--gnu/packages/patches/gcc-cross-environment-variables.patch51
-rw-r--r--gnu/packages/patches/ocaml-CVE-2015-8869.patch72
-rw-r--r--gnu/packages/patches/portmidi-modular-build.patch325
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch82
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch51
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch82
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch62
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch50
-rw-r--r--gnu/packages/tls.scm20
-rw-r--r--gnu/packages/version-control.scm56
-rw-r--r--guix/build/syscalls.scm16
-rw-r--r--tests/syscalls.scm2
28 files changed, 1416 insertions, 73 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 6f93386687..aba73d49d9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -403,6 +403,7 @@ GNU_SYSTEM_MODULES =				\
 
 patchdir = $(guilemoduledir)/gnu/packages/patches
 dist_patch_DATA =						\
+  gnu/packages/patches/4store-fix-buildsystem.patch		\
   gnu/packages/patches/abiword-explictly-cast-bools.patch	\
   gnu/packages/patches/abiword-wmf-version-lookup-fix.patch	\
   gnu/packages/patches/acl-hurd-path-max.patch			\
@@ -640,6 +641,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/nvi-assume-preserve-path.patch		\
   gnu/packages/patches/nvi-dbpagesize-binpower.patch		\
   gnu/packages/patches/nvi-db4.patch				\
+  gnu/packages/patches/ocaml-CVE-2015-8869.patch		\
   gnu/packages/patches/ocaml-findlib-make-install.patch	\
   gnu/packages/patches/openexr-missing-samples.patch		\
   gnu/packages/patches/openimageio-boost-1.60.patch		\
@@ -678,7 +680,9 @@ dist_patch_DATA =						\
   gnu/packages/patches/plink-1.07-unclobber-i.patch		\
   gnu/packages/patches/plotutils-libpng-jmpbuf.patch		\
   gnu/packages/patches/polkit-drop-test.patch			\
+  gnu/packages/patches/poppler-CVE-2015-8868.patch		\
   gnu/packages/patches/portaudio-audacity-compat.patch		\
+  gnu/packages/patches/portmidi-modular-build.patch		\
   gnu/packages/patches/procmail-ambiguous-getline-debian.patch  \
   gnu/packages/patches/pt-scotch-build-parallelism.patch	\
   gnu/packages/patches/pulseaudio-fix-mult-test.patch		\
@@ -788,6 +792,11 @@ dist_patch_DATA =						\
   gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch	\
   gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch	\
   gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch	\
+  gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch	\
+  gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch	\
+  gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch	\
+  gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch	\
+  gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch	\
   gnu/packages/patches/xdotool-fix-makefile.patch               \
   gnu/packages/patches/xf86-video-ark-remove-mibstore.patch	\
   gnu/packages/patches/xf86-video-ast-remove-mibstore.patch	\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 11a2d1622b..d815dfb8b5 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -874,7 +874,12 @@ commands and their arguments.")
                (search-patches "wpa-supplicant-CVE-2015-5310.patch"
                                "wpa-supplicant-CVE-2015-5314.patch"
                                "wpa-supplicant-CVE-2015-5315.patch"
-                               "wpa-supplicant-CVE-2015-5316.patch"))))
+                               "wpa-supplicant-CVE-2015-5316.patch"
+                               "wpa-supplicant-CVE-2016-4476.patch"
+                               "wpa-supplicant-CVE-2016-4477-pt1.patch"
+                               "wpa-supplicant-CVE-2016-4477-pt2.patch"
+                               "wpa-supplicant-CVE-2016-4477-pt3.patch"
+                               "wpa-supplicant-CVE-2016-4477-pt4.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (alist-replace
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 079fd467cc..5c1ad57a80 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -1535,14 +1535,14 @@ data and settings.")
 (define-public edirect
   (package
     (name "edirect")
-    (version "3.50")
+    (version "4.10")
     (source (origin
               (method url-fetch)
-              ;; Note: older versions are not retained.
-              (uri "ftp://ftp.ncbi.nlm.nih.gov/entrez/entrezdirect/edirect.tar.gz")
+              (uri (string-append "ftp://ftp.ncbi.nlm.nih.gov/entrez/entrezdirect/"
+                                  "versions/2016-05-03/edirect.tar.gz"))
               (sha256
                (base32
-                "1cr3gzcs3flmgnnbj5iz93vh9w0fca1ilzi2q82cl63ln3mwvpz0"))))
+                "15zsprak5yh8c1yrz4r1knmb5s8qcmdid4xdhkh3lqcv64l60hli"))))
     (build-system perl-build-system)
     (arguments
      `(#:tests? #f ;no "check" target
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 6dfe5c9cb7..c52b6e8389 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -879,4 +879,7 @@ and binaries, plus debugging symbols in the 'debug' output), and Binutils.")
 (define-public gcc-toolchain-5
   (gcc-toolchain gcc-5))
 
+(define-public gcc-toolchain-6
+  (gcc-toolchain gcc-6))
+
 ;;; commencement.scm ends here
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index aa67d21c19..73ac76a48a 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -166,34 +167,38 @@ may be either a libc package or #f.)"
               `(alist-cons-before
                 'configure 'set-cross-path
                 (lambda* (#:key inputs #:allow-other-keys)
-                  ;; Add the cross Linux headers to CROSS_CPATH, and remove them
-                  ;; from CPATH.
+                  ;; Add the cross Linux headers to CROSS_C_*_INCLUDE_PATH,
+                  ;; and remove them from C_*INCLUDE_PATH.
                   (let ((libc  (assoc-ref inputs "libc"))
                         (linux (assoc-ref inputs "xlinux-headers")))
                     (define (cross? x)
                       ;; Return #t if X is a cross-libc or cross Linux.
                       (or (string-prefix? libc x)
                           (string-prefix? linux x)))
-
-                    (setenv "CROSS_CPATH"
-                            (string-append libc "/include:"
-                                           linux "/include"))
+                    (let ((cpath (string-append
+                                  libc "/include"
+                                  ":" linux "/include")))
+                      (for-each (cut setenv <> cpath)
+                                '("CROSS_C_INCLUDE_PATH"
+                                  "CROSS_CPLUS_INCLUDE_PATH"
+                                  "CROSS_OBJC_INCLUDE_PATH"
+                                  "CROSS_OBJCPLUS_INCLUDE_PATH")))
                     (setenv "CROSS_LIBRARY_PATH"
                             (string-append libc "/lib"))
-
-                    (let ((cpath   (search-path-as-string->list
-                                    (getenv "C_INCLUDE_PATH")))
-                          (libpath (search-path-as-string->list
-                                    (getenv "LIBRARY_PATH"))))
-                      (setenv "CPATH"
-                              (list->search-path-as-string
-                               (remove cross? cpath) ":"))
-                      (for-each unsetenv
-                                '("C_INCLUDE_PATH" "CPLUS_INCLUDE_PATH"))
-                      (setenv "LIBRARY_PATH"
-                              (list->search-path-as-string
-                               (remove cross? libpath) ":"))
-                      #t)))
+                    (for-each
+                     (lambda (var)
+                       (and=> (getenv var)
+                              (lambda (value)
+                                (let* ((path (search-path-as-string->list value))
+                                       (native-path (list->search-path-as-string
+                                                     (remove cross? path) ":")))
+                                  (setenv var native-path)))))
+                              '("C_INCLUDE_PATH"
+                                "CPLUS_INCLUDE_PATH"
+                                "OBJC_INCLUDE_PATH"
+                                "OBJCPLUS_INCLUDE_PATH"
+                                "LIBRARY_PATH"))
+                    #t))
                 ,phases)
               phases)))))))
 
@@ -259,9 +264,19 @@ GCC that does not target a libc; otherwise, target that libc."
     (inputs '())
 
     ;; Only search target inputs, not host inputs.
+    ;; Note: See <http://bugs.gnu.org/22186> for why not 'CPATH'.
     (search-paths
      (list (search-path-specification
-            (variable "CROSS_CPATH")
+            (variable "CROSS_C_INCLUDE_PATH")
+            (files '("include")))
+           (search-path-specification
+            (variable "CROSS_CPLUS_INCLUDE_PATH")
+            (files '("include")))
+           (search-path-specification
+            (variable "CROSS_OBJC_INCLUDE_PATH")
+            (files '("include")))
+           (search-path-specification
+            (variable "CROSS_OBJCPLUS_INCLUDE_PATH")
             (files '("include")))
            (search-path-specification
             (variable "CROSS_LIBRARY_PATH")
@@ -316,9 +331,13 @@ XBINUTILS and the cross tool chain."
         `(alist-cons-before
           'configure 'set-cross-linux-headers-path
           (lambda* (#:key inputs #:allow-other-keys)
-            (let ((linux (assoc-ref inputs "linux-headers")))
-              (setenv "CROSS_CPATH"
-                      (string-append linux "/include"))
+            (let* ((linux (assoc-ref inputs "linux-headers"))
+                   (cpath (string-append linux "/include")))
+              (for-each (cut setenv <> cpath)
+                        '("CROSS_C_INCLUDE_PATH"
+                          "CROSS_CPLUS_INCLUDE_PATH"
+                          "CROSS_OBJC_INCLUDE_PATH"
+                          "CROSS_OBJCPLUS_INCLUDE_PATH"))
               #t))
           ,phases))))
 
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 9aee7b796a..63ca754688 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Nils Gillmann <niasterisk@grrlz.net>
+;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,8 +28,12 @@
 
