summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/alsa-lib-mips-atomic-fix.patch42
-rw-r--r--gnu/packages/patches/coreutils-fix-cross-compilation.patch15
-rw-r--r--gnu/packages/patches/eudev-conflicting-declaration.patch31
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch82
-rw-r--r--gnu/packages/patches/fontconfig-path-max.patch124
-rw-r--r--gnu/packages/patches/gcc-5-source-date-epoch-1.patch190
-rw-r--r--gnu/packages/patches/gcc-5-source-date-epoch-2.patch353
-rw-r--r--gnu/packages/patches/gcc-libiberty-printf-decl.patch28
-rw-r--r--gnu/packages/patches/gd-CVE-2016-7568.patch44
-rw-r--r--gnu/packages/patches/gd-CVE-2016-8670.patch38
-rw-r--r--gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch102
-rw-r--r--gnu/packages/patches/gd-fix-truecolor-format-correction.patch95
-rw-r--r--gnu/packages/patches/gd-freetype-test-failure.patch59
-rw-r--r--gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch121
-rw-r--r--gnu/packages/patches/gdk-pixbuf-list-dir.patch35
-rw-r--r--gnu/packages/patches/glibc-bootstrap-system.patch2
-rw-r--r--gnu/packages/patches/graphite2-ffloat-store.patch34
-rw-r--r--gnu/packages/patches/guile-repl-server-test.patch48
-rw-r--r--gnu/packages/patches/lcms-CVE-2016-10165.patch (renamed from gnu/packages/patches/lcms-fix-out-of-bounds-read.patch)4
-rw-r--r--gnu/packages/patches/libarchive-7zip-heap-overflow.patch77
-rw-r--r--gnu/packages/patches/libarchive-fix-filesystem-attacks.patch445
-rw-r--r--gnu/packages/patches/libarchive-fix-symlink-check.patch60
-rw-r--r--gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch44
-rw-r--r--gnu/packages/patches/libcmis-fix-test-onedrive.patch35
-rw-r--r--gnu/packages/patches/libdrm-symbol-check.patch27
-rw-r--r--gnu/packages/patches/libepoxy-gl-null-checks.patch54
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch (renamed from gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch)5
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch (renamed from gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch)5
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch (renamed from gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch)5
-rw-r--r--gnu/packages/patches/libpng-CVE-2016-10087.patch37
-rw-r--r--gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch33
-rw-r--r--gnu/packages/patches/libxcb-python-3.5-compat.patch64
-rw-r--r--gnu/packages/patches/nss-increase-test-timeout.patch25
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2016-5157.patch96
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2016-7163.patch71
-rw-r--r--gnu/packages/patches/openjpeg-use-after-free-fix.patch48
-rw-r--r--gnu/packages/patches/pcre-CVE-2016-3191.patch151
-rw-r--r--gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch54
-rw-r--r--gnu/packages/patches/python-3.4-fix-tests.patch12
-rw-r--r--gnu/packages/patches/python-3.5-fix-tests.patch37
-rw-r--r--gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch720
-rw-r--r--gnu/packages/patches/python-fix-tests.patch17
-rw-r--r--gnu/packages/patches/python-pillow-freetype-2.7-test-failure.patch75
-rw-r--r--gnu/packages/patches/sed-hurd-path-max.patch34
-rw-r--r--gnu/packages/patches/tar-CVE-2016-6321.patch51
-rw-r--r--gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch33
-rw-r--r--gnu/packages/patches/tcsh-fix-autotest.patch113
-rw-r--r--gnu/packages/patches/wget-fix-504-test-timeout.patch160
-rw-r--r--gnu/packages/patches/xcb-proto-python3-print.patch75
-rw-r--r--gnu/packages/patches/xcb-proto-python3-whitespace.patch217
-rw-r--r--gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch46
52 files changed, 2719 insertions, 1684 deletions
diff --git a/gnu/packages/patches/alsa-lib-mips-atomic-fix.patch b/gnu/packages/patches/alsa-lib-mips-atomic-fix.patch
deleted file mode 100644
index 8c37bd3ac4..0000000000
--- a/gnu/packages/patches/alsa-lib-mips-atomic-fix.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix the declarations of inlined atomic ops for mips.
-
-This patch was copied from Debian.
-
---- alsa-lib/include/iatomic.h.orig	2013-05-21 04:48:28.000000000 -0400
-+++ alsa-lib/include/iatomic.h	2013-10-29 13:01:37.055995968 -0400
-@@ -720,7 +720,7 @@
-  * Atomically adds @i to @v.  Note that the guaranteed useful range
-  * of an atomic_t is only 24 bits.
-  */
--extern __inline__ void atomic_add(int i, atomic_t * v)
-+static __inline__ void atomic_add(int i, atomic_t * v)
- {
- 	unsigned long temp;
- 
-@@ -744,7 +744,7 @@
-  * Atomically subtracts @i from @v.  Note that the guaranteed
-  * useful range of an atomic_t is only 24 bits.
-  */
--extern __inline__ void atomic_sub(int i, atomic_t * v)
-+static __inline__ void atomic_sub(int i, atomic_t * v)
- {
- 	unsigned long temp;
- 
-@@ -763,7 +763,7 @@
- /*
-  * Same as above, but return the result value
-  */
--extern __inline__ int atomic_add_return(int i, atomic_t * v)
-+static __inline__ int atomic_add_return(int i, atomic_t * v)
- {
- 	unsigned long temp, result;
- 
-@@ -784,7 +784,7 @@
- 	return result;
- }
- 
--extern __inline__ int atomic_sub_return(int i, atomic_t * v)
-+static __inline__ int atomic_sub_return(int i, atomic_t * v)
- {
- 	unsigned long temp, result;
- 
diff --git a/gnu/packages/patches/coreutils-fix-cross-compilation.patch b/gnu/packages/patches/coreutils-fix-cross-compilation.patch
new file mode 100644
index 0000000000..3f0d35c33e
--- /dev/null
+++ b/gnu/packages/patches/coreutils-fix-cross-compilation.patch
@@ -0,0 +1,15 @@
+Coreutils fails to cross compile for other platforms because cu_install_program
+is not being evaluated properly. This patch fixes it.
+See <https://lists.gnu.org/archive/html/coreutils/2017-01/msg00039.html>
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -5023,7 +5023,7 @@ pr = progs-readme
+ @CROSS_COMPILING_FALSE@cu_install_program = src/ginstall
+ 
+ # Use the just-built 'ginstall', when not cross-compiling.
+-@CROSS_COMPILING_TRUE@cu_install_program = @INSTALL_PROGRAM@
++@CROSS_COMPILING_TRUE@cu_install_program := @INSTALL@
+ info_TEXINFOS = doc/coreutils.texi
+ doc_coreutils_TEXINFOS = \
+   doc/perm.texi \
+
diff --git a/gnu/packages/patches/eudev-conflicting-declaration.patch b/gnu/packages/patches/eudev-conflicting-declaration.patch
new file mode 100644
index 0000000000..f5399e20d3
--- /dev/null
+++ b/gnu/packages/patches/eudev-conflicting-declaration.patch
@@ -0,0 +1,31 @@
+Fix build failure due to conflicting declaration of
+keyboard_lookup_key() in gperf-3.1:
+
+https://bugs.gentoo.org/show_bug.cgi?id=604864
+
+Patch copied from upstream source repository:
+
+https://github.com/gentoo/eudev/commit/5bab4d8de0dcbb8e2e7d4d5125b4aea1652a0d60
+
+From 5bab4d8de0dcbb8e2e7d4d5125b4aea1652a0d60 Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile" <blueness@gentoo.org>
+Date: Thu, 5 Jan 2017 16:21:17 -0500
+Subject: [PATCH] src/udev/udev-builtin-keyboard.c: fix build with gperf 3.1
+
+Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
+---
+ src/udev/udev-builtin-keyboard.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/udev/udev-builtin-keyboard.c b/src/udev/udev-builtin-keyboard.c
+index 73171c3..fad3520 100644
+--- a/src/udev/udev-builtin-keyboard.c
++++ b/src/udev/udev-builtin-keyboard.c
+@@ -28,7 +28,6 @@
+ 
+ #include "udev.h"
+ 
+-static const struct key *keyboard_lookup_key(const char *str, unsigned len);
+ #include "keyboard-keys-from-name.h"
+ #include "keyboard-keys-to-name.h"
+ 
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
deleted file mode 100644
index 1f3cb028d4..0000000000
--- a/gnu/packages/patches/flex-CVE-2016-6354.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
-https://security-tracker.debian.org/tracker/CVE-2016-6354
-
-Patch copied from upstream source repository:
-https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
-
-From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
-From: Will Estes <westes575@gmail.com>
-Date: Sat, 27 Feb 2016 11:56:05 -0500
-Subject: [PATCH] Fixed incorrect integer type
-
----
- src/flex.skl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/flex.skl b/src/flex.skl
-index 36a526a..64f853d 100644
---- a/src/flex.skl
-+++ b/src/flex.skl
-@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch b/gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch
new file mode 100644
index 0000000000..8ebe33bc6c
--- /dev/null
+++ b/gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch
@@ -0,0 +1,82 @@
+The first patch is copied from the upstream source repository:
+
+https://cgit.freedesktop.org/fontconfig/commit/?id=1ab5258f7c2abfafcd63a760ca08bf93591912da
+
+The second patch is adapted from a message to from the OpenEmbedded mailing list:
+
+http://lists.openembedded.org/pipermail/openembedded-core/2016-December/130213.html
+
+From 1ab5258f7c2abfafcd63a760ca08bf93591912da Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 14 Dec 2016 16:11:05 -0800
