Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/freetype-CVE-2018-6942.patch31
-rw-r--r--gnu/packages/patches/htop-fix-process-tree.patch99
-rw-r--r--gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch35
-rw-r--r--gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch414
-rw-r--r--gnu/packages/patches/ldc-1.7.0-disable-phobos-tests.patch88
-rw-r--r--gnu/packages/patches/ldc-bootstrap-disable-tests.patch (renamed from gnu/packages/patches/ldc-disable-tests.patch)18
-rw-r--r--gnu/packages/patches/optipng-CVE-2017-1000229.patch22
-rw-r--r--gnu/packages/patches/password-store-gnupg-compat.patch28
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15038.patch51
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15289.patch66
-rw-r--r--gnu/packages/patches/wavpack-CVE-2018-7253.patch29
-rw-r--r--gnu/packages/patches/wavpack-CVE-2018-7254.patch62
12 files changed, 345 insertions, 598 deletions
diff --git a/gnu/packages/patches/freetype-CVE-2018-6942.patch b/gnu/packages/patches/freetype-CVE-2018-6942.patch
new file mode 100644
index 0000000000..680f357765
--- /dev/null
+++ b/gnu/packages/patches/freetype-CVE-2018-6942.patch
@@ -0,0 +1,31 @@
+Fix CVE-2018-6942:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
+https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6942.html
+
+Copied from upstream (ChangeLog section removed):
+https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index d855aaa..551f14a 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7532,8 +7532,16 @@
+       return;
+     }
+ 
+-    for ( i = 0; i < num_axes; i++ )
+-      args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++    if ( coords )
++    {
++      for ( i = 0; i < num_axes; i++ )
++        args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++    }
++    else
++    {
++      for ( i = 0; i < num_axes; i++ )
++        args[i] = 0;
++    }
+   }
+ 
+ 
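Review bot: The patch header names the CVE and the upstream commit but not the defect or the freetype release it was cut against, so a later packager cannot tell from the file alone when it becomes redundant. The added lines show that the fix is a NULL guard on `coords` before the 16.16-to-2.14 conversion loop, with `args[]` zero-filled otherwise. A first line such as `Fix CVE-2018-6942 (NULL dereference of 'coords' in the TrueType interpreter); drop once the packaged freetype contains the upstream commit below.` would record that. The enclosing function starts outside the hunk.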
diff --git a/gnu/packages/patches/htop-fix-process-tree.patch b/gnu/packages/patches/htop-fix-process-tree.patch
new file mode 100644
index 0000000000..d8e5e2ccac
--- /dev/null
+++ b/gnu/packages/patches/htop-fix-process-tree.patch
@@ -0,0 +1,99 @@
+From 2971a187551e062ffefdab965f55377b36cd94eb Mon Sep 17 00:00:00 2001
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Wed, 21 Feb 2018 06:00:50 +0100
+Subject: [PATCH] Fix process tree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This manually reverts:
+
+  commit 584a9bceab948590dabd189d234a86e6bf4ec3f4
+  Author: wangqr <wangqr@wangqr.tk>
+  Date:   Fri Sep 1 21:27:24 2017 +0800
+
+  Find roots when constructing process tree, fix #587
+
+which breaks the process tree (‘t’) view in at least some cases.
+I will investigate further...
+---
+ ProcessList.c | 63 +++++++++++++++++------------------------------------------
+ 1 file changed, 18 insertions(+), 45 deletions(-)
+
+diff --git a/ProcessList.c b/ProcessList.c
+index 48b2d95..225253d 100644
+--- a/ProcessList.c
++++ b/ProcessList.c
+@@ -213,51 +213,24 @@ void ProcessList_sort(ProcessList* this) {
+       // Restore settings
+       this->settings->sortKey = sortKey;
+       this->settings->direction = direction;
+-      int vsize = Vector_size(this->processes);
+-      // Find all processes whose parent is not visible
+-      int size;
+-      while ((size = Vector_size(this->processes))) {
+-         int i;
+-         for (i = 0; i < size; i++) {
+-            Process* process = (Process*)(Vector_get(this->processes, i));
+-            // Immediately consume not shown processes
+-            if (!process->show) {
+-               process = (Process*)(Vector_take(this->processes, i));
+-               process->indent = 0;
+-               Vector_add(this->processes2, process);
+-               ProcessList_buildTree(this, process->pid, 0, 0, direction, false);
+-               break;
+-            }
+-            pid_t ppid = process->tgid == process->pid ? process->ppid : process->tgid;
+-            // Bisect the process vector to find parent
+-            int l = 0, r = size;
+-            // If PID corresponds with PPID (e.g. "kernel_task" (PID:0, PPID:0)
+-            // on Mac OS X 10.11.6) cancel bisecting and regard this process as
+-            // root.
+-            if (process->pid == ppid)
+-               r = 0;
+-            while (l < r) {
+-               int c = (l + r) / 2;
+-               pid_t pid = ((Process*)(Vector_get(this->processes, c)))->pid;
+-               if (ppid == pid) {
+-                  break;
+-               } else if (ppid < pid) {
+-                  r = c;
+-               } else {
+-                  l = c + 1;
+-               }
+-            }
+-            // If parent not found, then construct the tree with this root
+-            if (l >= r) {
+-               process = (Process*)(Vector_take(this->processes, i));
+-               process->indent = 0;
+-               Vector_add(this->processes2, process);
+-               ProcessList_buildTree(this, process->pid, 0, 0, direction, process->showChildren);
+-               break;
+-            }
+-         }
+-         // There should be no loop in the process tree
+-         assert(i < size);
++
++      // Take PID 1 as root and add to the new listing
++       int vsize = Vector_size(this->processes);
++      Process* init = (Process*) (Vector_take(this->processes, 0));
++      if (!init) return;
++      // This assertion crashes on hardened kernels.
++      // I wonder how well tree view works on those systems.
++      // assert(init->pid == 1);
++      init->indent = 0;
++      Vector_add(this->processes2, init);
++      // Recursively empty list
++      ProcessList_buildTree(this, init->pid, 0, 0, direction, true);
++      // Add leftovers
++      while (Vector_size(this->processes)) {
++         Process* p = (Process*) (Vector_take(this->processes, 0));
++         p->indent = 0;
++         Vector_add(this->processes2, p);
++         ProcessList_buildTree(this, p->pid, 0, 0, direction, p->showChildren);
+       }
+       assert(Vector_size(this->processes2) == vsize); (void)vsize;
+       assert(Vector_size(this->processes) == 0);
+-- 
+2.16.2
+
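Review bot: The empty-list guard `if (!init) return;` runs only after `Vector_take(this->processes, 0)` has already been called on index 0, so it relies on Vector_take returning NULL for an empty vector, which this hunk does not show. Since `vsize` is computed on the line before, testing it first is the safer order: `if (vsize == 0) return;` ahead of the take. The code also treats whichever entry sorts first as the tree root while the `pid == 1` assertion is left commented out. It would be clearer to delete the dead assert and state the assumption, e.g. `// Assumes the first entry is the tree root; PID 1 may be hidden from the caller (hardened kernels).`. ProcessList_sort begins and continues outside the hunk.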
diff --git a/gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch b/gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch
deleted file mode 100644
index 31eb44aefc..0000000000
--- a/gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-This patch deactivates some tests that fail when ldc is built with the command:
-
-./pre-inst-env guix environment guix --pure -- ./pre-inst-env guix build ldc@1.1.0-beta6
-
-When the --keep-failed flag is added to the build command above, and the tests
-run in the resulting /tmp/guix-build-ldc-1.1.0-beta6.drv-* directory, the tests
-pass.
-
-by Frederick M. Muriithi <fredmanglis@gmail.com>
-
-diff --git a/d_do_test.d b/d_do_test.d
-index aa67169..8173759 100755
---- a/d_do_test.d
-+++ b/d_do_test.d
-@@ -645,8 +645,6 @@ int main(string[] args)
-                     auto gdb_output = execute(fThisRun, command, true, result_path);
-                     if (testArgs.gdbMatch !is null)
-                     {
--                        enforce(match(gdb_output, regex(testArgs.gdbMatch)),
--                                "\nGDB regex: '"~testArgs.gdbMatch~"' didn't match output:\n----\n"~gdb_output~"\n----\n");
-                     }
-                 }
-             }
-diff --git a/runnable/gdb15729.sh b/runnable/gdb15729.sh
-index 1d390e0..906b2b6 100755
---- a/runnable/gdb15729.sh
-+++ b/runnable/gdb15729.sh
-@@ -21,7 +21,6 @@ if [ $OS == "linux" ]; then
-        echo RESULT=
-        p s.val
- EOF
--    gdb ${dir}${SEP}gdb15729 --batch -x ${dir}${SEP}gdb15729.gdb | grep 'RESULT=.*1234' || exit 1
- fi
- 
- rm -f ${libname} ${dir}${SEP}{gdb15729${OBJ},gdb15729${EXE},gdb15729.gdb}
diff --git a/gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch b/gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch
deleted file mode 100644
index 70dd419455..0000000000
--- a/gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch
+++ /dev/null
@@ -1,414 +0,0 @@
-This patch deactivates failing tests that depend on network connectivity
-to pass in curl.d and socket.d
-It deactivates tests in path.d that assume /root
-
-A thread was started on the ldc forum to pursue the possibility of a
-version flag to deactivate tests conditionally. The thread is at
-https://forum.dlang.org/post/zmdbdgnzrxyvtpqafvyg@forum.dlang.org
-
-by Frederick M. Muriithi <fredmanglis@gmail.com>
-
-diff --git a/std/datetime.d b/std/datetime.d
-index 4d4afb1..2c91a44 100644
---- a/std/datetime.d
-+++ b/std/datetime.d
-@@ -27306,8 +27306,8 @@ public:
-         // leaving it commented out until I can sort it out.
-         //assert(equal(tzNames, tzNames.uniq()));
- 
--        foreach(tzName; tzNames)
--            assertNotThrown!DateTimeException(testPZSuccess(tzName));
-+        //foreach(tzName; tzNames)
-+            //assertNotThrown!DateTimeException(testPZSuccess(tzName));
-     }
- 
- 
-@@ -29178,8 +29178,8 @@ public:
- 
-         auto tzNames = getInstalledTZNames();
- 
--        foreach(tzName; tzNames)
--            assertNotThrown!DateTimeException(testPTZSuccess(tzName));
-+        //foreach(tzName; tzNames)
-+            //assertNotThrown!DateTimeException(testPTZSuccess(tzName));
- 
-         // No timezone directories on Android, just a single tzdata file
-         version(Android) {} else
-diff --git a/std/net/curl.d b/std/net/curl.d
-index 9c6af66..5fccb38 100644
---- a/std/net/curl.d
-+++ b/std/net/curl.d
-@@ -419,7 +419,7 @@ void download(Conn = AutoProtocol)(const(char)[] url, string saveToPath, Conn co
- 
- unittest
- {
--    static import std.file;
-+    /*static import std.file;
-     foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-@@ -430,7 +430,7 @@ unittest
-         scope (exit) std.file.remove(fn);
-         download(host, fn);
-         assert(std.file.readText(fn) == "Hello world");
--    }
-+    }*/
- }
- 
- /** Upload file from local files system using the HTTP or FTP protocol.
-@@ -483,7 +483,7 @@ void upload(Conn = AutoProtocol)(string loadFromPath, const(char)[] url, Conn co
- 
- unittest
- {
--    static import std.file;
-+    /*static import std.file;
-     foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         auto fn = std.file.deleteme;
-@@ -496,7 +496,7 @@ unittest
-             s.send(httpOK());
-         });
-         upload(fn, host ~ "/path");
--    }
-+    }*/
- }
- 
- /** HTTP/FTP get content.
-@@ -551,7 +551,7 @@ T[] get(Conn = AutoProtocol, T = char)(const(char)[] url, Conn conn = Conn())
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             assert(s.recvReq.hdrs.canFind("GET /path"));
-@@ -559,7 +559,7 @@ unittest
-         });
-         auto res = get(host ~ "/path");
-         assert(res == "GETRESPONSE");
--    }
-+    }*/
- }
- 
- 
-@@ -598,7 +598,7 @@ if (is(T == char) || is(T == ubyte))
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-@@ -608,12 +608,12 @@ unittest
-         });
-         auto res = post(host ~ "/path", "POSTBODY");
-         assert(res == "POSTRESPONSE");
--    }
-+    }*/
- }
- 
- unittest
- {
--    auto data = new ubyte[](256);
-+    /*auto data = new ubyte[](256);
-     foreach (i, ref ub; data)
-         ub = cast(ubyte)i;
- 
-@@ -624,7 +624,7 @@ unittest
-         s.send(httpOK(cast(ubyte[])[17, 27, 35, 41]));
-     });
-     auto res = post!ubyte(testServer.addr, data);
--    assert(res == cast(ubyte[])[17, 27, 35, 41]);
-+    assert(res == cast(ubyte[])[17, 27, 35, 41]);*/
- }
- 
- 
-@@ -680,7 +680,7 @@ T[] put(Conn = AutoProtocol, T = char, PutUnit)(const(char)[] url, const(PutUnit
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-@@ -690,7 +690,7 @@ unittest
-         });
-         auto res = put(host ~ "/path", "PUTBODY");
-         assert(res == "PUTRESPONSE");
--    }
-+    }*/
- }
- 
- 
-@@ -742,7 +742,7 @@ void del(Conn = AutoProtocol)(const(char)[] url, Conn conn = Conn())
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-@@ -750,7 +750,7 @@ unittest
-             s.send(httpOK());
-         });
-         del(host ~ "/path");
--    }
-+    }*/
- }
- 
- 
-@@ -796,13 +796,13 @@ T[] options(T = char, OptionsUnit)(const(char)[] url,
- 
- unittest
- {
--    testServer.handle((s) {
-+    /*testServer.handle((s) {
-         auto req = s.recvReq;
-         assert(req.hdrs.canFind("OPTIONS /path"));
-         s.send(httpOK("OPTIONSRESPONSE"));
-     });
-     auto res = options(testServer.addr ~ "/path");
--    assert(res == "OPTIONSRESPONSE");
-+    assert(res == "OPTIONSRESPONSE");*/
- }
- 
- 
-@@ -836,13 +836,13 @@ T[] trace(T = char)(const(char)[] url, HTTP conn = HTTP())
- 
- unittest
- {
--    testServer.handle((s) {
-+    /*testServer.handle((s) {
-         auto req = s.recvReq;
-         assert(req.hdrs.canFind("TRACE /path"));
-         s.send(httpOK("TRACERESPONSE"));
-     });
-     auto res = trace(testServer.addr ~ "/path");
--    assert(res == "TRACERESPONSE");
-+    assert(res == "TRACERESPONSE");*/
- }
- 
- 
-@@ -875,13 +875,13 @@ T[] connect(T = char)(const(char)[] url, HTTP conn = HTTP())
- 
- unittest
- {
--    testServer.handle((s) {
-+    /*testServer.handle((s) {
-         auto req = s.recvReq;
-         assert(req.hdrs.canFind("CONNECT /path"));
-         s.send(httpOK("CONNECTRESPONSE"));
-     });
-     auto res = connect(testServer.addr ~ "/path");
--    assert(res == "CONNECTRESPONSE");
-+    assert(res == "CONNECTRESPONSE");*/
- }
- 
- 
-@@ -919,14 +919,14 @@ T[] patch(T = char, PatchUnit)(const(char)[] url, const(PatchUnit)[] patchData,
- 
- unittest
- {
--    testServer.handle((s) {
-+    /*testServer.handle((s) {
-         auto req = s.recvReq;
-         assert(req.hdrs.canFind("PATCH /path"));
-         assert(req.bdy.canFind("PATCHBODY"));
-         s.send(httpOK("PATCHRESPONSE"));
-     });
-     auto res = patch(testServer.addr ~ "/path", "PATCHBODY");
--    assert(res == "PATCHRESPONSE");
-+    assert(res == "PATCHRESPONSE");*/
- }
- 
- 
-@@ -1031,19 +1031,19 @@ private auto _basicHTTP(T)(const(char)[] url, const(void)[] sendData, HTTP clien
- 
- unittest
- {
--    testServer.handle((s) {
-+    /*testServer.handle((s) {
-         auto req = s.recvReq;
-         assert(req.hdrs.canFind("GET /path"));
-         s.send(httpNotFound());
-     });
-     auto e = collectException!CurlException(get(testServer.addr ~ "/path"));
--    assert(e.msg == "HTTP request returned status code 404 (Not Found)");
-+    assert(e.msg == "HTTP request returned status code 404 (Not Found)");*/
- }
- 
- // Bugzilla 14760 - content length must be reset after post
- unittest
- {
--    testServer.handle((s) {
-+    /*testServer.handle((s) {
-         auto req = s.recvReq;
-         assert(req.hdrs.canFind("POST /"));
-         assert(req.bdy.canFind("POSTBODY"));
-@@ -1061,7 +1061,7 @@ unittest
-     auto res = post(testServer.addr, "POSTBODY", http);
-     assert(res == "POSTRESPONSE");
-     res = trace(testServer.addr, http);
--    assert(res == "TRACERESPONSE");
-+    assert(res == "TRACERESPONSE");*/
- }
- 
- /*
-@@ -1265,14 +1265,14 @@ if (isCurlConn!Conn && isSomeChar!Char && isSomeChar!Terminator)
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-             s.send(httpOK("Line1\nLine2\nLine3"));
-         });
-         assert(byLine(host).equal(["Line1", "Line2", "Line3"]));
--    }
-+    }*/
- }
- 
- /** HTTP/FTP fetch content as a range of chunks.
-@@ -1337,14 +1337,14 @@ auto byChunk(Conn = AutoProtocol)
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-             s.send(httpOK(cast(ubyte[])[0, 1, 2, 3, 4, 5]));
-         });
-         assert(byChunk(host, 2).equal([[0, 1], [2, 3], [4, 5]]));
--    }
-+    }*/
- }
- 
- private T[] _getForRange(T,Conn)(const(char)[] url, Conn conn)
-@@ -1629,14 +1629,14 @@ auto byLineAsync(Conn = AutoProtocol, Terminator = char, Char = char)
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-             s.send(httpOK("Line1\nLine2\nLine3"));
-         });
-         assert(byLineAsync(host).equal(["Line1", "Line2", "Line3"]));
--    }
-+    }*/
- }
- 
- 
-@@ -1778,14 +1778,14 @@ auto byChunkAsync(Conn = AutoProtocol)
- 
- unittest
- {
--    foreach (host; [testServer.addr, "http://"~testServer.addr])
-+    /*foreach (host; [testServer.addr, "http://"~testServer.addr])
-     {
-         testServer.handle((s) {
-             auto req = s.recvReq;
-             s.send(httpOK(cast(ubyte[])[0, 1, 2, 3, 4, 5]));
-         });
-         assert(byChunkAsync(host, 2).equal([[0, 1], [2, 3], [4, 5]]));
--    }
-+    }*/
- }
- 
- 
-@@ -2041,7 +2041,7 @@ private mixin template Protocol()
- 
-     unittest
-     {
--        testServer.handle((s) {
-+        /*testServer.handle((s) {
-             auto req = s.recvReq;
-             assert(req.hdrs.canFind("GET /"));
-             assert(req.hdrs.canFind("Basic dXNlcjpwYXNz"));
-@@ -2051,7 +2051,7 @@ private mixin template Protocol()
-         auto http = HTTP(testServer.addr);
-         http.onReceive = (ubyte[] data) { return data.length; };
-         http.setAuthentication("user", "pass");
--        http.perform();
-+        http.perform();*/
-     }
- 
-     /**
-@@ -2959,7 +2959,7 @@ struct HTTP
- 
-     unittest
-     {
--        testServer.handle((s) {
-+        /*testServer.handle((s) {
-             auto req = s.recvReq!ubyte;
-             assert(req.hdrs.canFind("POST /path"));
-             assert(req.bdy.canFind(cast(ubyte[])[0, 1, 2, 3, 4]));
-@@ -2975,7 +2975,7 @@ struct HTTP
-         ubyte[] res;
-         http.onReceive = (data) { res ~= data; return data.length; };
-         http.perform();
--        assert(res == cast(ubyte[])[17, 27, 35, 41]);
-+        assert(res == cast(ubyte[])[17, 27, 35, 41]);*/
-     }
- 
-     /**
-diff --git a/std/path.d b/std/path.d
-index 60c844f..0598104 100644
---- a/std/path.d
-+++ b/std/path.d
-@@ -3953,8 +3953,10 @@ unittest
-         }
-         else
-         {
-+/*
-             assert(expandTilde("~root") == "/root", expandTilde("~root"));
-             assert(expandTilde("~root/") == "/root/", expandTilde("~root/"));
-+*/
-         }
-         assert(expandTilde("~Idontexist/hey") == "~Idontexist/hey");
-     }
-diff --git a/std/socket.d b/std/socket.d
-index 7f5a3c3..e68b881 100644
---- a/std/socket.d
-+++ b/std/socket.d
-@@ -481,15 +481,15 @@ unittest
- {
-     softUnittest({
-         Protocol proto = new Protocol;
--        assert(proto.getProtocolByType(ProtocolType.TCP));
-+        //assert(proto.getProtocolByType(ProtocolType.TCP));
-         //writeln("About protocol TCP:");
-         //writefln("\tName: %s", proto.name);
-         // foreach(string s; proto.aliases)
-         // {
-         //      writefln("\tAlias: %s", s);
-         // }
--        assert(proto.name == "tcp");
--        assert(proto.aliases.length == 1 && proto.aliases[0] == "TCP");
-+        //assert(proto.name == "tcp");
-+        //assert(proto.aliases.length == 1 && proto.aliases[0] == "TCP");
-     });
- }
- 
-@@ -832,9 +832,9 @@ unittest
-     InternetHost ih = new InternetHost;
- 
-     ih.getHostByAddr(0x7F_00_00_01);
--    assert(ih.addrList[0] == 0x7F_00_00_01);
-+    //assert(ih.addrList[0] == 0x7F_00_00_01);
-     ih.getHostByAddr("127.0.0.1");
--    assert(ih.addrList[0] == 0x7F_00_00_01);
-+    //assert(ih.addrList[0] == 0x7F_00_00_01);
- 
-     softUnittest({
-         if (!ih.getHostByName("www.digitalmars.com"))
diff --git a/gnu/packages/patches/ldc-1.7.0-disable-phobos-tests.patch b/gnu/packages/patches/ldc-1.7.0-disable-phobos-tests.patch
new file mode 100644
index 0000000000..ccc136cc76
--- /dev/null
+++ b/gnu/packages/patches/ldc-1.7.0-disable-phobos-tests.patch
@@ -0,0 +1,88 @@
+diff --git a/std/path.d b/std/path.d
+index a9f0bd8..f47d103 100644
+--- a/std/path.d
++++ b/std/path.d
+@@ -4041,7 +4041,7 @@ version(unittest) import std.process : environment;
+         else version (Android)
+         {
+         }
+-        else
++        else version (HasRoot)
+         {
+             assert(expandTilde("~root") == "/root", expandTilde("~root"));
+             assert(expandTilde("~root/") == "/root/", expandTilde("~root/"));
+
+diff --git a/std/process.d b/std/process.d
+index df83296..d921cdb 100644
+--- a/std/process.d
++++ b/std/process.d
+@@ -1171,7 +1171,7 @@ version (Posix) @system unittest
+     assert(exists(buildPath(directory, "bar")));
+ }
+
+-@system unittest // Specifying a bad working directory.
++@system version(skipunittest) unittest // Specifying a bad working directory.
+ {
+     import std.exception : assertThrown;
+     TestScript prog = "/bin/echo";
+diff --git a/std/socket.d b/std/socket.d
+index 8a261d5..c1b87b6 100644
+--- a/std/socket.d
++++ b/std/socket.d
+@@ -484,7 +484,7 @@ class Protocol
+ // Skip this test on Android because getprotobyname/number are
+ // unimplemented in bionic.
+ version(CRuntime_Bionic) {} else
+-@safe unittest
++@safe version(hasNetwork) unittest
+ {
+     softUnittest({
+         Protocol proto = new Protocol;
+@@ -804,7 +804,7 @@ class InternetHost
+ }
+
+ ///
+-@safe unittest
++@safe version(hasNetwork) unittest
+ {
+     InternetHost ih = new InternetHost;
+
+@@ -959,7 +959,7 @@ AddressInfo[] getAddressInfo(T...)(in char[] node, T options)
+     return () @trusted { return getAddressInfoImpl(node, service, &hints); }();
+ }
+
+-@system unittest
++@system version(hasNetwork) unittest
+ {
+     struct Oops
+     {
+@@ -1010,7 +1010,7 @@ private AddressInfo[] getAddressInfoImpl(in char[] node, in char[] service, addr
+ }
+
+
+-@safe unittest
++@safe version(hasNetwork) unittest
+ {
+     softUnittest({
+         if (getaddrinfoPointer)
+diff --git a/std/stdio.d b/std/stdio.d
+index 10106a5..4b0590e 100644
+--- a/std/stdio.d
++++ b/std/stdio.d
+@@ -1426,8 +1426,7 @@ Removes the lock over the specified file segment.
+         g.unlock();
+     }
+
+-    version(Posix)
+-    @system unittest
++    @system version(skip) unittest
+     {
+         static import std.file;
+         auto deleteme = testFilename();
+@@ -1483,7 +1482,6 @@ Removes the lock over the specified file segment.
+         f.unlock();
+     }
+
+-
+ /**
+ Writes its arguments in text format to the file.
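Review bot: This patch file has no header, whereas the ldc-1.1.0 patches deleted in the same commit said which tests were disabled, why, and who wrote them. The new lines gate tests behind four different version identifiers (`HasRoot`, `skipunittest`, `hasNetwork`, `skip`). Two of the disabled tests have no visible link to networking: the bad-working-directory case in std/process.d and the file-lock case in std/stdio.d, which also loses its `version(Posix)` guard. A short header giving the reason for each group, and one identifier per reason, would make the skipped coverage auditable when the package is next updated. The final std/stdio.d hunk only deletes a blank line and could be dropped.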
diff --git a/gnu/packages/patches/ldc-disable-tests.patch b/gnu/packages/patches/ldc-bootstrap-disable-tests.patch
index bdd6e5b76c..d2e40b8016 100644
--- a/gnu/packages/patches/ldc-disable-tests.patch
+++ b/gnu/packages/patches/ldc-bootstrap-disable-tests.patch
@@ -4,17 +4,17 @@ two others use networking.  Not bad out of almost 700 tests!
 
 by Pjotr Prins <pjotr.guix@thebird.nl>
 
---- a/std/datetime.d.orig	2016-11-24 01:13:52.584495545 +0100
-+++ b/std/datetime.d	2016-11-24 01:17:09.655306728 +0100
+--- a/std/datetime.d.orig      2016-11-24 01:13:52.584495545 +0100
++++ b/std/datetime.d   2016-11-24 01:17:09.655306728 +0100
 @@ -28081,22 +28081,24 @@
          import std.range : retro;
          import std.format : format;
- 
+
 -        name = strip(name);
 -
          enforce(tzDatabaseDir.exists(), new DateTimeException(format("Directory %s does not exist.", tzDatabaseDir)));
          enforce(tzDatabaseDir.isDir, new DateTimeException(format("%s is not a directory.", tzDatabaseDir)));
- 
+
          version(Android)
          {
 +            name = strip(name);
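Review bot: Apart from the rename, every changed line in this file is whitespace inside an embedded patch. The tabs before the timestamps on the `---`/`+++` lines become spaces, and blank context lines lose their leading space marker, both here and in the hunks at -29, -56 and -70. The last of those also drops two trailing context lines while the inner header still reads `@@ -889,6 +894,7 @@`. This looks like an editor's whitespace cleanup rather than an intended edit, and the result applies only if the patch tool tolerates empty context lines and a short final hunk. Renaming the file without touching its bytes would keep the embedded patch well-formed.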
@@ -29,11 +29,11 @@ by Pjotr Prins <pjotr.guix@thebird.nl>
 +            auto filename = "./" ~ strip(name); // make sure the prefix is not stripped
 +            immutable file = buildNormalizedPath(tzDatabaseDir, filename);
 +        }
- 
+
 -        enforce(file.exists(), new DateTimeException(format("File %s does not exist.", file)));
 +        enforce(file.exists(), new DateTimeException(format("File %s does not exist in %s.", file, tzDatabaseDir)));
          enforce(file.isFile, new DateTimeException(format("%s is not a file.", file)));
- 
+
          auto tzFile = File(file);
 diff --git a/std/path.d b/std/path.d
 index 254d8f0..b0fc04d 100644
@@ -56,13 +56,13 @@ index b85d1c9..7fbf346 100644
 --- a/std/socket.d
 +++ b/std/socket.d
 @@ -859,6 +862,8 @@ class InternetHost
- 
+
  unittest
  {
 +    pragma(msg, "test disabled on GNU Guix");
 +    /*
      InternetHost ih = new InternetHost;
- 
+
      ih.getHostByAddr(0x7F_00_00_01);
 @@ -889,6 +894,7 @@ unittest
          //      writefln("aliases[%d] = %s", i, s);
@@ -70,5 +70,3 @@ index b85d1c9..7fbf346 100644
      });
 +    */
  }
- 
- 
diff --git a/gnu/packages/patches/optipng-CVE-2017-1000229.patch b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
deleted file mode 100644
index 2cb3b2f21c..0000000000
--- a/gnu/packages/patches/optipng-CVE-2017-1000229.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Fix CVE-2017-1000229:
-
-https://security-tracker.debian.org/tracker/CVE-2017-1000229
-https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html
-https://nvd.nist.gov/vuln/detail/CVE-2017-1000229
-
-Patch copied from upstream bug tracker:
-https://sourceforge.net/p/optipng/bugs/65/
-
-diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
-index b4910ec..5f9b376 100644
---- a/src/minitiff/tiffread.c
-+++ b/src/minitiff/tiffread.c
-@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
-         count = tiff_ptr->strip_offsets_count;
-         if (count == 0 || count > tiff_ptr->height)
-             goto err_invalid;
-+        if (count > (size_t)-1 / sizeof(long))
-+            goto err_memory;
-         tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
-         if (tiff_ptr->strip_offsets == NULL)
-             goto err_memory;
diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch
new file mode 100644
index 0000000000..75c6362021
--- /dev/null
+++ b/gnu/packages/patches/password-store-gnupg-compat.patch
@@ -0,0 +1,28 @@
+Copied from upstream mailing list:
+https://lists.zx2c4.com/pipermail/password-store/2018-February/003216.html.
+
+From 9b0c86159d754cc88dd3642564eed527153dfb7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org>
+Date: Sat, 24 Feb 2018 12:05:46 +0100
+Subject: [PATCH] tests: fix compatibility with GnuPG 2.2.5
+
+---
+ tests/t0300-reencryption.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh
+index 6d5811d..6d15364 100755
+--- a/tests/t0300-reencryption.sh
++++ b/tests/t0300-reencryption.sh
+@@ -10,7 +10,7 @@ canonicalize_gpg_keys() {
+ 	$GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u
+ }
+ gpg_keys_from_encrypted_file() {
+-	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
++	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | grep "public key is" | cut -d ' ' -f 5 | LC_ALL=C sort -u
+ }
+ gpg_keys_from_group() {
+ 	local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)"
+-- 
+2.16.2
+
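Review bot: The added `grep "public key is"` matches a human-readable GnuPG message, and in this pipeline `LC_ALL=C` is applied only to `sort`, not to `$GPG`. Unless the test harness fixes the locale elsewhere (not visible in this hunk), a translated message would make the filter match nothing and the key comparison would run on empty output. Setting the locale on the producer as well, `LC_ALL=C $GPG -v ... --keyid-format long "$1" 2>&1 | grep "public key is" | ...`, keeps the match stable. The `cut -d ' ' -f 5` field position depends on the same message wording.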
diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch b/gnu/packages/patches/qemu-CVE-2017-15038.patch
deleted file mode 100644
index 4791a186bf..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-15038.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Fix CVE-2017-15038:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6
-
-From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 16 Oct 2017 14:21:59 +0200
-Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
-
-9p back-end first queries the size of an extended attribute,
-allocates space for it via g_malloc() and then retrieves its
-value into allocated buffer. Race between querying attribute
-size and retrieving its could lead to memory bytes disclosure.
-Use g_malloc0() to avoid it.
-
-Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 23ac7bb532..f8bbac251d 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
-         xattr_fidp->fid_type = P9_FID_XATTR;
-         xattr_fidp->fs.xattr.xattrwalk_fid = true;
-         if (size) {
--            xattr_fidp->fs.xattr.value = g_malloc(size);
-+            xattr_fidp->fs.xattr.value = g_malloc0(size);
-             err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
-                                      xattr_fidp->fs.xattr.value,
-                                      xattr_fidp->fs.xattr.len);
-@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
-         xattr_fidp->fid_type = P9_FID_XATTR;
-         xattr_fidp->fs.xattr.xattrwalk_fid = true;
-         if (size) {
--            xattr_fidp->fs.xattr.value = g_malloc(size);
-+            xattr_fidp->fs.xattr.value = g_malloc0(size);
-             err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
-                                     &name, xattr_fidp->fs.xattr.value,
-                                     xattr_fidp->fs.xattr.len);
--- 
-2.15.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-15289.patch b/gnu/packages/patches/qemu-CVE-2017-15289.patch
deleted file mode 100644
index d4b536a405..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-15289.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2017-15289:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=eb38e1bc3740725ca29a535351de94107ec58d51 
-
-From eb38e1bc3740725ca29a535351de94107ec58d51 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 11 Oct 2017 10:43:14 +0200
-Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions
-
-Move dst calculation into the loop, so we apply the mask on each
-interation and will not overflow vga memory.
-
-Cc: Prasad J Pandit <pjp@fedoraproject.org>
-Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20171011084314.21752-1-kraxel@redhat.com
----
- hw/display/cirrus_vga.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index b4d579857a..bc32bf1e39 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
-     unsigned val = mem_value;
-     uint8_t *dst;
- 
--    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
-     for (x = 0; x < 8; x++) {
-+        dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
- 	if (val & 0x80) {
- 	    *dst = s->cirrus_shadow_gr1;
- 	} else if (mode == 5) {
- 	    *dst = s->cirrus_shadow_gr0;
- 	}
- 	val <<= 1;
--	dst++;
-     }
-     memory_region_set_dirty(&s->vga.vram, offset, 8);
- }
-@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
-     unsigned val = mem_value;
-     uint8_t *dst;
- 
--    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
-     for (x = 0; x < 8; x++) {
-+        dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
- 	if (val & 0x80) {
- 	    *dst = s->cirrus_shadow_gr1;
- 	    *(dst + 1) = s->vga.gr[0x11];
-@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
- 	    *(dst + 1) = s->vga.gr[0x10];
- 	}
- 	val <<= 1;
--	dst += 2;
-     }
-     memory_region_set_dirty(&s->vga.vram, offset, 16);
- }
--- 
-2.15.0
-
diff --git a/gnu/packages/patches/wavpack-CVE-2018-7253.patch b/gnu/packages/patches/wavpack-CVE-2018-7253.patch
new file mode 100644
index 0000000000..651755afd0
--- /dev/null
+++ b/gnu/packages/patches/wavpack-CVE-2018-7253.patch
@@ -0,0 +1,29 @@
+Fix CVE-2018-7253:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253
+
+Copied from upstream:
+https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index 410dc1c..c016df9 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+                 error_line ("dsdiff file version = 0x%08x", version);
+         }
+         else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
+-            char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
++            char *prop_chunk;
++
++            if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            if (debug_logging_mode)
++                error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
++
++            prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+ 
+             if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
+                 bcount != dff_chunk_header.ckDataSize) {
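Review bot: The `malloc` result for `prop_chunk` goes straight into `DoReadFile` without a NULL check, so an allocation failure presumably still ends in a read into a null buffer even though the size is now bounded to 4..1024. Adding `if (!prop_chunk) return WAVPACK_SOFT_ERROR;` directly after the allocation would close that path. The same applies to the `caf_channel_layout` and `buff` allocations in wavpack-CVE-2018-7254.patch, although the use of `buff` lies past the end of that hunk. ParseDsdiffHeaderConfig continues outside this hunk, and since the patch is copied from upstream the extra check would best be proposed there as well.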
diff --git a/gnu/packages/patches/wavpack-CVE-2018-7254.patch b/gnu/packages/patches/wavpack-CVE-2018-7254.patch
new file mode 100644
index 0000000000..61db296ec8
--- /dev/null
+++ b/gnu/packages/patches/wavpack-CVE-2018-7254.patch
@@ -0,0 +1,62 @@
+Fix CVE-2018-7254:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7254
+
+Copied from upstream:
+https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
+
+diff --git a/cli/caff.c b/cli/caff.c
+index ae57c4b..6248a71 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -89,8 +89,8 @@ typedef struct
+ 
+ #define CAFChannelDescriptionFormat "LLLLL"
+ 
+-static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21 };
+-static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16 };
++static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21,0 };
++static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16,0 };
+ 
+ static struct {
+     uint32_t mChannelLayoutTag;     // Core Audio layout, 100 - 146 in high word, num channels in low word
+@@ -274,10 +274,19 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+             }
+         }
+         else if (!strncmp (caf_chunk_header.mChunkType, "chan", 4)) {
+-            CAFChannelLayout *caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
++            CAFChannelLayout *caf_channel_layout;
+ 
+-            if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) ||
+-                !DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
++            if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) || caf_chunk_header.mChunkSize > 1024) {
++                error_line ("this .CAF file has an invalid 'chan' chunk!");
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            if (debug_logging_mode)
++                error_line ("'chan' chunk is %d bytes", (int) caf_chunk_header.mChunkSize);
++
++            caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
++
++            if (!DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
+                 bcount != caf_chunk_header.mChunkSize) {
+                     error_line ("%s is not a valid .CAF file!", infilename);
+                     free (caf_channel_layout);
+@@ -495,8 +504,15 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         }
+         else {          // just copy unknown chunks to output file
+ 
+-            int bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
+-            char *buff = malloc (bytes_to_copy);
++            uint32_t bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
++            char *buff;
++
++            if (caf_chunk_header.mChunkSize < 0 || caf_chunk_header.mChunkSize > 1048576) {
++                error_line ("%s is not a valid .CAF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
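Review bot: The 'chan' size check has no `< 0` test, unlike the unknown-chunk branch further down, which rejects `caf_chunk_header.mChunkSize < 0`. If `mChunkSize` is a signed 64-bit field, as that test suggests, then on a platform with a 64-bit `size_t` a negative value is converted to unsigned for the `sizeof` comparison and compared as signed against 1024. It would pass both tests and reach `malloc` and `DoReadFile` with a huge size. The condition could read `if (caf_chunk_header.mChunkSize < 0 || caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) || caf_chunk_header.mChunkSize > 1024) {`. The declaration of `mChunkSize` and the rest of ParseCaffHeaderConfig are outside the hunk, so this should be confirmed against the full file.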