 (define-module (gnu packages databases)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
+  #:use-module (gnu packages avahi)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages boost)
+  #:use-module (gnu packages gettext)
+  #:use-module (gnu packages glib)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages language)
   #:use-module (gnu packages linux)
@@ -40,9 +45,12 @@
   #:use-module (gnu packages check)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages curl)
+  #:use-module (gnu packages cyrus-sasl)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages python)
   #:use-module (gnu packages pcre)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages rdf)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages jemalloc)
@@ -58,6 +66,51 @@
   #:use-module (srfi srfi-26)
   #:use-module (ice-9 match))
 
+(define-public 4store
+  (package
+    (name "4store")
+    (version "1.1.6")
+    (source (origin
+      (method url-fetch)
+      (uri (string-append "https://github.com/garlik/4store/archive/v"
+                          version ".tar.gz"))
+      (file-name (string-append name "-" version ".tar.gz"))
+      (sha256
+       (base32 "004fmcf1w75zhc1x3zc6kc97j4jqn2v5nhk6yb3z3cpfrhzi9j50"))
+      (patches (list (search-patch "4store-fix-buildsystem.patch")))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("perl" ,perl)
+       ("python" ,python-2)
+       ("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("gettext" ,gnu-gettext)
+       ("libtool" ,libtool)
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("glib" ,glib)
+       ("rasqal" ,rasqal)
+       ("libxml2" ,libxml2)
+       ("raptor2" ,raptor2)
+       ("readline" ,readline)
+       ("avahi" ,avahi)
+       ("pcre" ,pcre)
+       ("cyrus-sasl" ,cyrus-sasl)
+       ("openssl" ,openssl)
+       ("util-linux" ,util-linux)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'generate-configure
+           (lambda _
+             (zero? (system* "./autogen.sh")))))))
+    ;; http://www.4store.org has been down for a while now.
+    (home-page "https://github.com/garlik/4store")
+    (synopsis "Clustered RDF storage and query engine")
+    (description "4store is a RDF/SPARQL store written in C, supporting
+either single machines or networked clusters.")
+      (license gpl3+)))
+
 (define-public gdbm
   (package
     (name "gdbm")
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 34998cea28..55bffe9539 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -2097,7 +2097,7 @@ the chat server psyced with the specific config located at
 http://lavachat.symlynx.com/unix/")
     (license license:gpl2+)))
 
-(define-public redeclipse
+(define-public red-eclipse
   (let ((data-sources
          '(("acerspyro"   "0gxxr6nbac918b49x1cp72nw951hqm5m4iyi2shb1612ly384w8q")
            ("actors"      "1jq9q82m6nx07nwpb5cnpdcwa33jrcgg0j2yir8zk6zpnxdmp0il")
@@ -2133,7 +2133,7 @@ http://lavachat.symlynx.com/unix/")
            ("weapons"     "1ghn6nfcnd5lyl8dnj22csldvf9hrb32wjzpab4sjjz3iyv0zmr3")
            ("wicked"      "0q9badvg6ix5rhl05s83kw2v6a49jpnbkqk4ls89qahaddfagi8g"))))
     (package
-      (name "redeclipse")
+      (name "red-eclipse")
       (version "1.5.3")
       (source (origin
                 (method url-fetch)
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index a2b8126872..c390a6659b 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
@@ -354,6 +354,19 @@ Go.  It also includes runtime support libraries for these languages.")
                 "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"))
               (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
 
+(define-public gcc-6
+  (package
+    (inherit gcc-5)
+    (version "6.1.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/gcc/gcc-"
+                                  version "/gcc-" version ".tar.bz2"))
+              (sha256
+               (base32
+                "0ld3y4rgimyqgx1nwvzqyl5gr4wzc0ch4akkvsqp3fgbmdfcii09"))
+              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
+
 ;; Note: When changing the default gcc version, update
 ;;       the gcc-toolchain-* definitions accordingly.
 (define-public gcc gcc-4.9)
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index d447007260..b7c661257c 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -31,6 +31,7 @@
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pth)
   #:use-module (gnu packages python)
+  #:use-module (gnu packages qt)
   #:use-module (gnu packages readline)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
@@ -568,9 +569,9 @@ including tools for signing keys, keyring analysis, and party preparation.
    (license license:gpl2)
    (home-page "http://pgp-tools.alioth.debian.org/")))
 
-(define-public pinentry
+(define-public pinentry-tty
   (package
-    (name "pinentry")
+    (name "pinentry-tty")
     (version "0.9.7")
     (source (origin
               (method url-fetch)
@@ -580,21 +581,48 @@ including tools for signing keys, keyring analysis, and party preparation.
                (base32
                 "1cp7wjqr6nx31mdclr61s2h84ijqjl0ph99kgj4vyawpjj1j1633"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--enable-pinentry-tty")))
     (inputs
      `(("ncurses" ,ncurses)
        ("libassuan" ,libassuan)
-       ("libsecret" ,libsecret "out")
-       ("gtk+" ,gtk+-2)
-       ("glib" ,glib)))
+       ("libsecret" ,libsecret "out")))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (home-page "https://gnupg.org/aegypten2/")
     (synopsis "GnuPG's interface to passphrase input")
     (description
-     "Pinentry provides a console and a GTK+ GUI that allows users to
-enter a passphrase when `gpg' or `gpg2' is run and needs it.")
+     "Pinentry provides a console that allows users to enter a passphrase when
+@code{gpg} or @code{gpg2} is run and needs it.")
     (license license:gpl2+)))
 