+Subject: Avoid conflicts with integer width macros from TS 18661-1:2014
+
+glibc 2.25+ has now defined these macros in <limits.h>
+https://sourceware.org/git/?p=glibc.git;a=commit;h=5b17fd0da62bf923cb61d1bb7b08cf2e1f1f9c1a
+
+Create an alias for FC_CHAR_WIDTH for ABI compatibility
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+diff --git a/fontconfig/fontconfig.h b/fontconfig/fontconfig.h
+index 5c72b22..070a557 100644
+--- a/fontconfig/fontconfig.h
++++ b/fontconfig/fontconfig.h
+@@ -128,7 +128,8 @@ typedef int		FcBool;
+ #define FC_USER_CACHE_FILE	    ".fonts.cache-" FC_CACHE_VERSION
+ 
+ /* Adjust outline rasterizer */
+-#define FC_CHAR_WIDTH	    "charwidth"	/* Int */
++#define FC_CHARWIDTH	    "charwidth"	/* Int */
++#define FC_CHAR_WIDTH	    FC_CHARWIDTH
+ #define FC_CHAR_HEIGHT	    "charheight"/* Int */
+ #define FC_MATRIX	    "matrix"    /* FcMatrix */
+ 
+diff --git a/src/fcobjs.h b/src/fcobjs.h
+index 1fc4f65..d27864b 100644
+--- a/src/fcobjs.h
++++ b/src/fcobjs.h
+@@ -51,7 +51,7 @@ FC_OBJECT (DPI,			FcTypeDouble,	NULL)
+ FC_OBJECT (RGBA,		FcTypeInteger,	NULL)
+ FC_OBJECT (SCALE,		FcTypeDouble,	NULL)
+ FC_OBJECT (MINSPACE,		FcTypeBool,	NULL)
+-FC_OBJECT (CHAR_WIDTH,		FcTypeInteger,	NULL)
++FC_OBJECT (CHARWIDTH,		FcTypeInteger,	NULL)
+ FC_OBJECT (CHAR_HEIGHT,		FcTypeInteger,	NULL)
+ FC_OBJECT (MATRIX,		FcTypeMatrix,	NULL)
+ FC_OBJECT (CHARSET,		FcTypeCharSet,	FcCompareCharSet)
+-- 
+cgit v0.10.2
+
+From 20cddc824c6501c2082cac41b162c34cd5fcc530 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem at gmail.com>
+Date: Sun, 11 Dec 2016 14:32:00 -0800
+Subject: [PATCH] Avoid conflicts with integer width macros from TS
+ 18661-1:2014
+
+glibc 2.25+ has now defined these macros in <limits.h>
+https://sourceware.org/git/?p=glibc.git;a=commit;h=5b17fd0da62bf923cb61d1bb7b08cf2e1f1f9c1a
+
+Signed-off-by: Khem Raj <raj.khem at gmail.com>
+---
+Upstream-Status: Submitted
+
+ fontconfig/fontconfig.h | 2 +-
+ src/fcobjs.h            | 2 +-
+ src/fcobjshash.gperf    | 2 +-
+ src/fcobjshash.h        | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+Index: fontconfig-2.12.1/src/fcobjshash.h
+===================================================================
+--- fontconfig-2.12.1.orig/src/fcobjshash.h
++++ fontconfig-2.12.1/src/fcobjshash.h
+@@ -284,7 +284,7 @@ FcObjectTypeLookup (register const char
+       {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str43,FC_CHARSET_OBJECT},
+       {-1},
+ #line 47 "fcobjshash.gperf"
+-      {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str45,FC_CHAR_WIDTH_OBJECT},
++      {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str45,FC_CHARWIDTH_OBJECT},
+ #line 48 "fcobjshash.gperf"
+       {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str46,FC_CHAR_HEIGHT_OBJECT},
+ #line 55 "fcobjshash.gperf"
diff --git a/gnu/packages/patches/fontconfig-path-max.patch b/gnu/packages/patches/fontconfig-path-max.patch
new file mode 100644
index 0000000000..e12f60ef00
--- /dev/null
+++ b/gnu/packages/patches/fontconfig-path-max.patch
@@ -0,0 +1,124 @@
+This patch fix the build on GNU/Hurd, due to PATH_MAX isn't defined.
+
+The patch was adapted from upstream source repository:
+'<https://cgit.freedesktop.org/fontconfig/commit/?id=abdb6d658e1a16410dd1c964e365a3ebd5039e7c>'
+Commit: abdb6d658e1a16410dd1c964e365a3ebd5039e7c
+
+---
+ src/fcdefault.c | 34 +++++++++++++++++++++++++++-------
+ src/fcint.h     |  6 ++++++
+ src/fcstat.c    | 12 +++++++++++-
+ 3 files changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/src/fcdefault.c b/src/fcdefault.c
+index 6647a8f..5afd7ec 100644
+--- a/src/fcdefault.c
++++ b/src/fcdefault.c
+@@ -148,17 +148,34 @@ retry:
+ 	    prgname = FcStrdup ("");
+ #else
+ # if defined (HAVE_GETEXECNAME)
+-	const char *p = getexecname ();
++	char *p = FcStrdup(getexecname ());
+ # elif defined (HAVE_READLINK)
+-	char buf[PATH_MAX + 1];
+-	int len;
++	size_t size = FC_PATH_MAX;
+ 	char *p = NULL;
+ 
+-	len = readlink ("/proc/self/exe", buf, sizeof (buf) - 1);
+-	if (len != -1)
++	while (1)
+ 	{
+-	    buf[len] = '\0';
+-	    p = buf;
++	    char *buf = malloc (size);
++	    ssize_t len;
++
++	    if (!buf)
++		break;
++
++	    len = readlink ("/proc/self/exe", buf, size - 1);
++	    if (len < 0)
++	    {
++		free (buf);
++		break;
++	    }
++	    if (len < size - 1)
++	    {
++		buf[len] = 0;
++		p = buf;
++		break;
++	    }
++
++	    free (buf);
++	    size *= 2;
+ 	}
+ # else
+ 	char *p = NULL;
+@@ -176,6 +193,9 @@ retry:
+ 
+ 	if (!prgname)
+ 	    prgname = FcStrdup ("");
++
++	if (p)
++	    free (p);
+ #endif
+ 
+ 	if (!fc_atomic_ptr_cmpexch (&default_prgname, NULL, prgname)) {
+diff --git a/src/fcint.h b/src/fcint.h
+index ac911ad..dad34c5 100644
+--- a/src/fcint.h
++++ b/src/fcint.h
+@@ -70,6 +70,12 @@ extern pfnSHGetFolderPathA pSHGetFolderPathA;
+ #  define FC_DIR_SEPARATOR_S       "/"
+ #endif
+ 
++#ifdef PATH_MAX
++#define FC_PATH_MAX	PATH_MAX
++#else
++#define FC_PATH_MAX	128
++#endif
++
+ #if __GNUC__ >= 4
+ #define FC_UNUSED	__attribute__((unused))
+ #else
+diff --git a/src/fcstat.c b/src/fcstat.c
+index 1734fa4..f6e1aaa 100644
+--- a/src/fcstat.c
++++ b/src/fcstat.c
+@@ -278,8 +278,13 @@ FcDirChecksum (const FcChar8 *dir, time_t *checksum)
+ 	{
+ #endif
+ 	struct stat statb;
+-	char f[PATH_MAX + 1];
++	char *f = malloc (len + 1 + dlen + 1);
+ 
++	if (!f)
++	{
++	    ret = -1;
++	    goto bail;
++	}
+ 	memcpy (f, dir, len);
+ 	f[len] = FC_DIR_SEPARATOR;
+ 	memcpy (&f[len + 1], files[n]->d_name, dlen);
+@@ -287,11 +292,16 @@ FcDirChecksum (const FcChar8 *dir, time_t *checksum)
+ 	if (lstat (f, &statb) < 0)
+ 	{
+ 	    ret = -1;
++	    free (f);
+ 	    goto bail;
+ 	}
+ 	if (S_ISDIR (statb.st_mode))
++	{
++	    free (f);
+ 	    goto bail;
++	}
+ 
++	free (f);
+ 	dtype = statb.st_mode;
+ #ifdef HAVE_STRUCT_DIRENT_D_TYPE
+ 	}
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/gcc-5-source-date-epoch-1.patch b/gnu/packages/patches/gcc-5-source-date-epoch-1.patch
new file mode 100644
index 0000000000..8c94a026b3
--- /dev/null
+++ b/gnu/packages/patches/gcc-5-source-date-epoch-1.patch
@@ -0,0 +1,190 @@
+Make GCC respect SOURCE_DATE_EPOCH in __DATE__ and __TIME__ macros.
+
+Patch adapted from upstream source repository:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934
+
+From e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934 Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 28 Apr 2016 09:12:05 +0000
+Subject: [PATCH] gcc/c-family/ChangeLog:
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 1bf5d080034..6f0898a38d7 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12318,4 +12318,37 @@ pointer_to_zero_sized_aggr_p (tree t)
+   return (TYPE_SIZE (t) && integer_zerop (TYPE_SIZE (t)));
+ }
+ 
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++time_t
++get_source_date_epoch ()
++{
++  char *source_date_epoch;
++  long long epoch;
++  char *endptr;
++
++  source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
++  if (!source_date_epoch)
++    return (time_t) -1;
++
++  errno = 0;
++  epoch = strtoll (source_date_epoch, &endptr, 10);
++  if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
++      || (errno != 0 && epoch == 0))
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "strtoll: %s\n", xstrerror(errno));
++  if (endptr == source_date_epoch)
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "no digits were found: %s\n", endptr);
++  if (*endptr != '\0')
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "trailing garbage: %s\n", endptr);
++  if (epoch < 0)
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "value must be nonnegative: %lld \n", epoch);
++
++  return (time_t) epoch;
++}
++
+ #include "gt-c-family-c-common.h"
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index fdb227f85c3..ba0a5d7df50 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1437,4 +1437,10 @@ extern bool contains_cilk_spawn_stmt (tree);
+ extern tree cilk_for_number_of_iterations (tree);
+ extern bool check_no_cilk (tree, const char *, const char *,
+ 		           location_t loc = UNKNOWN_LOCATION);
++
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++extern time_t get_source_date_epoch (void);
++
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index bb55be8063e..e68471b9d2b 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -402,6 +402,9 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+   enum cpp_ttype type;
+   unsigned char add_flags = 0;
+   enum overflow_type overflow = OT_NONE;
++  time_t source_date_epoch = get_source_date_epoch ();
++
++  cpp_init_source_date_epoch (parse_in, source_date_epoch);
+ 
+   timevar_push (TV_CPP);
+  retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 100811dc637..3b5317beb53 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -79,4 +79,21 @@ main input file is omitted.
+ @ifclear cppmanual
+ @xref{Preprocessor Options}.
+ @end ifclear
++
++@item SOURCE_DATE_EPOCH
++
++If this variable is set, its value specifies a UNIX timestamp to be
++used in replacement of the current date and time in the @code{__DATE__}
++and @code{__TIME__} macros, so that the embedded timestamps become
++reproducible.
++
++The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
++defined as the number of seconds (excluding leap seconds) since
++01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
++@samp{@command{date +%s}}.
++
++The value should be a known timestamp such as the last modification
++time of the source or package and it should be set by the build
++process.
++
+ @end vtable
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 1b731d1a3ad..7a5481219be 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -775,6 +775,9 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__.  */
+ extern void cpp_init_builtins (cpp_reader *, int);
+ 
++/* Initialize the source_date_epoch value.  */
++extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
++
+ /* This is called after options have been parsed, and partially
+    processed.  */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index 45a4d13ffa3..a8d00f4628b 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -530,6 +530,13 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+     _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+ 
++/* Initialize the source_date_epoch value.  */
++void
++cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
++{
++  pfile->source_date_epoch = source_date_epoch; 
++}
++
+ /* Sanity-checks are dependent on command-line options, so it is
+    called as a subroutine of cpp_read_main_file ().  */
+ #if ENABLE_CHECKING
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index c2d08168945..8507eba1747 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -502,6 +502,10 @@ struct cpp_reader
+   const unsigned char *date;
+   const unsigned char *time;
+ 
++  /* Externally set timestamp to replace current date and time useful for
++     reproducibility.  */
++  time_t source_date_epoch;
++
+   /* EOF token, and a token forcing paste avoidance.  */
+   cpp_token avoid_paste;
+   cpp_token eof;
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index eb32a6f8c98..3f3b278e97d 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -350,13 +350,20 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node)
+ 	  time_t tt;
+ 	  struct tm *tb = NULL;
+ 
+-	  /* (time_t) -1 is a legitimate value for "number of seconds
+-	     since the Epoch", so we have to do a little dance to
+-	     distinguish that from a genuine error.  */
+-	  errno = 0;
+-	  tt = time(NULL);
+-	  if (tt != (time_t)-1 || errno == 0)
+-	    tb = localtime (&tt);
++	  /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
++	     usage if SOURCE_DATE_EPOCH is defined.  */
++	  if (pfile->source_date_epoch != (time_t) -1)
++	     tb = gmtime (&pfile->source_date_epoch);
++	  else
++	    {
++	      /* (time_t) -1 is a legitimate value for "number of seconds
++		 since the Epoch", so we have to do a little dance to
++		 distinguish that from a genuine error.  */
++	      errno = 0;
++	      tt = time (NULL);
++	      if (tt != (time_t)-1 || errno == 0)
++		tb = localtime (&tt);
++	    }
+ 
+ 	  if (tb)
+ 	    {
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/gcc-5-source-date-epoch-2.patch b/gnu/packages/patches/gcc-5-source-date-epoch-2.patch
new file mode 100644
index 0000000000..ed2580679a
--- /dev/null
+++ b/gnu/packages/patches/gcc-5-source-date-epoch-2.patch
@@ -0,0 +1,353 @@
+Continuation of the SOURCE_DATE_EPOCH patch.
+
+Patch adapted from upstream source repository:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c
+
+From dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Wed, 1 Jun 2016 16:42:41 +0000
+Subject: [PATCH] gcc/c-family/ChangeLog:
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 6f0898a38d7..efbc78ef218 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12321,8 +12321,9 @@ pointer_to_zero_sized_aggr_p (tree t)
+ /* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+    timestamp to replace embedded current dates to get reproducible
+    results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++
+ time_t
+-get_source_date_epoch ()
++cb_get_source_date_epoch (cpp_reader *pfile ATTRIBUTE_UNUSED)
+ {
+   char *source_date_epoch;
+   long long epoch;
+@@ -12334,19 +12335,14 @@ get_source_date_epoch ()
+ 
+   errno = 0;
+   epoch = strtoll (source_date_epoch, &endptr, 10);
+-  if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
+-      || (errno != 0 && epoch == 0))
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "strtoll: %s\n", xstrerror(errno));
+-  if (endptr == source_date_epoch)
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "no digits were found: %s\n", endptr);
+-  if (*endptr != '\0')
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "trailing garbage: %s\n", endptr);
+-  if (epoch < 0)
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "value must be nonnegative: %lld \n", epoch);
++  if (errno != 0 || endptr == source_date_epoch || *endptr != '\0'
++      || epoch < 0 || epoch > MAX_SOURCE_DATE_EPOCH)
++    {
++      error_at (input_location, "environment variable SOURCE_DATE_EPOCH must "
++	        "expand to a non-negative integer less than or equal to %wd",
++		MAX_SOURCE_DATE_EPOCH);
++      return (time_t) -1;
++    }
+ 
+   return (time_t) epoch;
+ }
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index ba0a5d7df50..977ae9df5ea 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1063,6 +1063,16 @@ extern vec<tree, va_gc> *make_tree_vector_copy (const vec<tree, va_gc> *);
+    c_register_builtin_type.  */
+ extern GTY(()) tree registered_builtin_types;
+ 
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++extern time_t cb_get_source_date_epoch (cpp_reader *pfile);
++
++/* The value (as a unix timestamp) corresponds to date
++   "Dec 31 9999 23:59:59 UTC", which is the latest date that __DATE__ and
++   __TIME__ can store.  */
++#define MAX_SOURCE_DATE_EPOCH HOST_WIDE_INT_C (253402300799)
++
+ /* In c-gimplify.c  */
+ extern void c_genericize (tree);
+ extern int c_gimplify_expr (tree *, gimple_seq *, gimple_seq *);
+@@ -1438,9 +1448,4 @@ extern tree cilk_for_number_of_iterations (tree);
+ extern bool check_no_cilk (tree, const char *, const char *,
+ 		           location_t loc = UNKNOWN_LOCATION);
+ 
+-/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+-   timestamp to replace embedded current dates to get reproducible
+-   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
+-extern time_t get_source_date_epoch (void);
+-
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index e68471b9d2b..3f78073f640 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -97,6 +97,7 @@ init_c_lex (void)
+   cb->valid_pch = c_common_valid_pch;
+   cb->read_pch = c_common_read_pch;
+   cb->has_attribute = c_common_has_attribute;
++  cb->get_source_date_epoch = cb_get_source_date_epoch;
+ 
+   /* Set the debug callbacks if we can use them.  */
+   if ((debug_info_level == DINFO_LEVEL_VERBOSE
+@@ -402,9 +403,6 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+   enum cpp_ttype type;
+   unsigned char add_flags = 0;
+   enum overflow_type overflow = OT_NONE;
+-  time_t source_date_epoch = get_source_date_epoch ();
+-
+-  cpp_init_source_date_epoch (parse_in, source_date_epoch);
+ 
+   timevar_push (TV_CPP);
+  retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 3b5317beb53..7b4cf6adc11 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -81,7 +81,6 @@ main input file is omitted.
+ @end ifclear
+ 
+ @item SOURCE_DATE_EPOCH
+-
+ If this variable is set, its value specifies a UNIX timestamp to be
+ used in replacement of the current date and time in the @code{__DATE__}
+ and @code{__TIME__} macros, so that the embedded timestamps become
+@@ -89,8 +88,9 @@ reproducible.
+ 
+ The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
+ defined as the number of seconds (excluding leap seconds) since
+-01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
+-@samp{@command{date +%s}}.
++01 Jan 1970 00:00:00 represented in ASCII; identical to the output of
++@samp{@command{date +%s}} on GNU/Linux and other systems that support the
++@code{%s} extension in the @code{date} command.