+(define-public pinentry-gtk2
+  (package
+    (inherit pinentry-tty)
+    (name "pinentry-gtk2")
+    (inputs
+     `(("gtk+" ,gtk+-2)
+       ("glib" ,glib)
+       ,@(package-inputs pinentry-tty)))
+    (description
+     "Pinentry provides a console and a GTK+ GUI that allows users to enter a
+passphrase when @code{gpg} or @code{gpg2} is run and needs it.")))
+
+(define-public pinentry-qt
+  (package
+    (inherit pinentry-tty)
+    (name "pinentry-qt")
+    (inputs
+     `(("qt" ,qt)
+       ,@(package-inputs pinentry-tty)))
+  (description
+   "Pinentry provides a console and a Qt GUI that allows users to enter a
+passphrase when @code{gpg} or @code{gpg2} is run and needs it.")))
+
+(define-public pinentry
+  (package (inherit pinentry-gtk2)
+    (name "pinentry")))
+
 (define-public paperkey
   (package
     (name "paperkey")
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index c94f2e4b28..fbee1a3fb3 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -859,3 +859,193 @@ build process and its dependencies, whereas Make uses Makefile format.")
 compression in pure Java.  Single-threaded streamed compression and
 decompression and random access decompression have been fully implemented.")
    (license license:public-domain)))
+
+;; java-hamcrest-core uses qdox version 1.12.  We package this version instead
+;; of the latest release.
+(define-public java-qdox-1.12
+  (package
+    (name "java-qdox")
+    (version "1.12.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://central.maven.org/maven2/"
+                                  "com/thoughtworks/qdox/qdox/" version
+                                  "/qdox-" version "-sources.jar"))
+              (sha256
+               (base32
+                "0hlfbqq2avf5s26wxkksqmkdyk6zp9ggqn37c468m96mjv0n9xfl"))))
+    (build-system ant-build-system)
+    (arguments
+     `(;; Tests require junit
+       #:tests? #f
+       #:jar-name "qdox.jar"
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'unpack
+           (lambda* (#:key source #:allow-other-keys)
+             (mkdir "src")
+             (with-directory-excursion "src"
+               (zero? (system* "jar" "-xf" source)))))
+         ;; At this point we don't have junit, so we must remove the API
+         ;; tests.
+         (add-after 'unpack 'delete-tests
+           (lambda _
+             (delete-file-recursively "src/com/thoughtworks/qdox/junit")
+             #t)))))
+    (home-page "http://qdox.codehaus.org/")
+    (synopsis "Parse definitions from Java source files")
+    (description
+     "QDox is a high speed, small footprint parser for extracting
+class/interface/method definitions from source files complete with JavaDoc
+@code{@tags}.  It is designed to be used by active code generators or
+documentation tools.")
+    (license license:asl2.0)))
+
+(define-public java-jarjar
+  (package
+    (name "java-jarjar")
+    (version "1.4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://storage.googleapis.com/google-code-archive-downloads/v2/"
+                    "code.google.com/jarjar/jarjar-src-" version ".zip"))
+              (sha256
+               (base32
+                "1v8irhni9cndcw1l1wxqgry013s2kpj0qqn57lj2ji28xjq8ndjl"))))
+    (build-system ant-build-system)
+    (arguments
+     `(;; Tests require junit, which ultimately depends on this package.
+       #:tests? #f
+       #:build-target "jar"
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((target (string-append (assoc-ref outputs "out")
+                                          "/share/java")))
+               (install-file (string-append "dist/jarjar-" ,version ".jar")
+                             target))
+             #t)))))
+    (native-inputs
+     `(("unzip" ,unzip)))
+    (home-page "https://code.google.com/archive/p/jarjar/")
+    (synopsis "Repackage Java libraries")
+    (description
+     "Jar Jar Links is a utility that makes it easy to repackage Java
+libraries and embed them into your own distribution.  Jar Jar Links includes
+an Ant task that extends the built-in @code{jar} task.")
+    (license license:asl2.0)))
+
+(define-public java-hamcrest-core
+  (package
+    (name "java-hamcrest-core")
+    (version "1.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://hamcrest.googlecode.com/files/"
+                                  "hamcrest-" version ".tgz"))
+              (sha256
+               (base32
+                "1hi0jv0zrgsf4l25aizxrgvxpsrmdklsmvw0jzwz7zv9s108whn6"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Delete bundled jar archives.
+                  (for-each delete-file (find-files "." "\\.jar$"))
+                  #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f ; Tests require junit
+       #:make-flags (list (string-append "-Dversion=" ,version))
+       #:build-target "core"
+       #:phases
+       (modify-phases %standard-phases
+         ;; Disable unit tests, because they require junit, which requires
+         ;; hamcrest-core.  We also give a fixed value to the "Built-Date"
+         ;; attribute from the manifest for reproducibility.
+         (add-before 'configure 'patch-build.xml
+           (lambda _
+             (substitute* "build.xml"
+               (("unit-test, ") "")
+               (("\\$\\{build.timestamp\\}") "guix"))
+             #t))
+         ;; Java's "getMethods()" returns methods in an unpredictable order.
+         ;; To make the output of the generated code deterministic we must
+         ;; sort the array of methods.
+         (add-after 'unpack 'make-method-order-deterministic
+           (lambda _
+             (substitute* "hamcrest-generator/src/main/java/org/hamcrest/generator/ReflectiveFactoryReader.java"
+               (("import java\\.util\\.Iterator;" line)
+                (string-append line "\n"
+                               "import java.util.Arrays; import java.util.Comparator;"))
+               (("allMethods = cls\\.getMethods\\(\\);" line)
+                (string-append "_" line
+                               "
+private Method[] getSortedMethods() {
+  Arrays.sort(_allMethods, new Comparator<Method>() {
+    @Override
+    public int compare(Method a, Method b) {
+      return a.toString().compareTo(b.toString());
+    }
+  });
+  return _allMethods;
+}
+
+private Method[] allMethods = getSortedMethods();")))))
+         (add-before 'build 'do-not-use-bundled-qdox
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "build.xml"
+               (("lib/generator/qdox-1.12.jar")
+                (string-append (assoc-ref inputs "java-qdox-1.12")
+                               "/share/java/qdox.jar")))
+             #t))
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (install-file (string-append "build/hamcrest-core-"
+                                          ,version ".jar")
+                           (string-append (assoc-ref outputs "out")
+                                          "/share/java")))))))
+    (native-inputs
+     `(("java-qdox-1.12" ,java-qdox-1.12)
+       ("java-jarjar" ,java-jarjar)))
+    (home-page "http://hamcrest.org/")
+    (synopsis "Library of matchers for building test expressions")
+    (description
+     "This package provides a library of matcher objects (also known as
+constraints or predicates) allowing @code{match} rules to be defined
+declaratively, to be used in other frameworks.  Typical scenarios include
+testing frameworks, mocking libraries and UI validation rules.")
+    (license license:bsd-2)))
+
+(define-public java-junit
+  (package
+    (name "java-junit")
+    (version "4.12")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/junit-team/junit/"
+                                  "archive/r" version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "090dn5v1vs0b3acyaqc0gjf6p8lmd2h24wfzsbq7sly6b214anws"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Delete bundled jar archives.
+                  (delete-file-recursively "lib")
+                  #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f ; no tests
+       #:jar-name "junit.jar"))
+    (inputs
+     `(("java-hamcrest-core" ,java-hamcrest-core)))
+    (home-page "http://junit.org/")
+    (synopsis "Test framework for Java")
+    (description
+     "JUnit is a simple framework to write repeatable tests for Java projects.
+JUnit provides assertions for testing expected results, test fixtures for
+sharing common test data, and test runners for running tests.")
+    (license license:epl1.0)))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index a26e641342..aa778beefb 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1203,11 +1203,31 @@ devices.  It replaces 'iwconfig', which is deprecated.")
         (base32
          "0nlwazxbnn0k6q5f5b09wdhw0f194lpzkp3l7vxansqhfczmcyx8"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         ;; TODO: Patch some hardcoded "wlan0" in calibrate/calibrate.cpp to
+         ;; allow calibrating the network interface in GuixSD.
+         (add-after 'unpack 'patch-absolute-file-names
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((kmod (assoc-ref inputs "kmod")))
+               (substitute* (find-files "src" "\\.cpp$")
+                 ;; Give the right 'modprobe' file name so that essential
+                 ;; modules such as msr.ko can be loaded.
+                 (("/sbin/modprobe") (string-append kmod "/bin/modprobe"))
+                 ;; These programs are only needed to calibrate, so using
+                 ;; relative file names avoids adding extra inputs.  When they
+                 ;; are missing powertop gracefully handles it.
+                 (("/usr/bin/hcitool") "hcitool")
+                 (("/usr/bin/xset") "xset")
+                 (("/usr/sbin/hciconfig") "hciconfig"))
+               #t))))))
     (inputs
-     `(("zlib" ,zlib)
-       ("pciutils" ,pciutils)
+     `(("kmod" ,kmod)
+       ("libnl" ,libnl)
        ("ncurses" ,ncurses)
-       ("libnl" ,libnl)))
+       ("pciutils" ,pciutils)
+       ("zlib" ,zlib)))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (home-page "https://01.org/powertop/")
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index d37897da20..9ba7138f88 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -59,6 +59,7 @@
   #:use-module (gnu packages less)
   #:use-module (gnu packages lisp)
   #:use-module (gnu packages gnome)
+  #:use-module (gnu packages guile)
   #:use-module (gnu packages xorg)
   #:use-module (gnu packages gl)
   #:use-module (gnu packages m4)
@@ -430,6 +431,44 @@ extremely large and complex data collections.")
     (license (license:x11-style
               "http://www.hdfgroup.org/ftp/HDF5/current/src/unpacked/COPYING"))))
 
+(define-public nlopt
+  (package
+    (name "nlopt")
+    (version "2.4.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://ab-initio.mit.edu/nlopt/nlopt-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32 "12cfkkhcdf4zmb6h7y6qvvdvqjs2xf9sjpa3rl3bq76px4yn76c0"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(;; Shared libraries are not built by default.  They are required to
+       ;; build the Guile, Octave, and Python bindings.
+       #:configure-flags '("--enable-shared")
+
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'set-libnlopt-file-name
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Make sure the Scheme module refers to the library by its
+             ;; absolute file name (we cannot do that from a snippet
+             ;; because the expansion of @libdir@ contains
+             ;; ${exec_prefix}.)
+             (let ((out (assoc-ref outputs "out")))
+               (substitute* "swig/nlopt.scm.in"
+                 (("libnlopt")
+                  (string-append out "/lib/libnlopt")))
+               #t))))))
+    (inputs `(("guile" ,guile-2.0)))
+    (native-inputs `(("pkg-config" ,pkg-config)))
+    (home-page "http://ab-initio.mit.edu/wiki/")
+    (synopsis "Library for nonlinear optimization")
+    (description "NLopt is a library for nonlinear optimization, providing a
+common interface for a number of different free optimization routines available
+online as well as original implementations of various other algorithms.")
+    (license license:lgpl2.1+)))
+
 
 ;; For a fully featured Octave, users  are strongly recommended also to install
 ;; the following packages: texinfo, less, ghostscript, gnuplot.
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index fbe84f58b2..a79efc3366 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -91,16 +91,37 @@ keys, no previous conversation is compromised.")
     (home-page "https://otr.cypherpunks.ca/")
     (license (list lgpl2.1 gpl2))))
 
+;; These patches together fix https://github.com/bitlbee/bitlbee/pull/55, are
+;; already upstream, and should be unnecessary when the next bitlbee comes
+;; out.
+(define %bitlbee-buddy-nick-change-patch
+  (origin
+    (method url-fetch)
+    (uri "https://github.com/bitlbee/bitlbee/commit/a42fda42.patch")
+    (sha256
+     (base32
+      "1mzjhcdn0rxir5mzgqz9kv142ai38p1iq2lajqx89wb7x0bp51zx"))))
+(define %bitlbee-always-use-nicks-patch
+  (origin
+    (method url-fetch)
+    (uri "https://github.com/bitlbee/bitlbee/commit/3320d6d9.patch")
+    (sha256
+     (base32
+      "14d9kb5zdzh5hzakdvrbviz83rix0j2lq9rzb58b2fn92fp8yixd"))))
+
 (define-public bitlbee
   (package
     (name "bitlbee")
-    (version "3.4.1")
+    (version "3.4.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://get.bitlbee.org/src/bitlbee-"
                                   version ".tar.gz"))
               (sha256
-               (base32 "1qf0ypa9ba5jvsnpg9slmaran16hcc5fnfzbb1sdch1hjhchn2jh"))))
+               (base32 "0mza8lnfwibmklz8hdzg4f7p83hblf4h6fbf7d732kzpvra5bj39"))
+              (patches
+               (list %bitlbee-buddy-nick-change-patch
+                     %bitlbee-always-use-nicks-patch))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("check" ,check)))
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 346fefccdb..935e6e444c 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -825,6 +825,13 @@ mixing, FFT scopes, MIDI automation and full scriptability in Scheme.")
                             (string-prefix? "i686" system)))
                (substitute* "bristol/Makefile.in"
                  (("-msse -mfpmath=sse") "")))
+             #t))
+         ;; We know that Bristol has been linked with JACK and we don't have
+         ;; ldd, so we can just skip this check.
+         (add-after 'unpack 'do-not-grep-for-jack
+           (lambda _
+             (substitute* "bin/startBristol.in"
+               (("ldd `which bristol` | grep jack") "echo guix"))
              #t)))))
     (inputs
      `(("alsa-lib" ,alsa-lib)
@@ -952,6 +959,70 @@ programming methods as well as for realizing complex systems for large-scale
 projects.")
     (license license:bsd-3)))
 