+ 
+ The value should be a known timestamp such as the last modification
+ time of the source or package and it should be set by the build
+diff --git a/gcc/gcc.c b/gcc/gcc.c
+index d956c36b151..2709f295734 100644
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -3328,6 +3328,29 @@ save_switch (const char *opt, size_t n_args, const char *const *args,
+   n_switches++;
+ }
+ 
++/* Set the SOURCE_DATE_EPOCH environment variable to the current time if it is
++   not set already.  */
++
++static void
++set_source_date_epoch_envvar ()
++{
++  /* Array size is 21 = ceil(log_10(2^64)) + 1 to hold string representations
++     of 64 bit integers.  */
++  char source_date_epoch[21];
++  time_t tt;
++
++  errno = 0;
++  tt = time (NULL);
++  if (tt < (time_t) 0 || errno != 0)
++    tt = (time_t) 0;
++
++  snprintf (source_date_epoch, 21, "%llu", (unsigned long long) tt);
++  /* Using setenv instead of xputenv because we want the variable to remain
++     after finalizing so that it's still set in the second run when using
++     -fcompare-debug.  */
++  setenv ("SOURCE_DATE_EPOCH", source_date_epoch, 0);
++}
++
+ /* Handle an option DECODED that is unknown to the option-processing
+    machinery.  */
+ 
+@@ -3628,6 +3651,7 @@ driver_handle_option (struct gcc_options *opts,
+       else
+ 	compare_debug_opt = arg;
+       save_switch (compare_debug_replacement_opt, 0, NULL, validated, true);
++      set_source_date_epoch_envvar ();
+       return true;
+ 
+     case OPT_fdiagnostics_color_:
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+new file mode 100644
+index 00000000000..f6aa1a360ff
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+@@ -0,0 +1,11 @@
++/* { dg-do run } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "630333296" } */
++
++int
++main(void)
++{
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++  return 0;
++}
++
++/* { dg-output "^Dec 22 1989 12:34:56\n$" } */
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+new file mode 100644
+index 00000000000..ae18362ae87
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+@@ -0,0 +1,12 @@
++/* { dg-do compile } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "AAA" } */
++
++/* Make sure that SOURCE_DATE_EPOCH is only parsed once */
++
++int
++main(void)
++{
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__); /* { dg-error "SOURCE_DATE_EPOCH must expand" } */
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++  return 0;
++}
+diff --git a/gcc/testsuite/lib/gcc-dg.exp b/gcc/testsuite/lib/gcc-dg.exp
+index 4fa433d9954..7656b2254a1 100644
+--- a/gcc/testsuite/lib/gcc-dg.exp
++++ b/gcc/testsuite/lib/gcc-dg.exp
+@@ -324,6 +324,38 @@ proc restore-target-env-var { } {
+     }
+ }
+ 
++proc dg-set-compiler-env-var { args } {
++    global set_compiler_env_var
++    global saved_compiler_env_var
++    if { [llength $args] != 3 } {
++	error "dg-set-compiler-env-var: need two arguments"
++	return
++    }
++    set var [lindex $args 1]
++    set value [lindex $args 2]
++    if [info exists ::env($var)] {
++      lappend saved_compiler_env_var [list $var 1 $::env($var)]
++    } else {
++      lappend saved_compiler_env_var [list $var 0]
++    }
++    setenv $var $value
++    lappend set_compiler_env_var [list $var $value]
++}
++
++proc restore-compiler-env-var { } {
++    global saved_compiler_env_var
++    for { set env_vari [llength $saved_compiler_env_var] } {
++          [incr env_vari -1] >= 0 } {} {
++	set env_var [lindex $saved_compiler_env_var $env_vari]
++	set var [lindex $env_var 0]
++	if [lindex $env_var 1] {
++	    setenv $var [lindex $env_var 2]
++	} else {
++	    unsetenv $var
++	}
++    }
++}
++
+ # Utility routines.
+ 
+ #
+@@ -785,6 +817,11 @@ if { [info procs saved-dg-test] == [list] } {
+ 	if [info exists set_target_env_var] {
+ 	    unset set_target_env_var
+ 	}
++	if [info exists set_compiler_env_var] {
++	    restore-compiler-env-var
++	    unset set_compiler_env_var
++	    unset saved_compiler_env_var
++	}
+ 	unset_timeout_vars
+ 	if [info exists compiler_conditional_xfail_data] {
+ 	    unset compiler_conditional_xfail_data
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 7a5481219be..867aeebc39f 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -585,6 +585,9 @@ struct cpp_callbacks
+ 
+   /* Callback that can change a user builtin into normal macro.  */
+   bool (*user_builtin_macro) (cpp_reader *, cpp_hashnode *);
++
++  /* Callback to parse SOURCE_DATE_EPOCH from environment.  */
++  time_t (*get_source_date_epoch) (cpp_reader *);
+ };
+ 
+ #ifdef VMS
+@@ -775,9 +778,6 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__.  */
+ extern void cpp_init_builtins (cpp_reader *, int);
+ 
+-/* Initialize the source_date_epoch value.  */
+-extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
+-
+ /* This is called after options have been parsed, and partially
+    processed.  */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index a8d00f4628b..61c9bbbf945 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -254,6 +254,9 @@ cpp_create_reader (enum c_lang lang, cpp_hash_table *table,
+   /* Do not force token locations by default.  */
+   pfile->forced_token_location_p = NULL;
+ 
++  /* Initialize source_date_epoch to -2 (not yet set).  */
++  pfile->source_date_epoch = (time_t) -2;
++
+   /* The expression parser stack.  */
+   _cpp_expand_op_stack (pfile);
+ 
+@@ -530,13 +533,6 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+     _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+ 
+-/* Initialize the source_date_epoch value.  */
+-void
+-cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
+-{
+-  pfile->source_date_epoch = source_date_epoch; 
+-}
+-
+ /* Sanity-checks are dependent on command-line options, so it is
+    called as a subroutine of cpp_read_main_file ().  */
+ #if ENABLE_CHECKING
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index 8507eba1747..226ae328e76 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -503,7 +503,8 @@ struct cpp_reader
+   const unsigned char *time;
+ 
+   /* Externally set timestamp to replace current date and time useful for
+-     reproducibility.  */
++     reproducibility.  It should be initialized to -2 (not yet set) and
++     set to -1 to disable it or to a non-negative value to enable it.  */
+   time_t source_date_epoch;
+ 
+   /* EOF token, and a token forcing paste avoidance.  */
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index 3f3b278e97d..756c7c6e0c6 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -351,9 +351,13 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node)
+ 	  struct tm *tb = NULL;
+ 
+ 	  /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
+-	     usage if SOURCE_DATE_EPOCH is defined.  */
+-	  if (pfile->source_date_epoch != (time_t) -1)
+-	     tb = gmtime (&pfile->source_date_epoch);
++	     if SOURCE_DATE_EPOCH is defined.  */
++	  if (pfile->source_date_epoch == (time_t) -2
++	      && pfile->cb.get_source_date_epoch != NULL)
++	    pfile->source_date_epoch = pfile->cb.get_source_date_epoch (pfile);
++
++	  if (pfile->source_date_epoch >= (time_t) 0)
++	    tb = gmtime (&pfile->source_date_epoch);
+ 	  else
+ 	    {
+ 	      /* (time_t) -1 is a legitimate value for "number of seconds
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/gcc-libiberty-printf-decl.patch b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
new file mode 100644
index 0000000000..a612c9e00e
--- /dev/null
+++ b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
@@ -0,0 +1,28 @@
+This patch makes the exeception specifier of libiberty's 'asprintf'
+and 'vasprintf' declarations match those of glibc to work around the
+problem described at <https://gcc.gnu.org/ml/gcc-help/2016-04/msg00039.html>.
+
+The problem in part stems from the fact that libiberty is configured
+without _GNU_SOURCE (thus, it sets HAVE_DECL_ASPRINTF to 0), whereas libcc1
+is configured and built with _GNU_SOURCE, hence the conflicting declarations.
+
+--- gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:46.262709079 +0200
++++ gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:37.110635439 +0200
+@@ -625,7 +625,7 @@ extern int pwait (int, int *, int);
+ /* Like sprintf but provides a pointer to malloc'd storage, which must
+    be freed by the caller.  */
+ 
+-extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2;
++extern int asprintf (char **, const char *, ...) __THROWNL ATTRIBUTE_PRINTF_2;
+ #endif
+ 
+ /* Like asprintf but allocates memory without fail. This works like
+@@ -637,7 +637,7 @@ extern char *xasprintf (const char *, ..
+ /* Like vsprintf but provides a pointer to malloc'd storage, which
+    must be freed by the caller.  */
+ 
+-extern int vasprintf (char **, const char *, va_list) ATTRIBUTE_PRINTF(2,0);
++extern int vasprintf (char **, const char *, va_list) __THROWNL ATTRIBUTE_PRINTF(2,0);
+ #endif
+ 
+ /* Like vasprintf but allocates memory without fail. This works like
diff --git a/gnu/packages/patches/gd-CVE-2016-7568.patch b/gnu/packages/patches/gd-CVE-2016-7568.patch
deleted file mode 100644
index 6a1a63296c..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-7568.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fix CVE-2016-7568 (integer overflow in gdImageWebpCtx()):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568
-
-Patch copied from upstream source repository:
-
-https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f
-
-From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
-From: trylab <trylab@users.noreply.github.com>
-Date: Tue, 6 Sep 2016 18:35:32 +0800
-Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
-
-Integer overflow can be happened in expression gdImageSX(im) * 4 *
-gdImageSY(im). It could lead to heap buffer overflow in the following
-code. This issue has been reported to the PHP Bug Tracking System. The
-proof-of-concept file will be supplied some days later. This issue was
-discovered by Ke Liu of Tencent's Xuanwu LAB.
----
- src/gd_webp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/gd_webp.c b/src/gd_webp.c
-index 8eb4dee..9886399 100644
---- a/src/gd_webp.c
-+++ b/src/gd_webp.c
-@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
- 		quality = 80;
- 	}
- 
-+	if (overflow2(gdImageSX(im), 4)) {
-+		return;
-+	}
-+
-+	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
-+		return;
-+	}
-+
- 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
- 	if (!argb) {
- 		return;
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/gd-CVE-2016-8670.patch b/gnu/packages/patches/gd-CVE-2016-8670.patch
deleted file mode 100644
index 39ee99ac31..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-8670.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fix CVE-2016-8670 (buffer overflow in dynamicGetbuf()):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
-http://seclists.org/oss-sec/2016/q4/138
-
-Patch copied from upstream source repository:
-
-https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9
-
-From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 12 Oct 2016 11:15:32 +0200
-Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
-
-We make sure to never pass a negative `rlen` as size to memcpy(). See
-also <https://bugs.php.net/bug.php?id=73280>.
-
-Patch provided by Emmanuel Law.
----
- src/gd_io_dp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
-index 135eda3..228bfa5 100644
---- a/src/gd_io_dp.c
-+++ b/src/gd_io_dp.c
-@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
- 	if(remain >= len) {
- 		rlen = len;
- 	} else {
--		if(remain == 0) {
-+		if(remain <= 0) {
- 			/* 2.0.34: EOF is incorrect. We use 0 for
- 			 * errors and EOF, just like fileGetbuf,
- 			 * which is a simple fread() wrapper.
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch b/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
deleted file mode 100644
index e395c66d89..0000000000
--- a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-This fixes PHP bug #73155: https://bugs.php.net/bug.php?id=73155
-
-Patch adapted from upstream source repository:
-
-https://github.com/libgd/libgd/commit/8067a8ac336dfe0acbe96ec2eb24572209a7f279
-
-(.gitignore change removed)
-
-From 8067a8ac336dfe0acbe96ec2eb24572209a7f279 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Fri, 23 Sep 2016 18:29:52 +0200
-Subject: [PATCH] Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
-
-(cherry picked from commit bb1998a16e30d542ab22eba5501911a9aa066edb)
----
- src/gd_gd2.c             |  4 ++--
- tests/gd2/CMakeLists.txt |  1 +
- tests/gd2/Makemodule.am  |  1 +
- tests/gd2/bug00309.c     | 37 +++++++++++++++++++++++++++++++++++++
- 4 files changed, 41 insertions(+), 2 deletions(-)
- create mode 100644 tests/gd2/bug00309.c
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 75e5e1f..b9b2f93 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -938,8 +938,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
- 	};
- 
- 	/* Work out number of chunks. */
--	ncx = im->sx / cs + 1;
--	ncy = im->sy / cs + 1;
-+	ncx = (im->sx + cs - 1) / cs;
-+	ncy = (im->sy + cs - 1) / cs;
- 
- 	/* Write the standard header. */
- 	_gd2PutHeader (im, out, cs, fmt, ncx, ncy);
-diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
-index 3b650ad..247b466 100644
---- a/tests/gd2/CMakeLists.txt
-+++ b/tests/gd2/CMakeLists.txt
-@@ -1,5 +1,6 @@
- SET(TESTS_FILES
- 	bug_289
-+	bug00309
- 	gd2_empty_file
- 	gd2_im2im
- 	gd2_null
-diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
-index b8ee946..d69aee0 100644
---- a/tests/gd2/Makemodule.am
-+++ b/tests/gd2/Makemodule.am
-@@ -1,5 +1,6 @@
- libgd_test_programs += \
- 	gd2/bug_289 \
-+	gd2/bug00309 \
- 	gd2/gd2_empty_file \
- 	gd2/php_bug_72339 \
- 	gd2/gd2_read_corrupt
-diff --git a/tests/gd2/bug00309.c b/tests/gd2/bug00309.c
-new file mode 100644
-index 0000000..b649cdc
---- /dev/null
-+++ b/tests/gd2/bug00309.c
-@@ -0,0 +1,37 @@
-+/**
-+ * Regression test for <https://github.com/libgd/libgd/issues/309>.
-+ *
-+ * We test that an image with 64x64 pixels reports only a single chunk in the
-+ * GD2 image header when the chunk size is 64.
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    unsigned char *buf;
-+    int size, word;
-+
-+    im = gdImageCreate(64, 64);
-+    gdImageColorAllocate(im, 0, 0, 0);
-+
-+    buf = gdImageGd2Ptr(im, 64, 1, &size);
-+
-+    gdImageDestroy(im);
-+
-+    word = buf[10] << 8 | buf[11];
-+    gdTestAssertMsg(word == 64, "chunk size is %d, but expected 64\n", word);
-+    word = buf[14] << 8 | buf[15];
-+    gdTestAssertMsg(word == 1, "x chunk count is %d, but expected 1\n", word);
-+    word = buf[16] << 8 | buf[17];
-+    gdTestAssertMsg(word == 1, "y chunk count is %d, but expected 1\n", word);
-+    gdTestAssertMsg(size == 5145, "file size is %d, but expected 5145\n", size);
-+
-+    gdFree(buf);
-+
-+    return gdNumFailures();
-+}
diff --git a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch b/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
deleted file mode 100644
index be3eff9327..0000000000
--- a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-This fixes PHP bug #73159: https://bugs.php.net/bug.php?id=73159
-
-Patch lifted from upstream source repository:
-
-https://github.com/libgd/libgd/commit/e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5
-
-From e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Mon, 15 Aug 2016 17:49:40 +0200
-Subject: [PATCH] Fix #289: Passing unrecognized formats to gdImageGd2 results
- in corrupted files
-
-We must not apply the format correction twice for truecolor images.
-
-(cherry picked from commit 09090c125658e23a4ae2a2e002646bb7278bd89e)
----
- src/gd_gd2.c             |  2 +-
- tests/gd2/CMakeLists.txt |  1 +
- tests/gd2/Makemodule.am  |  1 +
- tests/gd2/bug_289.c      | 33 +++++++++++++++++++++++++++++++++
- 4 files changed, 36 insertions(+), 1 deletion(-)
- create mode 100644 tests/gd2/bug_289.c
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 86c881e..75e5e1f 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -918,7 +918,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
- 	/* Force fmt to a valid value since we don't return anything. */
- 	/* */
- 	if ((fmt != GD2_FMT_RAW) && (fmt != GD2_FMT_COMPRESSED)) {
--		fmt = im->trueColor ? GD2_FMT_TRUECOLOR_COMPRESSED : GD2_FMT_COMPRESSED;
-+		fmt = GD2_FMT_COMPRESSED;
- 	};
- 	if (im->trueColor) {
- 		fmt += 2;
-diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
-index 8aecacc..3b650ad 100644
---- a/tests/gd2/CMakeLists.txt
-+++ b/tests/gd2/CMakeLists.txt
-@@ -1,4 +1,5 @@
- SET(TESTS_FILES
-+	bug_289
- 	gd2_empty_file
- 	gd2_im2im
- 	gd2_null
-diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
-index 754a284..b8ee946 100644
---- a/tests/gd2/Makemodule.am
-+++ b/tests/gd2/Makemodule.am
-@@ -1,4 +1,5 @@
- libgd_test_programs += \
-+	gd2/bug_289 \
- 	gd2/gd2_empty_file \
- 	gd2/php_bug_72339 \
- 	gd2/gd2_read_corrupt
-diff --git a/tests/gd2/bug_289.c b/tests/gd2/bug_289.c
-new file mode 100644
-index 0000000..ad311e9
---- /dev/null
-+++ b/tests/gd2/bug_289.c
-@@ -0,0 +1,33 @@
-+/**
-+ * Passing an unrecognized format to gdImageGd2() should result in
-+ * GD2_FMT_TRUECOLOR_COMPRESSED for truecolor images.
-+ *
-+ * See <https://github.com/libgd/libgd/issues/289>.
-+ */
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+#define GD2_FMT_UNRECOGNIZED 0
-+#define GD2_FMT_TRUECOLOR_COMPRESSED 4
-+
-+#define MSG "expected %s byte to be %d, but got %d\n"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    char *buffer;
-+    int size;
-+
-+    im = gdImageCreateTrueColor(10, 10);
-+    gdTestAssert(im != NULL);
-+    buffer = (char *) gdImageGd2Ptr(im, 128, GD2_FMT_UNRECOGNIZED, &size);
-+    gdTestAssert(buffer != NULL);
-+    gdImageDestroy(im);
-+    gdTestAssertMsg(buffer[12] == 0, MSG, "1st", 0, buffer[12]);
-+    gdTestAssertMsg(buffer[13] == GD2_FMT_TRUECOLOR_COMPRESSED, MSG, "2nd", GD2_FMT_TRUECOLOR_COMPRESSED, buffer[13]);
-+
-+    return gdNumFailures();
-+}
diff --git a/gnu/packages/patches/gd-freetype-test-failure.patch b/gnu/packages/patches/gd-freetype-test-failure.patch
new file mode 100644
index 0000000000..49c16ca089
--- /dev/null
+++ b/gnu/packages/patches/gd-freetype-test-failure.patch
@@ -0,0 +1,59 @@
+Fix a test failure with freetype 2.7:
+
+https://github.com/libgd/libgd/commit/a5570d3ed30ff76c2a8bdd54f4ab1825acca0143
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/a5570d3ed30ff76c2a8bdd54f4ab1825acca0143
+
+From a5570d3ed30ff76c2a8bdd54f4ab1825acca0143 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sun, 29 Jan 2017 17:07:50 +0100
+Subject: [PATCH] Fix #302: Test suite fails with freetype 2.7
+
+Actually, the test failures are not necessarily related to freetype
+2.7, but rather are caused by subpixel hinting which is enabled by
+default in freetype 2.7. Subpixel hinting is, however, already
+available in freetype 2.5 and in versions having the "Infinality"
+patch.
+
+To get the expected results in all environments, we have to disable
+subpixel hinting, what is easily done by setting a respective
+environment variable.