+(define-public portmidi
+  (package
+    (name "portmidi")
+    (version "217")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://sourceforge/portmedia/portmidi/"
+                                  version "/portmidi-src-" version ".zip"))
+              (sha256
+               (base32
+                "03rfsk7z6rdahq2ihy5k13qjzgx757f75yqka88v3gc0pn9ais88"))
+              (patches (list (search-patch "portmidi-modular-build.patch")))))
+    (build-system cmake-build-system)
+    (arguments
+     `(#:tests? #f ; tests cannot be linked
+       #:configure-flags
+       (list "-DPORTMIDI_ENABLE_JAVA=Off"
+             "-DCMAKE_BUILD_TYPE=Release"    ; needed to have PMALSA set
+             "-DPORTMIDI_ENABLE_TEST=Off"))) ; tests fail linking
+    (inputs
+     `(("alsa-lib" ,alsa-lib)))
+    (native-inputs
+     `(("unzip" ,unzip)))
+    (home-page "http://portmedia.sourceforge.net/portmidi/")
+    (synopsis "Library for MIDI I/O")
+    (description
+     "PortMidi is a library supporting real-time input and output of MIDI data
+using a system-independent interface.")
+    (license license:expat)))
+
+(define-public python-pyportmidi
+  (package
+    (name "python-pyportmidi")
+    (version (package-version portmidi))
+    (source (package-source portmidi))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f ; no tests included
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'enter-dir
+           (lambda _ (chdir "pm_python") #t))
+         (add-after 'enter-dir 'fix-setup.py
+           (lambda _
+             (substitute* "setup.py"
+               ;; Use Python 3 syntax
+               (("print (\".*\")" _ text)
+                (string-append "print(" text ")\n"))
+               ;; TODO.txt and CHANGES.txt don't exist
+               (("CHANGES =.*") "CHANGES = \"\"\n")
+               (("TODO =.*") "TODO = \"\"\n"))
+             #t)))))
+    (inputs
+     `(("portmidi" ,portmidi)
+       ("alsa-lib" ,alsa-lib)
+       ("python-cython" ,python-cython)))
+    (native-inputs
+     `(("unzip" ,unzip)))
+    (home-page "http://portmedia.sourceforge.net/portmidi/")
+    (synopsis "Python bindings to PortMidi")
+    (description
+     "This package provides Python bindings to the PortMidi library.")
+    (license license:expat)))
+
 (define-public frescobaldi
   (package
     (name "frescobaldi")
@@ -967,8 +1038,10 @@ projects.")
     (build-system python-build-system)
     (inputs
      `(("lilypond" ,lilypond)
+       ("portmidi" ,portmidi)
        ("python-pyqt-4" ,python-pyqt-4)
        ("python-ly" ,python-ly)
+       ("python-pyportmidi" ,python-pyportmidi)
        ("poppler" ,poppler)
        ("python-poppler-qt4" ,python-poppler-qt4)
        ("python-sip" ,python-sip)))
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index 5d489532f7..434fb132bb 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -60,7 +60,8 @@
                     "/ocaml-" version ".tar.xz"))
               (sha256
                (base32
-                "1qwwvy8nzd87hk8rd9sm667nppakiapnx4ypdwcrlnav2dz6kil3"))))
+                "1qwwvy8nzd87hk8rd9sm667nppakiapnx4ypdwcrlnav2dz6kil3"))
+              (patches (search-patches "ocaml-CVE-2015-8869.patch"))))
     (build-system gnu-build-system)
     (native-search-paths
      (list (search-path-specification
diff --git a/gnu/packages/patches/4store-fix-buildsystem.patch b/gnu/packages/patches/4store-fix-buildsystem.patch
new file mode 100644
index 0000000000..383baa9461
--- /dev/null
+++ b/gnu/packages/patches/4store-fix-buildsystem.patch
@@ -0,0 +1,56 @@
+This patch sets a fixed version to avoid needing Git and the .git/ folder.
+It also removes the creation of "/var/lib/4store", which is not available
+during the install phase in GNU Guix.
+
+Patch by Roel Janssen <roel@gnu.org>
+*** a/configure.ac	Wed Feb  4 19:05:24 2015
+--- b/configure.ac	Wed Mar 23 11:20:38 2016
+***************
+*** 2,13 ****
+  # Process this file with autoconf to produce a configure script.
+
+  AC_PREREQ([2.50])
+! AC_INIT([4store], m4_esyscmd([./version.sh .version]), [http://4store.org/support/], [4store])
+  AC_CONFIG_SRCDIR([src/backend/backend-intl.h])
+! AM_INIT_AUTOMAKE([1.7 std-options -Wall])
+  AC_CONFIG_HEADERS(4store-config.h)
+
+  # Checks for programs.
+  AC_PROG_LIBTOOL
+  AC_PROG_AWK
+  AC_PROG_CC
+--- 2,14 ----
+  # Process this file with autoconf to produce a configure script.
+
+  AC_PREREQ([2.50])
+! AC_INIT([4store], [1.1.6], [http://4store.org/support/], [4store])
+  AC_CONFIG_SRCDIR([src/backend/backend-intl.h])
+! AM_INIT_AUTOMAKE([1.7 std-options foreign -Wall])
+  AC_CONFIG_HEADERS(4store-config.h)
+
+  # Checks for programs.
++ AM_PROG_AR
+  AC_PROG_LIBTOOL
+  AC_PROG_AWK
+  AC_PROG_CC
+
+*** a/src/utilities/Makefile.am	Wed Feb  4 19:05:24 2015
+--- b/src/utilities/Makefile.am	Wed Mar 23 14:05:56 2016
+***************
+*** 13,20 ****
+  noinst_PROGRAMS = lex-file-verify 4s-rid
+
+  install-data-local: 
+! 	mkdir -p $(DESTDIR)@FS_STORE_ROOT@
+! 	chmod 1777 $(DESTDIR)@FS_STORE_ROOT@
+
+  4s_backend_destroy_SOURCES = backend-destroy.c
+  4s_backend_destroy_LDADD = ../common/lib4sintl.a
+--- 13,19 ----
+  noinst_PROGRAMS = lex-file-verify 4s-rid
+
+  install-data-local: 
+! 	echo "Please create the following directory: " $(DESTDIR)@FS_STORE_ROOT@
+
+  4s_backend_destroy_SOURCES = backend-destroy.c
+  4s_backend_destroy_LDADD = ../common/lib4sintl.a
diff --git a/gnu/packages/patches/gcc-cross-environment-variables.patch b/gnu/packages/patches/gcc-cross-environment-variables.patch
index 0bd0be5984..ec4378e2d2 100644
--- a/gnu/packages/patches/gcc-cross-environment-variables.patch
+++ b/gnu/packages/patches/gcc-cross-environment-variables.patch
@@ -1,9 +1,23 @@
 Search path environment variables for cross-compilers.  See the discussion
 at <http://gcc.gnu.org/ml/gcc/2013-02/msg00124.html>.
 
---- gcc-4.7.2/gcc/incpath.c	2012-01-27 00:34:58.000000000 +0100
-+++ gcc-4.7.2/gcc/incpath.c	2013-02-12 10:11:27.000000000 +0100
-@@ -452,7 +452,7 @@ register_include_chains (cpp_reader *pfi
+Note: Touch 'C_INCLUDE_PATH' et al. rather than 'CPATH', as discussed
+at <http://bugs.gnu.org/22186>.
+
+--- a/gcc/incpath.c
++++ b/gcc/incpath.c
+@@ -461,8 +461,8 @@ register_include_chains (cpp_reader *pfile, const char *sysroot,
+ 			 int stdinc, int cxx_stdinc, int verbose)
+ {
+   static const char *const lang_env_vars[] =
+-    { "C_INCLUDE_PATH", "CPLUS_INCLUDE_PATH",
+-      "OBJC_INCLUDE_PATH", "OBJCPLUS_INCLUDE_PATH" };
++    { "CROSS_C_INCLUDE_PATH", "CROSS_CPLUS_INCLUDE_PATH",
++      "CROSS_OBJC_INCLUDE_PATH", "CROSS_OBJCPLUS_INCLUDE_PATH" };
+   cpp_options *cpp_opts = cpp_get_options (pfile);
+   size_t idx = (cpp_opts->objc ? 2: 0);
+ 
+@@ -473,7 +473,7 @@ register_include_chains (cpp_reader *pfile, const char *sysroot,
  
    /* CPATH and language-dependent environment variables may add to the
       include chain.  */
@@ -12,20 +26,22 @@ at <http://gcc.gnu.org/ml/gcc/2013-02/msg00124.html>.
    add_env_var_paths (lang_env_vars[idx], SYSTEM);
  
    target_c_incpath.extra_pre_includes (sysroot, iprefix, stdinc);
-
---- gcc-4.7.2/gcc/system.h	2012-02-17 00:16:28.000000000 +0100
-+++ gcc-4.7.2/gcc/system.h	2013-02-12 10:22:17.000000000 +0100
-@@ -1023,4 +1023,6 @@ helper_const_non_const_cast (const char
- #define DEBUG_VARIABLE
- #endif
+diff --git a/gcc/system.h b/gcc/system.h
+index 42bc509..af3b9ad 100644
+--- a/gcc/system.h
++++ b/gcc/system.h
+@@ -1063,4 +1063,6 @@ helper_const_non_const_cast (const char *p)
+ /* Get definitions of HOST_WIDE_INT and HOST_WIDEST_INT.  */
+ #include "hwint.h"
  
 +#define LIBRARY_PATH_ENV "CROSS_LIBRARY_PATH"
 +
  #endif /* ! GCC_SYSTEM_H */
-
---- gcc-4.7.2/gcc/tlink.c	2012-02-11 09:50:23.000000000 +0100
-+++ gcc-4.7.2/gcc/tlink.c	2013-05-23 22:06:19.000000000 +0200
-@@ -461,7 +461,7 @@ recompile_files (void)
+diff --git a/gcc/tlink.c b/gcc/tlink.c
+index bc358b8..ad6242f 100644
+--- a/gcc/tlink.c
++++ b/gcc/tlink.c
+@@ -458,7 +458,7 @@ recompile_files (void)
    file *f;
  
    putenv (xstrdup ("COMPILER_PATH="));
@@ -34,10 +50,11 @@ at <http://gcc.gnu.org/ml/gcc/2013-02/msg00124.html>.
  
    while ((f = file_pop ()) != NULL)
      {
-
---- gcc-4.7.3/gcc/gcc.c	2013-03-08 08:25:09.000000000 +0100
-+++ gcc-4.7.3/gcc/gcc.c	2013-05-24 08:58:16.000000000 +0200
-@@ -3726,7 +3726,7 @@ process_command (unsigned int decoded_op
+diff --git a/gcc/gcc.c b/gcc/gcc.c
+index adbf0c4..70448c6 100644
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -3853,7 +3853,7 @@ process_command (unsigned int decoded_options_count,
      }
  