+
+See also:
+* https://www.freetype.org/freetype2/docs/subpixel-hinting.html
+* https://www.freetype.org/freetype2/docs/reference/ft2-tt_driver.html
+---
+ tests/freetype/bug00132.c                    | 3 +++
+ tests/gdimagestringft/gdimagestringft_bbox.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/tests/freetype/bug00132.c b/tests/freetype/bug00132.c
+index 713dd2d..42ed5b1 100644
+--- a/tests/freetype/bug00132.c
++++ b/tests/freetype/bug00132.c
+@@ -11,6 +11,9 @@ int main()
+ 	char *path;
+ 	char *ret = NULL;
+ 
++	/* disable subpixel hinting */
++	putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
++
+ 	im = gdImageCreateTrueColor(50, 30);
+ 
+ 	if (!im) {
+diff --git a/tests/gdimagestringft/gdimagestringft_bbox.c b/tests/gdimagestringft/gdimagestringft_bbox.c
+index 0161ec8..1596a9e 100644
+--- a/tests/gdimagestringft/gdimagestringft_bbox.c
++++ b/tests/gdimagestringft/gdimagestringft_bbox.c
+@@ -38,6 +38,9 @@ int main()
+ 	int error = 0;
+ 	FILE *fp;
+ 
++	/* disable subpixel hinting */
++	putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
++
+ 	path = gdTestFilePath("freetype/DejaVuSans.ttf");
+ 	im = gdImageCreate(800, 800);
+ 	gdImageColorAllocate(im, 0xFF, 0xFF, 0xFF); /* allocate white for background color */
diff --git a/gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch b/gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch
new file mode 100644
index 0000000000..a926c1455c
--- /dev/null
+++ b/gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch
@@ -0,0 +1,121 @@
+This bug was first reported to php on https://bugs.php.net/bug.php?id=73968.
+php then reported it to gd in https://github.com/libgd/libgd/issues/109.
+
+Patch adapted from upstream source repository:
+
+https://github.com/libgd/libgd/commit/082c5444838ea0d84f9fb6441aefdb44d78d9bba
+
+Binary diffs have been removed from the patch because our patch
+procedure doesn't support them.
+
+From 082c5444838ea0d84f9fb6441aefdb44d78d9bba Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 20 Jan 2017 22:48:20 +0100
+Subject: [PATCH] Fix #109: XBM reading fails with printed error
+
+When calculating the number of required bytes of an XBM image, we have
+to take the line padding into account.
+---
+ src/gd_xbm.c                     |   2 +-
+ tests/xbm/CMakeLists.txt         |   1 +
+ tests/xbm/Makemodule.am          |   5 ++++-
+ tests/xbm/github_bug_109.c       |  35 +++++++++++++++++++++++++++++++++++
+ tests/xbm/github_bug_109.xbm     |   5 +++++
+ 5 files changed, 47 insertions(+), 2 deletions(-)
+ create mode 100644 tests/xbm/github_bug_109.c
+ create mode 100644 tests/xbm/github_bug_109.xbm
+ create mode 100644 tests/xbm/github_bug_109_exp.png
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 5f09b56..c2ba2ad 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -108,7 +108,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ 				max_bit = 32768;
+ 			}
+ 			if (max_bit) {
+-				bytes = (width * height / 8) + 1;
++                bytes = (width + 7) / 8 * height;
+ 				if (!bytes) {
+ 					return 0;
+ 				}
+diff --git a/tests/xbm/CMakeLists.txt b/tests/xbm/CMakeLists.txt
+index 183cf5e..08576e0 100644
+--- a/tests/xbm/CMakeLists.txt
++++ b/tests/xbm/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ LIST(APPEND TESTS_FILES
++	github_bug_109
+ 	github_bug_170
+ )
+ 
+diff --git a/tests/xbm/Makemodule.am b/tests/xbm/Makemodule.am
+index ba1eabd..0f5beb6 100644
+--- a/tests/xbm/Makemodule.am
++++ b/tests/xbm/Makemodule.am
+@@ -1,5 +1,8 @@
+ libgd_test_programs += \
++	xbm/github_bug_109 \
+ 	xbm/github_bug_170
+ 
+ EXTRA_DIST += \
+-	xbm/CMakeLists.txt
++	xbm/CMakeLists.txt \
++	xbm/github_bug_109.xbm \
++	xbm/github_bug_109_exp.png
+diff --git a/tests/xbm/github_bug_109.c b/tests/xbm/github_bug_109.c
+new file mode 100644
+index 0000000..1a020c6
+--- /dev/null
++++ b/tests/xbm/github_bug_109.c
+@@ -0,0 +1,35 @@
++/**
++ * Test reading of XBM images with a width that is not a multiple of 8
++ *
++ * We're reading such an XBM image, and check that we got what we've expected,
++ * instead of an error message.
++ *
++ * See also <https://github.com/libgd/libgd/issues/109>.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr im;
++    FILE *fp;
++    char *path;
++
++    fp = gdTestFileOpen2("xbm", "github_bug_109.xbm");
++    im = gdImageCreateFromXbm(fp);
++    fclose(fp);
++    gdTestAssert(im != NULL);
++    gdTestAssert(gdImageGetTrueColorPixel(im, 0, 0) == 0);
++    gdTestAssert(gdImageGetTrueColorPixel(im, 0, 1) == 0xffffff);
++
++    path = gdTestFilePath2("xbm", "github_bug_109_exp.png");
++    gdAssertImageEqualsToFile(path, im);
++    gdFree(path);
++
++    gdImageDestroy(im);
++
++    return gdNumFailures();
++}
+diff --git a/tests/xbm/github_bug_109.xbm b/tests/xbm/github_bug_109.xbm
+new file mode 100644
+index 0000000..f427d86
+--- /dev/null
++++ b/tests/xbm/github_bug_109.xbm
+@@ -0,0 +1,5 @@
++#define test_width 10
++#define test_height 10
++static unsigned char test_bits[] = {
++  0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 
++  0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00};
+
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/gdk-pixbuf-list-dir.patch b/gnu/packages/patches/gdk-pixbuf-list-dir.patch
new file mode 100644
index 0000000000..137914a19c
--- /dev/null
+++ b/gnu/packages/patches/gdk-pixbuf-list-dir.patch
@@ -0,0 +1,35 @@
+Sort directory entries so that the output of
+‘gdk-pixbuf-query-loaders’ is deterministic.
+
+See: https://bugzilla.gnome.org/show_bug.cgi?id=777332
+--- gdk-pixbuf-2.34.0/gdk-pixbuf/queryloaders.c.orig	2017-01-11 00:17:32.865843062 +0100
++++ gdk-pixbuf-2.34.0/gdk-pixbuf/queryloaders.c	2017-01-16 16:12:03.420667874 +0100
+@@ -354,16 +354,27 @@
+ 
+                 dir = g_dir_open (path, 0, NULL);
+                 if (dir) {
++                        GList *entries = NULL;
+                         const char *dent;
+ 
+                         while ((dent = g_dir_read_name (dir))) {
+                                 gint len = strlen (dent);
+                                 if (len > SOEXT_LEN &&
+                                     strcmp (dent + len - SOEXT_LEN, SOEXT) == 0) {
+-                                        query_module (contents, path, dent);
++                                        entries = g_list_append (entries, g_strdup (dent));
+                                 }
+                         }
+                         g_dir_close (dir);
++                        /* Sort directory entries so that the output of
++                           ‘gdk-pixbuf-query-loaders’ is deterministic. */
++                        entries = g_list_sort (entries, (GCompareFunc) strcmp);
++                        GList *xentries;
++                        for (xentries = entries; xentries; xentries = g_list_next (xentries)) {
++                                dent = xentries->data;
++                                query_module (contents, path, dent);
++                                g_free (xentries->data);
++                        }
++                        g_list_free (entries);
+                 }
+ #else
+                 g_string_append_printf (contents, "# dynamic loading of modules not supported\n");
diff --git a/gnu/packages/patches/glibc-bootstrap-system.patch b/gnu/packages/patches/glibc-bootstrap-system.patch
index 7208cce3f4..2f8e7da7e1 100644
--- a/gnu/packages/patches/glibc-bootstrap-system.patch
+++ b/gnu/packages/patches/glibc-bootstrap-system.patch
@@ -26,3 +26,5 @@ instead uses the hard-coded absolute file name of `bash'.
        _IO__exit (127);
      }
    _IO_close (child_end);
+
+
diff --git a/gnu/packages/patches/graphite2-ffloat-store.patch b/gnu/packages/patches/graphite2-ffloat-store.patch
new file mode 100644
index 0000000000..f6ee56973e
--- /dev/null
+++ b/gnu/packages/patches/graphite2-ffloat-store.patch
@@ -0,0 +1,34 @@
+Fix test failures of awamicmp1 and awamicmp2.
+
+Debian bug report:
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855814
+
+Patch adapted from upstream source repository:
+
+https://github.com/silnrsi/graphite/commit/f7bbdd87d510d587c872e314d6458160c0069c65
+
+From f7bbdd87d510d587c872e314d6458160c0069c65 Mon Sep 17 00:00:00 2001
+From: Martin Hosken <martin_hosken@sil.org>
+Date: Tue, 14 Feb 2017 17:00:03 +0000
+Subject: [PATCH] try -ffloat-store for fp stability. Remove nested const to
+ work around VS bug
+
+---
+ src/CMakeLists.txt    | 2 +-
+ src/inc/locale2lcid.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
+index 4f1e7e5..5b61b5c 100644
+--- a/src/CMakeLists.txt
++++ b/src/CMakeLists.txt
+@@ -108,7 +108,7 @@ set_target_properties(graphite2 PROPERTIES  PUBLIC_HEADER "${GRAPHITE_HEADERS}"
+ 
+ if  (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
+     set_target_properties(graphite2 PROPERTIES 
+-        COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wendif-labels -Wshadow -Wctor-dtor-privacy -Wnon-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -fno-stack-protector"
++        COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wendif-labels -Wshadow -Wctor-dtor-privacy -Wnon-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -fno-stack-protector -ffloat-store"
+         LINK_FLAGS      "-nodefaultlibs ${GRAPHITE_LINK_FLAGS}" 
+         LINKER_LANGUAGE C)
+     if (CMAKE_COMPILER_IS_GNUCXX)
diff --git a/gnu/packages/patches/guile-repl-server-test.patch b/gnu/packages/patches/guile-repl-server-test.patch
deleted file mode 100644
index 81e724ecc4..0000000000
--- a/gnu/packages/patches/guile-repl-server-test.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-commit 8d6209ea56241bb1890c142539927c9ef3fb5a13
-Author: Ludovic Courtès <ludo@gnu.org>
-Date:   Fri Nov 4 22:44:32 2016 +0100
-
-    tests: Throw 'unresolved when the REPL server is too slow.