    temp = getenv (LIBRARY_PATH_ENV);
diff --git a/gnu/packages/patches/ocaml-CVE-2015-8869.patch b/gnu/packages/patches/ocaml-CVE-2015-8869.patch
new file mode 100644
index 0000000000..0a4cb34d25
--- /dev/null
+++ b/gnu/packages/patches/ocaml-CVE-2015-8869.patch
@@ -0,0 +1,72 @@
+Adapted from upstream commit 659615c7b100a89eafe6253e7a5b9d84d0e8df74,
+this patch omits the upstream changes to 'Changes' and 'VERSION'.
+
+http://seclists.org/oss-sec/2016/q2/170
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
+https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74
+---
+ byterun/alloc.c  | 4 ++--
+ byterun/intern.c | 2 +-
+ byterun/str.c    | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/byterun/alloc.c b/byterun/alloc.c
+index 96a21bf..0db9947 100644
+--- a/byterun/alloc.c
++++ b/byterun/alloc.c
+@@ -153,7 +153,7 @@ CAMLexport int caml_convert_flag_list(value list, int *flags)
+ /* [size] is a [value] representing number of words (fields) */
+ CAMLprim value caml_alloc_dummy(value size)
+ {
+-  mlsize_t wosize = Int_val(size);
++  mlsize_t wosize = Long_val(size);
+ 
+   if (wosize == 0) return Atom(0);
+   return caml_alloc (wosize, 0);
+@@ -169,7 +169,7 @@ CAMLprim value caml_alloc_dummy_function(value size,value arity)
+ /* [size] is a [value] representing number of floats. */
+ CAMLprim value caml_alloc_dummy_float (value size)
+ {
+-  mlsize_t wosize = Int_val(size) * Double_wosize;
++  mlsize_t wosize = Long_val(size) * Double_wosize;
+ 
+   if (wosize == 0) return Atom(0);
+   return caml_alloc (wosize, 0);
+diff --git a/byterun/intern.c b/byterun/intern.c
+index 89d13d1..7b8d049 100644
+--- a/byterun/intern.c
++++ b/byterun/intern.c
+@@ -291,7 +291,7 @@ static void intern_rec(value *dest)
+   case OFreshOID:
+     /* Refresh the object ID */
+     /* but do not do it for predefined exception slots */
+-    if (Int_val(Field((value)dest, 1)) >= 0)
++    if (Long_val(Field((value)dest, 1)) >= 0)
+       caml_set_oo_id((value)dest);
+     /* Pop item and iterate */
+     sp--;
+diff --git a/byterun/str.c b/byterun/str.c
+index 5ad4e29..885772f 100644
+--- a/byterun/str.c
++++ b/byterun/str.c
+@@ -266,7 +266,7 @@ CAMLprim value caml_string_greaterequal(value s1, value s2)
+ CAMLprim value caml_blit_string(value s1, value ofs1, value s2, value ofs2,
+                                 value n)
+ {
+-  memmove(&Byte(s2, Long_val(ofs2)), &Byte(s1, Long_val(ofs1)), Int_val(n));
++  memmove(&Byte(s2, Long_val(ofs2)), &Byte(s1, Long_val(ofs1)), Long_val(n));
+   return Val_unit;
+ }
+ 
+@@ -278,7 +278,7 @@ CAMLprim value caml_fill_string(value s, value offset, value len, value init)
+ 
+ CAMLprim value caml_bitvect_test(value bv, value n)
+ {
+-  int pos = Int_val(n);
++  intnat pos = Long_val(n);
+   return Val_int(Byte_u(bv, pos >> 3) & (1 << (pos & 7)));
+ }
+ 
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/portmidi-modular-build.patch b/gnu/packages/patches/portmidi-modular-build.patch
new file mode 100644
index 0000000000..25e64ae317
--- /dev/null
+++ b/gnu/packages/patches/portmidi-modular-build.patch
@@ -0,0 +1,325 @@
+We took this patch from Gentoo to break apart the portmidi build, so that we
+can disable the Java parts and cleanly disable the tests which fail to link
+(possibly because they are linked before “-lportmidi” is available).  The
+patch was downloaded from here:
+
+https://gitweb.gentoo.org/repo/gentoo.git/plain/media-libs/portmidi/files/portmidi-217-cmake.patch?id=56bd759df1d0c750a065b8c845e93d5dfa6b549d
+
+--- portmidi/CMakeLists.txt
++++ portmidi/CMakeLists.txt
+@@ -9,12 +9,11 @@
+   set(CMAKE_BUILD_TYPE Release CACHE STRING 
+       "Semicolon-separate list of supported configuration types")
+   # set default directories but don't override cached values...
+-  set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_CACHEFILE_DIR}/${CMAKE_BUILD_TYPE}
++  set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+       CACHE STRING "libraries go here")
+-  set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_CACHEFILE_DIR}/${CMAKE_BUILD_TYPE}
++  set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+       CACHE STRING "libraries go here")
+-  set(CMAKE_RUNTIME_OUTPUT_DIRECTORY 
+-      ${CMAKE_CACHEFILE_DIR}/${CMAKE_BUILD_TYPE}
++  set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+       CACHE STRING "executables go here")
+ 
+ else(UNIX)
+@@ -68,10 +67,20 @@
+ include_directories(pm_common porttime)
+ add_subdirectory(pm_common)
+ 
+-add_subdirectory(pm_test)
++option(PORTMIDI_ENABLE_JAVA "Enable Java bindings support" ON)
++option(PORTMIDI_ENABLE_STATIC "Build and install static libraries" OFF)
++option(PORTMIDI_ENABLE_TEST "Build test programs" ON)
++
++if(PORTMIDI_ENABLE_TEST)
++  add_subdirectory(pm_test)
++endif(PORTMIDI_ENABLE_TEST)
+ 
+ add_subdirectory(pm_dylib)
+ 
+ # Cannot figure out how to make an xcode Java application with CMake
+-add_subdirectory(pm_java)
++if(PORTMIDI_ENABLE_JAVA)
++  set(JAR_INSTALL_DIR share/java
++      CACHE STRING "Define directory name for jar installation")
++  add_subdirectory(pm_java)
++endif(PORTMIDI_ENABLE_JAVA)
+ 
+--- portmidi/pm_common/CMakeLists.txt
++++ portmidi/pm_common/CMakeLists.txt
+@@ -44,9 +44,6 @@
+ 
+ # first include the appropriate system-dependent file:
+ if(UNIX)
+-  # add the -g switch for Linux and Mac OS X (not used in Win32)
+-  set (CMAKE_C_FLAGS_DEBUG "-g ${CMAKE_C_FLAGS_DEBUG}" 
+-       CACHE STRING "enable extra checks for debugging" FORCE)
+   if(APPLE)
+     set(MACSRC pmmacosxcm pmmac readbinaryplist finddefault)
+     prepend_path(LIBSRC ../pm_mac/ ${MACSRC})
+@@ -62,19 +59,23 @@
+                              ${COREMIDI_LIB} ${CORESERVICES_LIB}
+         CACHE INTERNAL "")
+ 
+-    set(JAVAVM_LIB "${FRAMEWORK_PATH}/JavaVM.framework")
+-    set(JAVA_INCLUDE_PATHS ${JAVAVM_LIB}/Headers)
++    if(PORTMIDI_ENABLE_JAVA)
++      set(JAVAVM_LIB "${FRAMEWORK_PATH}/JavaVM.framework")
++      set(JAVA_INCLUDE_PATHS ${JAVAVM_LIB}/Headers)
++    endif(PORTMIDI_ENABLE_JAVA)
+     message(STATUS "SYSROOT: " ${CMAKE_OSX_SYSROOT})
+   else(APPLE)
+     # LINUX settings...
+-    include(FindJNI)
+-    message(STATUS "JAVA_JVM_LIB_PATH is " ${JAVA_JVM_LIB_PATH})
+-    message(STATUS "JAVA_INCLUDE_PATH is " ${JAVA_INCLUDE_PATH})
+-    message(STATUS "JAVA_INCLUDE_PATH2 is " ${JAVA_INCLUDE_PATH2})
+-    message(STATUS "JAVA_JVM_LIBRARY is " ${JAVA_JVM_LIBRARY})
+-    set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
+-    # libjvm.so is found relative to JAVA_INCLUDE_PATH:
+-    set(JAVAVM_LIB ${JAVA_JVM_LIBRARY}/libjvm.so)
++    if(PORTMIDI_ENABLE_JAVA)
++      include(FindJNI)
++      message(STATUS "JAVA_JVM_LIB_PATH is " ${JAVA_JVM_LIB_PATH})
++      message(STATUS "JAVA_INCLUDE_PATH is " ${JAVA_INCLUDE_PATH})
++      message(STATUS "JAVA_INCLUDE_PATH2 is " ${JAVA_INCLUDE_PATH2})
++      message(STATUS "JAVA_JVM_LIBRARY is " ${JAVA_JVM_LIBRARY})
++      set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
++      # libjvm.so is found relative to JAVA_INCLUDE_PATH:
++      set(JAVAVM_LIB ${JAVA_JVM_LIBRARY}/libjvm.so)
++    endif(PORTMIDI_ENABLE_JAVA)
+ 
+     set(LINUXSRC pmlinuxalsa pmlinux finddefault)
+     prepend_path(LIBSRC ../pm_linux/ ${LINUXSRC})
+@@ -88,10 +89,12 @@
+     # /MD is multithread DLL, /MT is multithread. Change to static:
+     include(../pm_win/static.cmake)
+     
+-    include(FindJNI)
++    if(PORTMIDI_ENABLE_JAVA)
++      include(FindJNI)
+ 
+-    set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
+-    # message(STATUS "JAVA_INCLUDE_PATHS: " ${JAVA_INCLUDE_PATHS})
++      set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
++      # message(STATUS "JAVA_INCLUDE_PATHS: " ${JAVA_INCLUDE_PATHS})
++    endif(PORTMIDI_ENABLE_JAVA)
+ 
+     set(WINSRC pmwin pmwinmm)
+     prepend_path(LIBSRC ../pm_win/ ${WINSRC})
+@@ -99,29 +102,43 @@
+     set(PM_NEEDED_LIBS winmm.lib)
+   endif(WIN32)
+ endif(UNIX)
+-set(JNI_EXTRA_LIBS ${PM_NEEDED_LIBS} ${JAVA_JVM_LIBRARY})
++
++if(PORTMIDI_ENABLE_JAVA)
++  set(JNI_EXTRA_LIBS ${PM_NEEDED_LIBS} ${JAVA_JVM_LIBRARY})
++endif(PORTMIDI_ENABLE_JAVA)
+ 
+ # this completes the list of library sources by adding shared code
+ list(APPEND LIBSRC pmutil portmidi)
+ 
+ # now add the shared files to make the complete list of library sources
+-add_library(portmidi-static ${LIBSRC})
+-set_target_properties(portmidi-static PROPERTIES OUTPUT_NAME "portmidi_s")
+-target_link_libraries(portmidi-static ${PM_NEEDED_LIBS})
+-
+-# define the jni library
+-include_directories(${JAVA_INCLUDE_PATHS})
+-
+-set(JNISRC ${LIBSRC} ../pm_java/pmjni/pmjni.c)
+-add_library(pmjni SHARED ${JNISRC})
+-target_link_libraries(pmjni ${JNI_EXTRA_LIBS})
+-set_target_properties(pmjni PROPERTIES EXECUTABLE_EXTENSION "jnilib")
++if(PORTMIDI_ENABLE_STATIC)
++  add_library(portmidi-static ${LIBSRC})
++  set_target_properties(portmidi-static PROPERTIES OUTPUT_NAME "portmidi")
++  target_link_libraries(portmidi-static ${PM_NEEDED_LIBS})
++endif(PORTMIDI_ENABLE_STATIC)
++
++if(PORTMIDI_ENABLE_JAVA)
++  # define the jni library
++  include_directories(${JAVA_INCLUDE_PATHS})
++
++  set(JNISRC ${LIBSRC} ../pm_java/pmjni/pmjni.c)
++  add_library(pmjni SHARED ${JNISRC})
++  target_link_libraries(pmjni ${JNI_EXTRA_LIBS})
++  set_target_properties(pmjni PROPERTIES EXECUTABLE_EXTENSION "jnilib")
++endif(PORTMIDI_ENABLE_JAVA)
+ 
+ # install the libraries (Linux and Mac OS X command line)
+ if(UNIX)
+-  INSTALL(TARGETS portmidi-static pmjni
+-    LIBRARY DESTINATION /usr/local/lib
+-    ARCHIVE DESTINATION /usr/local/lib)
++  if(PORTMIDI_ENABLE_STATIC)
++    INSTALL(TARGETS portmidi-static
++      LIBRARY DESTINATION lib${LIB_SUFFIX}
++      ARCHIVE DESTINATION lib${LIB_SUFFIX})
++  endif(PORTMIDI_ENABLE_STATIC)
++  if(PORTMIDI_ENABLE_JAVA)
++    INSTALL(TARGETS pmjni
++      LIBRARY DESTINATION lib${LIB_SUFFIX}
++      ARCHIVE DESTINATION lib${LIB_SUFFIX})
++  endif(PORTMIDI_ENABLE_JAVA)
+ # .h files installed by pm_dylib/CMakeLists.txt, so don't need them here
+ #  INSTALL(FILES portmidi.h ../porttime/porttime.h
+ #    DESTINATION /usr/local/include)
+--- portmidi/pm_dylib/CMakeLists.txt
++++ portmidi/pm_dylib/CMakeLists.txt
+@@ -39,9 +39,6 @@
+ 
+ # first include the appropriate system-dependent file:
+ if(UNIX)
+-  # add the -g switch for Linux and Mac OS X (not used in Win32)
+-  set (CMAKE_C_FLAGS_DEBUG "-g ${CMAKE_C_FLAGS_DEBUG}" 
+-       CACHE STRING "enable extra checks for debugging" FORCE)
+   if(APPLE)
+     set(MACSRC pmmacosxcm pmmac readbinaryplist finddefault)
+     prepend_path(LIBSRC ../pm_mac/ ${MACSRC})
+@@ -63,7 +60,8 @@
+     message(STATUS "SYSROOT: " ${CMAKE_OSX_SYSROOT})
+   else(APPLE)
+     # LINUX settings...
+-    include(FindJNI)
++    if(PORTMIDI_ENABLE_JAVA)
++      include(FindJNI)
+     # message(STATUS "JAVA_JVM_LIB_PATH is " ${JAVA_JVM_LIB_PATH})
+     # message(STATUS "JAVA_INCLUDE_PATH is " ${JAVA_INCLUDE_PATH})
+     # note: should use JAVA_JVM_LIB_PATH, but it is not set properly
+@@ -75,11 +73,8 @@
+     # JAVA_INCLUDE_PATH2; if no, then we need to make both JAVA_INCLUDE_PATH
+     # and JAVA_INCLUDE_PATH2 set by user (will need clear documentation
+     # because JAVA_INCLUDE_PATH2 is pretty obscure)
+-    set(JAVA_INCLUDE_PATH  ${JAVA_INCLUDE_PATH-UNKNOWN}
+-        CACHE STRING "where to find Java SDK include directory")
+-    set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH}/linux)
+-    # libjvm.so is found relative to JAVA_INCLUDE_PATH:
+-    set(JAVAVM_LIB ${JAVA_INCLUDE_PATH}/../jre/lib/i386/client/libjvm.so)
++      set(JAVAVM_LIB ${JAVA_JVM_LIBRARY})
++    endif(PORTMIDI_ENABLE_JAVA)
+ 
+     set(LINUXSRC pmlinuxalsa pmlinux finddefault)
+     prepend_path(LIBSRC ../pm_linux/ ${LINUXSRC})
+@@ -91,13 +86,15 @@
+   if(WIN32)
+     # /MDd is multithread debug DLL, /MTd is multithread debug
+     # /MD is multithread DLL, /MT is multithread 
+-    
+-    include(FindJNI)
+-    # note: should use JAVA_JVM_LIB_PATH, but it is not set properly
+-    set(JAVAVM_LIB ${JAVA_INCLUDE_PATH}/../lib/jvm.lib)
+ 
+-    set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
+-    # message(STATUS "JAVA_INCLUDE_PATHS: " ${JAVA_INCLUDE_PATHS})
++    if(PORTMIDI_ENABLE_JAVA)
++      include(FindJNI)
++      # note: should use JAVA_JVM_LIB_PATH, but it is not set properly
++      set(JAVAVM_LIB ${JAVA_INCLUDE_PATH}/../lib/jvm.lib)
++
++      set(JAVA_INCLUDE_PATHS ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
++      # message(STATUS "JAVA_INCLUDE_PATHS: " ${JAVA_INCLUDE_PATHS})
++    endif(PORTMIDI_ENABLE_JAVA)
+ 
+     set(WINSRC pmwin pmwinmm)
+     prepend_path(LIBSRC ../pm_win/ ${WINSRC})
+@@ -106,7 +103,10 @@
+     # message(STATUS "JAVAVM_LIB: " ${JAVAVM_LIB})
+   endif(WIN32)
+ endif(UNIX)
++
++if(PORTMIDI_ENABLE_JAVA)
+ set(JNI_EXTRA_LIBS ${PM_NEEDED_LIBS} ${JAVAVM_LIB})
++endif(PORTMIDI_ENABLE_JAVA)
+ 
+ # this completes the list of library sources by adding shared code
+ set(SHARED_FILES pmutil portmidi)
+@@ -120,8 +120,8 @@
+ # install the libraries (Linux and Mac OS X command line)
+ if(UNIX)
+   INSTALL(TARGETS portmidi-dynamic
+-    LIBRARY DESTINATION /usr/local/lib
+-    ARCHIVE DESTINATION /usr/local/lib)
++    LIBRARY DESTINATION lib${LIB_SUFFIX}
++    ARCHIVE DESTINATION lib${LIB_SUFFIX})
+   INSTALL(FILES ../pm_common/portmidi.h ../porttime/porttime.h
+-    DESTINATION /usr/local/include)
++    DESTINATION include)
+ endif(UNIX)
+--- portmidi/pm_java/CMakeLists.txt
++++ portmidi/pm_java/CMakeLists.txt
+@@ -5,43 +5,24 @@
+     # java not dealt with in CMake -- see pm_mac/pm_mac.xcodeproj
+   else(APPLE)
+     # linux
+-    set(JPORTMIDICLASS JPortMidi.class JPortMidiException.class
+-    		       JPortMidiApi.class)
+-    set(PMDEFAULTSCLASS PmDefaultsFrame.class PmDefaults.class)
+-    prepend_path(JPORTMIDICLASS2 jportmidi/ ${JPORTMIDICLASS})
+-    prepend_path(PMDEFAULTSCLASS2 pmdefaults/ ${PMDEFAULTSCLASS})
+-    set(PMDEFAULTS_ALL_CLASSES ${JPORTMIDICLASS2} ${PMDEFAULTSCLASS2})
+-    # message(STATUS "PMDEFAULTS_ALL_CLASSES is " ${PMDEFAULTS_ALL_CLASSES})
+-    add_custom_command(OUTPUT pmdefaults/PmDefaultsFrame.class
+-        COMMAND javac -classpath . pmdefaults/PmDefaultsFrame.java
+-	MAIN_DEPENDENCY pmdefaults/PmDefaultsFrame.java
+-	DEPENDS pmdefaults/PmDefaults.java
+-	WORKING_DIRECTORY pm_java)
+-    add_custom_command(OUTPUT pmdefaults/PmDefaults.class
+-        COMMAND javac -classpath . pmdefaults/PmDefaults.java
+-	MAIN_DEPENDENCY pmdefaults/PmDefaults.java
+-	DEPENDS pmdefaults/PmDefaultsFrame.java
+-	WORKING_DIRECTORY pm_java)
+-    add_custom_command(OUTPUT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/pmdefaults.jar
+-        COMMAND	cp pmdefaults/portmusic_logo.png .
+-        COMMAND	jar cmf pmdefaults/manifest.txt pmdefaults.jar
+-		pmdefaults/*.class portmusic_logo.png jportmidi/*.class
+-  	COMMAND chmod +x pmdefaults/pmdefaults
+-	COMMAND cp pmdefaults/pmdefaults ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}
+-	COMMAND mv pmdefaults.jar ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}
+-	COMMAND rm portmusic_logo.png
+-	MAIN_DEPENDENCY pmdefaults/PmDefaults.class
+-	DEPENDS ${PMDEFAULTS_ALL_CLASSES}
+-	WORKING_DIRECTORY pm_java)
+-    add_custom_target(pmdefaults_target ALL 
+-        DEPENDS ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/pmdefaults.jar)
+-    # message(STATUS "add_custom_target: pmdefaults.jar")
++	set(JAVA_CLASSES jportmidi pmdefaults)
++	add_custom_command(OUTPUT ${JAVA_CLASSES}
++		COMMAND javac -d ${CMAKE_CURRENT_BINARY_DIR} jportmidi/*.java pmdefaults/*.java
++		WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
++	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/pmdefaults.jar
++		DEPENDS ${JAVA_CLASSES}
++		COMMAND jar cmf pmdefaults/manifest.txt ${CMAKE_CURRENT_BINARY_DIR}/pmdefaults.jar
++		-C pmdefaults portmusic_logo.png -C ${CMAKE_CURRENT_BINARY_DIR} jportmidi
++		-C ${CMAKE_CURRENT_BINARY_DIR} pmdefaults
++		WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
++	add_custom_target(pmdefaults.jar ALL
++		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/pmdefaults.jar)
+ 
+     # install the libraries (Linux only)
+-    INSTALL(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/pmdefaults.jar
+-      DESTINATION /usr/share/java)
+-    INSTALL(PROGRAMS ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/pmdefaults
+-      DESTINATION /usr/local/bin)
++    INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/pmdefaults.jar
++      DESTINATION ${JAR_INSTALL_DIR})
++    INSTALL(PROGRAMS ${CMAKE_CURRENT_SOURCE_DIR}/pmdefaults/pmdefaults
++      DESTINATION bin)
+   endif(APPLE)
+ endif(UNIX)
+ # In windows, use pm_java/make.bat
+--- portmidi/pm_test/CMakeLists.txt
++++ portmidi/pm_test/CMakeLists.txt
+@@ -12,8 +12,8 @@
+ 
+ macro(make_a_test name)
+   add_executable(${name} ${name}.c)
+-  target_link_libraries(${name} portmidi-static ${PM_NEEDED_LIBS})
+-  add_dependencies(${name} portmidi-static)
++  target_link_libraries(${name} portmidi ${PM_NEEDED_LIBS})
++  add_dependencies(${name} portmidi)
+ endmacro(make_a_test)
+ 
+ make_a_test(test)
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch
new file mode 100644
index 0000000000..acad6be0a4
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch
@@ -0,0 +1,82 @@
+From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Fri, 4 Mar 2016 17:20:18 +0200
+Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
+
+WPA/WPA2-Personal passphrase is not allowed to include control
+characters. Reject a Credential received from a WPS Registrar both as
+STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
+WPA2PSK authentication type and includes an invalid passphrase.
+
+This fixes an issue where hostapd or wpa_supplicant could have updated
+the configuration file PSK/passphrase parameter with arbitrary data from
+an external device (Registrar) that may not be fully trusted. Should
+such data include a newline character, the resulting configuration file
+could become invalid and fail to be parsed.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ src/utils/common.c         | 12 ++++++++++++
+ src/utils/common.h         |  1 +
+ src/wps/wps_attr_process.c | 10 ++++++++++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/src/utils/common.c b/src/utils/common.c
+index 450e2c6..27b7c02 100644
+--- a/src/utils/common.c
++++ b/src/utils/common.c
+@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
+ }
+ 
+ 
++int has_ctrl_char(const u8 *data, size_t len)
++{
++	size_t i;
++
++	for (i = 0; i < len; i++) {
++		if (data[i] < 32 || data[i] == 127)
++			return 1;
++	}
++	return 0;
++}
++
++
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ 			 const u8 *src1, size_t src1_len,
+ 			 const u8 *src2, size_t src2_len)
+diff --git a/src/utils/common.h b/src/utils/common.h
+index 701dbb2..a972240 100644
+--- a/src/utils/common.h
++++ b/src/utils/common.h
+@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
+ 
+ char * wpa_config_parse_string(const char *value, size_t *len);
+ int is_hex(const u8 *data, size_t len);
++int has_ctrl_char(const u8 *data, size_t len);
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ 			 const u8 *src1, size_t src1_len,
+ 			 const u8 *src2, size_t src2_len);
+diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
+index eadb22f..e8c4579 100644
+--- a/src/wps/wps_attr_process.c
++++ b/src/wps/wps_attr_process.c
+@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
+ 		cred->key_len--;
+ #endif /* CONFIG_WPS_STRICT */
+ 	}
++
++
++	if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
++	    (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
++		wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
++		wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
++				      cred->key, cred->key_len);
++		return -1;
++	}
++
+ 	return 0;
+ }
+ 
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch
new file mode 100644
index 0000000000..507a96e47c
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch
@@ -0,0 +1,51 @@
+From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Fri, 4 Mar 2016 18:46:41 +0200
+Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase
+ character
+
+WPA/WPA2-Personal passphrase is not allowed to include control
+characters. Reject a passphrase configuration attempt if that passphrase
+includes an invalid passphrase.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file psk parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the passphrase value before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject up to 63 characters of
+almost arbitrary data into the configuration file. Such configuration
+file could result in wpa_supplicant trying to load a library (e.g.,
+opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
+load_dynamic_eap) from user controlled location when starting again.
+This would allow code from that library to be executed under the
+wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index b1c7870..fdd9643 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
+ 		}
+ 		wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
+ 				      (u8 *) value, len);
++		if (has_ctrl_char((u8 *) value, len)) {
++			wpa_printf(MSG_ERROR,
++				   "Line %d: Invalid passphrase character",
++				   line);
++			return -1;
++		}
+ 		if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
+ 		    os_memcmp(ssid->passphrase, value, len) == 0) {
+ 			/* No change to the previously configured value */
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch
new file mode 100644
index 0000000000..684d25de96
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch
@@ -0,0 +1,82 @@
+From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
+From: Paul Stewart <pstew@google.com>
+Date: Thu, 3 Mar 2016 15:40:19 -0800
+Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network
+ output
+
+Spurious newlines output while writing the config file can corrupt the
+wpa_supplicant configuration. Avoid writing these for the network block
+parameters. This is a generic filter that cover cases that may not have
+been explicitly addressed with a more specific commit to avoid control
+characters in the psk parameter.
+
+Signed-off-by: Paul Stewart <pstew@google.com>
+---
+ src/utils/common.c      | 11 +++++++++++
+ src/utils/common.h      |  1 +
+ wpa_supplicant/config.c | 15 +++++++++++++--
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/utils/common.c b/src/utils/common.c
+index 27b7c02..9856463 100644
+--- a/src/utils/common.c
++++ b/src/utils/common.c
+@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
+ }
+ 
+ 
++int has_newline(const char *str)
++{
++	while (*str) {
++		if (*str == '\n' || *str == '\r')
++			return 1;
++		str++;
++	}
++	return 0;
++}
++
++
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ 			 const u8 *src1, size_t src1_len,
+ 			 const u8 *src2, size_t src2_len)
+diff --git a/src/utils/common.h b/src/utils/common.h
+index a972240..d19927b 100644
+--- a/src/utils/common.h
++++ b/src/utils/common.h
+@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
+ char * wpa_config_parse_string(const char *value, size_t *len);
+ int is_hex(const u8 *data, size_t len);
+ int has_ctrl_char(const u8 *data, size_t len);
++int has_newline(const char *str);
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ 			 const u8 *src1, size_t src1_len,
+ 			 const u8 *src2, size_t src2_len);
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index fdd9643..eb97cd5 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
+ 
+ 	for (i = 0; i < NUM_SSID_FIELDS; i++) {
+ 		const struct parse_data *field = &ssid_fields[i];
+-		if (os_strcmp(var, field->name) == 0)
+-			return field->writer(field, ssid);
++		if (os_strcmp(var, field->name) == 0) {
++			char *ret = field->writer(field, ssid);
++
++			if (ret && has_newline(ret)) {
++				wpa_printf(MSG_ERROR,
++					   "Found newline in value for %s; not returning it",
++					   var);
++				os_free(ret);
++				ret = NULL;
++			}
++
++			return ret;
++		}
+ 	}
+ 
+ 	return NULL;
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch
new file mode 100644
index 0000000000..2dd38fee31
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch
@@ -0,0 +1,62 @@
+From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 5 Apr 2016 23:33:10 +0300
+Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
+ string values
+
+Most of the cred block parameters are written as strings without
+filtering and if there is an embedded newline character in the value,
+unexpected configuration file data might be written.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file cred parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the credential value before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject almost arbitrary data
+into the configuration file. Such configuration file could result in
+wpa_supplicant trying to load a library (e.g., opensc_engine_path,
+pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
+controlled location when starting again. This would allow code from that
+library to be executed under the wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index eb97cd5..69152ef 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
+ 
+ 	if (os_strcmp(var, "password") == 0 &&
+ 	    os_strncmp(value, "ext:", 4) == 0) {
++		if (has_newline(value))
++			return -1;
+ 		str_clear_free(cred->password);
+ 		cred->password = os_strdup(value);
+ 		cred->ext_password = 1;
+@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
+ 	}
+ 
+ 	val = wpa_config_parse_string(value, &len);
+-	if (val == NULL) {
++	if (val == NULL ||
++	    (os_strcmp(var, "excluded_ssid") != 0 &&
++	     os_strcmp(var, "roaming_consortium") != 0 &&
++	     os_strcmp(var, "required_roaming_consortium") != 0 &&
++	     has_newline(val))) {
+ 		wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
+ 			   "value '%s'.", line, var, value);
++		os_free(val);
+ 		return -1;
+ 	}
+ 
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch
new file mode 100644
index 0000000000..5f42aa9219
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch
@@ -0,0 +1,50 @@
+From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 5 Apr 2016 23:55:48 +0300
+Subject: [PATCH 5/5] Reject SET commands with newline characters in the
+ string values
+
+Many of the global configuration parameters are written as strings
+without filtering and if there is an embedded newline character in the
+value, unexpected configuration file data might be written.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file global parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the value of a parameter before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject almost arbitrary data
+into the configuration file. Such configuration file could result in
+wpa_supplicant trying to load a library (e.g., opensc_engine_path,
+pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
+controlled location when starting again. This would allow code from that
+library to be executed under the wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index 69152ef..d9a1603 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
+ 		return -1;
+ 	}
+ 
++	if (has_newline(pos)) {
++		wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
++			   line, data->name);
++		return -1;
++	}
++
+ 	tmp = os_strdup(pos);
+ 	if (tmp == NULL)
+ 		return -1;
+-- 
+1.9.1
+
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 0f4441d70c..6685ee0349 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -198,6 +198,7 @@ required structures.")
   (package
    (name "openssl")
    (version "1.0.2g")
+   (replacement openssl/fixed)
    (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -298,6 +299,25 @@ required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
+(define openssl/fixed
+  (package
+    (inherit openssl)
+    (source
+     (let ((name "openssl")
+           (version "1.0.2h"))
+       (origin
+         (method url-fetch)
+         (uri (list (string-append "ftp://ftp.openssl.org/source/"
+                                   name "-" version ".tar.gz")
+                    (string-append "ftp://ftp.openssl.org/source/old/"
+                                   (string-trim-right version char-set:letter)
+                                   "/" name "-" version ".tar.gz")))
+         (sha256
+          (base32
+           "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x"))
+         (patches (search-patches "openssl-runpath.patch"
+                                  "openssl-c-rehash-in.patch")))))))
+
 (define-public libressl
   (package
     (name "libressl")
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 94339012f5..fb85d933f9 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2013 Cyril Roelandt <tipecaml@gmail.com>
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
+;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
@@ -27,7 +27,7 @@
 