-
-commit 2fbde7f02adb8c6585e9baf6e293ee49cd23d4c4
-Author: Ludovic Courtès <ludo@gnu.org>
-Date:   Fri Nov 4 22:45:51 2016 +0100
-
-    tests: Avoid race condition in REPL server test.
-
-index ca389ba..4b5ec0c 100644
---- a/test-suite/tests/00-repl-server.test
-+++ b/test-suite/tests/00-repl-server.test
-@@ -61,10 +61,11 @@ socket connected to that server."
-                (lambda ()
-                  (connect client-socket sockaddr))
-                (lambda args
--                 (when (and (memv (system-error-errno args)
--                                  (list ENOENT ECONNREFUSED))
--                            (< tries 3))
--                   (sleep 1)
-+                 (when (memv (system-error-errno args)
-+                             (list ENOENT ECONNREFUSED))
-+                   (when (> tries 30)
-+                     (throw 'unresolved))
-+                   (usleep 100)
-                    (loop (+ tries 1))))))
- 
-            (proc client-socket))
-@@ -104,8 +105,14 @@ reached."
-       "scheme@(repl-server)> $1 = 42\n"
-     (with-repl-server socket
-       (read-until-prompt socket %last-line-before-prompt)
--      (display "(+ 40 2)\n(quit)\n" socket)
--      (read-string socket)))
-+
-+      ;; Wait until 'repl-reader' in boot-9 has written the prompt.
-+      ;; Otherwise, if we write too quickly, 'repl-reader' checks for
-+      ;; 'char-ready?' and doesn't print the prompt.
-+      (match (select (list socket) '() (list socket) 3)
-+        (((_) () ())
-+         (display "(+ 40 2)\n(quit)\n" socket)
-+         (read-string socket)))))
- 
-   (pass-if "HTTP inter-protocol attack"           ;CVE-2016-8606
-     (with-repl-server socket
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-CVE-2016-10165.patch
index d9f7ac6a36..fa4d75c9ee 100644
--- a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
+++ b/gnu/packages/patches/lcms-CVE-2016-10165.patch
@@ -1,7 +1,9 @@
-Fix an out-of-bounds heap read in Type_MLU_Read():
+Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read():
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
 http://seclists.org/oss-sec/2016/q3/288
 https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+https://security-tracker.debian.org/tracker/CVE-2016-10165
 
 Patch copied from upstream source repository:
 
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
deleted file mode 100644
index bef628f0a8..0000000000
--- a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix buffer overflow reading 7Zip files:
-
-https://github.com/libarchive/libarchive/issues/761
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
-
-From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 18 Sep 2016 18:14:58 -0700
-Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
-
-The sample file that demonstrated this had multiple 'EmptyStream'
-attributes.  The first one ended up being used to calculate
-certain statistics, then was overwritten by the second which
-was incompatible with those statistics.
-
-The fix here is to reject any header with multiple EmptyStream
-attributes.  While here, also reject headers with multiple
-EmptyFile, AntiFile, Name, or Attributes markers.
----
- libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
-index 1dfe52b..c0a536c 100644
---- a/libarchive/archive_read_support_format_7zip.c
-+++ b/libarchive/archive_read_support_format_7zip.c
-@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 
- 		switch (type) {
- 		case kEmptyStream:
-+			if (h->emptyStreamBools != NULL)
-+				return (-1);
- 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->emptyStreamBools));
- 			if (h->emptyStreamBools == NULL)
-@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->emptyFileBools != NULL)
-+				return (-1);
- 			h->emptyFileBools = calloc(empty_streams,
- 			    sizeof(*h->emptyFileBools));
- 			if (h->emptyFileBools == NULL)
-@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->antiBools != NULL)
-+				return (-1);
- 			h->antiBools = calloc(empty_streams,
- 			    sizeof(*h->antiBools));
- 			if (h->antiBools == NULL)
-@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((ll & 1) || ll < zip->numFiles * 4)
- 				return (-1);
- 
-+			if (zip->entry_names != NULL)
-+				return (-1);
- 			zip->entry_names = malloc(ll);
- 			if (zip->entry_names == NULL)
- 				return (-1);
-@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((p = header_bytes(a, 2)) == NULL)
- 				return (-1);
- 			allAreDefined = *p;
-+			if (h->attrBools != NULL)
-+				return (-1);
- 			h->attrBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->attrBools));
- 			if (h->attrBools == NULL)
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
deleted file mode 100644
index bce63d5e4e..0000000000
--- a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
+++ /dev/null
@@ -1,445 +0,0 @@
-This patch fixes two bugs that allow attackers to overwrite or change
-the permissions of arbitrary files:
-
-https://github.com/libarchive/libarchive/issues/745
-https://github.com/libarchive/libarchive/issues/746
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
-
-From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 11 Sep 2016 13:21:57 -0700
-Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
-
----
- libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
- 1 file changed, 227 insertions(+), 67 deletions(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 8f0421e..abe1a86 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -326,12 +326,14 @@ struct archive_write_disk {
- 
- #define HFS_BLOCKS(s)	((s) >> 12)
- 
-+static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	check_symlinks(struct archive_write_disk *);
- static int	create_filesystem_object(struct archive_write_disk *);
- static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
- #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
- static void	edit_deep_directories(struct archive_write_disk *ad);
- #endif
-+static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	cleanup_pathname(struct archive_write_disk *);
- static int	create_dir(struct archive_write_disk *, char *);
- static int	create_parent_dir(struct archive_write_disk *, char *);
-@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
- 	const char *linkname;
- 	mode_t final_mode, mode;
- 	int r;
-+	/* these for check_symlinks_fsobj */
-+	char *linkname_copy;	/* non-const copy of linkname */
-+	struct archive_string error_string;
-+	int error_number;
- 
- 	/* We identify hard/symlinks according to the link names. */
- 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
-@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
- #if !HAVE_LINK
- 		return (EPERM);
- #else
-+		archive_string_init(&error_string);
-+		linkname_copy = strdup(linkname);
-+		if (linkname_copy == NULL) {
-+		    return (EPERM);
-+		}
-+		/* TODO: consider using the cleaned-up path as the link target? */
-+		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		free(linkname_copy);
- 		r = link(linkname, a->name) ? errno : 0;
- 		/*
- 		 * New cpio and pax formats allow hardlink entries
-@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
-  * recent paths.
-  */
- /* TODO: Extend this to support symlinks on Windows Vista and later. */
-+
-+/*
-+ * Checks the given path to see if any elements along it are symlinks.  Returns
-+ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
-+ */
- static int
--check_symlinks(struct archive_write_disk *a)
-+check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- #if !defined(HAVE_LSTAT)
- 	/* Platform doesn't have lstat, so we can't look for symlinks. */
- 	(void)a; /* UNUSED */
-+	(void)path; /* UNUSED */
-+	(void)error_number; /* UNUSED */
-+	(void)error_string; /* UNUSED */
-+	(void)flags; /* UNUSED */
- 	return (ARCHIVE_OK);
- #else
--	char *pn;
-+	int res = ARCHIVE_OK;
-+	char *tail;
-+	char *head;
-+	int last;
- 	char c;
- 	int r;
- 	struct stat st;
-+	int restore_pwd;
-+
-+	/* Nothing to do here if name is empty */
-+	if(path[0] == '\0')
-+	    return (ARCHIVE_OK);
- 
- 	/*
- 	 * Guard against symlink tricks.  Reject any archive entry whose
- 	 * destination would be altered by a symlink.
-+	 *
-+	 * Walk the filename in chunks separated by '/'.  For each segment:
-+	 *  - if it doesn't exist, continue
-+	 *  - if it's symlink, abort or remove it
-+	 *  - if it's a directory and it's not the last chunk, cd into it
-+	 * As we go:
-+	 *  head points to the current (relative) path
-+	 *  tail points to the temporary \0 terminating the segment we're currently examining
-+	 *  c holds what used to be in *tail
-+	 *  last is 1 if this is the last tail
- 	 */
--	/* Whatever we checked last time doesn't need to be re-checked. */
--	pn = a->name;
--	if (archive_strlen(&(a->path_safe)) > 0) {
--		char *p = a->path_safe.s;
--		while ((*pn != '\0') && (*p == *pn))
--			++p, ++pn;
--	}
-+	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
-+	__archive_ensure_cloexec_flag(restore_pwd);
-+	if (restore_pwd < 0)
-+		return (ARCHIVE_FATAL);
-+	head = path;
-+	tail = path;
-+	last = 0;
-+	/* TODO: reintroduce a safe cache here? */
- 	/* Skip the root directory if the path is absolute. */
--	if(pn == a->name && pn[0] == '/')
--		++pn;
--	c = pn[0];
--	/* Keep going until we've checked the entire name. */
--	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
-+	if(tail == path && tail[0] == '/')
-+		++tail;
-+	/* Keep going until we've checked the entire name.
-+	 * head, tail, path all alias the same string, which is
-+	 * temporarily zeroed at tail, so be careful restoring the
-+	 * stashed (c=tail[0]) for error messages.
-+	 * Exiting the loop with break is okay; continue is not.