 (define-module (gnu packages version-control)
   #:use-module ((guix licenses)
-                #:select (asl2.0 bsd-2
+                #:select (asl2.0 bsd-2 bsd-3
                           gpl1+ gpl2 gpl2+ gpl3+ lgpl2.1
                           public-domain x11-style))
   #:use-module (guix utils)
@@ -1012,6 +1012,58 @@ as possible.  Resolution of contention for source files, a major headache for
 any project with more than one developer, is one of Aegis's major functions.")
     (license gpl3+)))
 
+(define-public reposurgeon
+  (package
+    (name "reposurgeon")
+    (version "3.37")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://www.catb.org/~esr/" name "/"
+                                  name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "14asjg4xy3mhh5z0r3k7c1wv9y803j2zfq32g5q5m95sf7yzygan"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:tests? #f                      ;no test suite distributed
+       #:make-flags
+       (list (string-append "target=" (assoc-ref %outputs "out")))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (add-before 'build 'fix-docbook
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* (find-files "." "\\.xml$")
+               (("docbook/docbookx.dtd")
+                (string-append (assoc-ref inputs "docbook-xml")
+                               "/xml/dtd/docbook/docbookx.dtd")))
+             #t))
+         (add-after 'install 'install-emacs-data
+           (lambda* (#:key outputs #:allow-other-keys)
+             (install-file "reposurgeon-mode.el"
+                           (string-append (assoc-ref outputs "out")
+                                          "/share/emacs/site-lisp")))))))
+    (inputs
+     `(("python" ,python-wrapper)))
+    (native-inputs
+     `(("asciidoc" ,asciidoc)
+       ("docbook-xml" ,docbook-xml-4.1.2)
+       ("docbook-xsl" ,docbook-xsl)
+       ("libxml2" ,libxml2)
+       ("xmlto" ,xmlto)))
+    (home-page "http://www.catb.org/~esr/reposurgeon/")
+    (synopsis "Edit version-control repository history")
+    (description "Reposurgeon enables risky operations that version-control
+systems don't want to let you do, such as editing past comments and metadata
+and removing commits.  It works with any version control system that can
+export and import Git fast-import streams, including Git, Mercurial, Fossil,
+Bazaar, CVS, RCS, and Src.  It can also read Subversion dump files directly
+and can thus be used to script production of very high-quality conversions
+from Subversion to any supported Distributed Version Control System (DVCS).")
+    ;; Most files are distributed under bsd-2, except 'repocutter' which is
+    ;; under bsd-3.
+    (license (list bsd-2 bsd-3))))
+
 (define-public tig
   (package
     (name "tig")
diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index 4e543d70d8..a9cd6e93c8 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -110,9 +110,7 @@
             termios-input-speed
             termios-output-speed
             local-flags
-            TCSANOW
-            TCSADRAIN
-            TCSAFLUSH
+            tcsetattr-action
             tcgetattr
             tcsetattr
 
@@ -1059,9 +1057,11 @@ given an integer, returns the list of names of the constants that are or'd."
  (define EXTPROC #o0200000))
 
 ;; "Actions" values for 'tcsetattr'.
-(define TCSANOW  0)
-(define TCSADRAIN 1)
-(define TCSAFLUSH 2)
+(define-bits tcsetattr-action
+  %unused-tcsetattr-action->symbols
+  (define TCSANOW  0)
+  (define TCSADRAIN 1)
+  (define TCSAFLUSH 2))
 
 (define-record-type <termios>
   (termios input-flags output-flags control-flags local-flags
@@ -1107,8 +1107,8 @@ given an integer, returns the list of names of the constants that are or'd."
 (define tcsetattr
   (let ((proc (syscall->procedure int "tcsetattr" (list int int '*))))
     (lambda (fd actions termios)
-      "Use TERMIOS for the tty at FD.  ACTIONS is one of 'TCSANOW',
-'TCSADRAIN', or 'TCSAFLUSH'; see tcsetattr(3) for details."
+      "Use TERMIOS for the tty at FD.  ACTIONS is one of of the values
+produced by 'tcsetattr-action'; see tcsetattr(3) for details."
       (define bv
         (make-bytevector sizeof-termios))
 
diff --git a/tests/syscalls.scm b/tests/syscalls.scm
index ab1e13984d..0b73fb4b0c 100644
--- a/tests/syscalls.scm
+++ b/tests/syscalls.scm
@@ -281,7 +281,7 @@
 
 (test-assert "tcsetattr"
   (let ((first (tcgetattr 0)))
-    (tcsetattr 0 TCSANOW first)
+    (tcsetattr 0 (tcsetattr-action TCSANOW) first)
     (equal? first (tcgetattr 0))))
 
 (test-assert "terminal-window-size ENOTTY"