-+	 */
-+	while (!last) {
-+		/* Skip the separator we just consumed, plus any adjacent ones */
-+		while (*tail == '/')
-+		    ++tail;
- 		/* Skip the next path element. */
--		while (*pn != '\0' && *pn != '/')
--			++pn;
--		c = pn[0];
--		pn[0] = '\0';
-+		while (*tail != '\0' && *tail != '/')
-+			++tail;
-+		/* is this the last path component? */
-+		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
-+		/* temporarily truncate the string here */
-+		c = tail[0];
-+		tail[0] = '\0';
- 		/* Check that we haven't hit a symlink. */
--		r = lstat(a->name, &st);
-+		r = lstat(head, &st);
- 		if (r != 0) {
-+			tail[0] = c;
- 			/* We've hit a dir that doesn't exist; stop now. */
- 			if (errno == ENOENT) {
- 				break;
- 			} else {
--				/* Note: This effectively disables deep directory
-+				/* Treat any other error as fatal - best to be paranoid here
-+				 * Note: This effectively disables deep directory
- 				 * support when security checks are enabled.
- 				 * Otherwise, very long pathnames that trigger
- 				 * an error here could evade the sandbox.
- 				 * TODO: We could do better, but it would probably
- 				 * require merging the symlink checks with the
- 				 * deep-directory editing. */
--				return (ARCHIVE_FAILED);
-+				if (error_number) *error_number = errno;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Could not stat %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
-+			}
-+		} else if (S_ISDIR(st.st_mode)) {
-+			if (!last) {
-+				if (chdir(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not chdir %s",
-+								path);
-+					res = (ARCHIVE_FATAL);
-+					break;
-+				}
-+				/* Our view is now from inside this dir: */
-+				head = tail + 1;
- 			}
- 		} else if (S_ISLNK(st.st_mode)) {
--			if (c == '\0') {
-+			if (last) {
- 				/*
- 				 * Last element is symlink; remove it
- 				 * so we can overwrite it with the
- 				 * item being extracted.
- 				 */
--				if (unlink(a->name)) {
--					archive_set_error(&a->archive, errno,
--					    "Could not remove symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head)) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not remove symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
- 				/*
- 				 * Even if we did remove it, a warning
- 				 * is in order.  The warning is silly,
- 				 * though, if we're just replacing one
- 				 * symlink with another symlink.
- 				 */
--				if (!S_ISLNK(a->mode)) {
--					archive_set_error(&a->archive, 0,
--					    "Removing symlink %s",
--					    a->name);
-+				tail[0] = c;
-+				/* FIXME:  not sure how important this is to restore
-+				if (!S_ISLNK(path)) {
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Removing symlink %s",
-+								path);
- 				}
-+				*/
- 				/* Symlink gone.  No more problem! */
--				pn[0] = c;
--				return (0);
--			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
-+				res = ARCHIVE_OK;
-+				break;
-+			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
- 				/* User asked us to remove problems. */
--				if (unlink(a->name) != 0) {
--					archive_set_error(&a->archive, 0,
--					    "Cannot remove intervening symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Cannot remove intervening symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
-+				tail[0] = c;
- 			} else {
--				archive_set_error(&a->archive, 0,
--				    "Cannot extract through symlink %s",
--				    a->name);
--				pn[0] = c;
--				return (ARCHIVE_FAILED);
-+				tail[0] = c;
-+				if (error_number) *error_number = 0;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Cannot extract through symlink %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
- 			}
- 		}
--		pn[0] = c;
--		if (pn[0] != '\0')
--			pn++; /* Advance to the next segment. */
-+		/* be sure to always maintain this */
-+		tail[0] = c;
-+		if (tail[0] != '\0')
-+			tail++; /* Advance to the next segment. */
- 	}
--	pn[0] = c;
--	/* We've checked and/or cleaned the whole path, so remember it. */
--	archive_strcpy(&a->path_safe, a->name);
--	return (ARCHIVE_OK);
-+	/* Catches loop exits via break */
-+	tail[0] = c;
-+#ifdef HAVE_FCHDIR
-+	/* If we changed directory above, restore it here. */
-+	if (restore_pwd >= 0) {
-+		r = fchdir(restore_pwd);
-+		if (r != 0) {
-+			if(error_number) *error_number = errno;
-+			if(error_string)
-+				archive_string_sprintf(error_string,
-+						"chdir() failure");
-+		}
-+		close(restore_pwd);
-+		restore_pwd = -1;
-+		if (r != 0) {
-+			res = (ARCHIVE_FATAL);
-+		}
-+	}
-+#endif
-+	/* TODO: reintroduce a safe cache here? */
-+	return res;
- #endif
- }
- 
-+/*
-+ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
-+ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
-+ */
-+static int
-+check_symlinks(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	a->pst = NULL;	/* to be safe */
-+	return rc;
-+}
-+
-+
- #if defined(__CYGWIN__)
- /*
-  * 1. Convert a path separator from '\' to '/' .
-@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
-  * is set) if the path is absolute.
-  */
- static int
--cleanup_pathname(struct archive_write_disk *a)
-+cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- 	char *dest, *src;
- 	char separator = '\0';
- 
--	dest = src = a->name;
-+	dest = src = path;
- 	if (*src == '\0') {
--		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--		    "Invalid empty pathname");
-+		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+		if (error_string)
-+		    archive_string_sprintf(error_string,
-+			    "Invalid empty pathname");
- 		return (ARCHIVE_FAILED);
- 	}
- 
-@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
- #endif
- 	/* Skip leading '/'. */
- 	if (*src == '/') {
--		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
--			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--			                  "Path is absolute");
-+		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
-+			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+			if (error_string)
-+			    archive_string_sprintf(error_string,
-+				    "Path is absolute");
- 			return (ARCHIVE_FAILED);
- 		}
- 
-@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
- 			} else if (src[1] == '.') {
- 				if (src[2] == '/' || src[2] == '\0') {
- 					/* Conditionally warn about '..' */
--					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
--						archive_set_error(&a->archive,
--						    ARCHIVE_ERRNO_MISC,
--						    "Path contains '..'");
-+					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
-+						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+						if (error_string)
-+						    archive_string_sprintf(error_string,
-+							    "Path contains '..'");
- 						return (ARCHIVE_FAILED);
- 					}
- 				}
-@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
- 	 * We've just copied zero or more path elements, not including the
- 	 * final '/'.
- 	 */
--	if (dest == a->name) {
-+	if (dest == path) {
- 		/*
- 		 * Nothing got copied.  The path must have been something
- 		 * like '.' or '/' or './' or '/././././/./'.
-@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
- 	return (ARCHIVE_OK);
- }
- 
-+static int
-+cleanup_pathname(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	return rc;
-+}
-+
- /*
-  * Create the parent directory of the specified path, assuming path
-  * is already in mutable storage.
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch
deleted file mode 100644
index f042c31a84..0000000000
--- a/gnu/packages/patches/libarchive-fix-symlink-check.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Make sure to check for symlinks even if the pathname is very long:
-
-https://github.com/libarchive/libarchive/issues/744
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
-
-From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 17:11:45 -0700
-Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
- long pathnames
-
-Because check_symlinks is handled separately from the deep-directory
-support, very long pathnames cause problems.  Previously, the code
-ignored most failures to lstat() a path component.  In particular,
-this led to check_symlinks always passing for very long paths, which
-in turn provides a way to evade the symlink checks in the sandboxing
-code.
-
-We now fail on unrecognized lstat() failures, which plugs this
-hole at the cost of disabling deep directory support when the
-user requests sandboxing.
-
-TODO:  This probably cannot be completely fixed without
-entirely reimplementing the deep directory support to
-integrate the symlink checks.  I want to reimplement the
-deep directory hanlding someday anyway; openat() and
-related system calls now provide a much cleaner way to
-handle deep directories than the chdir approach used by this
-code.
----
- libarchive/archive_write_disk_posix.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 39ee3b6..8f0421e 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
- 		r = lstat(a->name, &st);
- 		if (r != 0) {
- 			/* We've hit a dir that doesn't exist; stop now. */
--			if (errno == ENOENT)
-+			if (errno == ENOENT) {
- 				break;
-+			} else {
-+				/* Note: This effectively disables deep directory
-+				 * support when security checks are enabled.
-+				 * Otherwise, very long pathnames that trigger
-+				 * an error here could evade the sandbox.
-+				 * TODO: We could do better, but it would probably
-+				 * require merging the symlink checks with the
-+				 * deep-directory editing. */
-+				return (ARCHIVE_FAILED);
-+			}
- 		} else if (S_ISLNK(st.st_mode)) {
- 			if (c == '\0') {
- 				/*
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
deleted file mode 100644
index 0e70ac90ce..0000000000
--- a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fixes this buffer overflow:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-Patch copied from upstream source repository:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 10:51:43 -0700
-Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
-
-The safe_fprintf function attempts to ensure clean output for an
-arbitrary sequence of bytes by doing a trial conversion of the
-multibyte characters to wide characters -- if the resulting wide
-character is printable then we pass through the corresponding bytes
-unaltered, otherwise, we convert them to C-style ASCII escapes.
-
-The stack trace in Issue #767 suggest that the 20-byte buffer
-was getting overflowed trying to format a non-printable multibyte
-character.  This should only happen if there is a valid multibyte
-character of more than 5 bytes that was unprintable.  (Each byte
-would get expanded to a four-charcter octal-style escape of the form
-"\123" resulting in >20 characters for the >5 byte multibyte character.)
-
-I've not been able to reproduce this, but have expanded the conversion
-buffer to 128 bytes on the belief that no multibyte character set
-has a single character of more than 32 bytes.
----
- tar/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tar/util.c b/tar/util.c
-index 9ff22f2..2b4aebe 100644
---- a/tar/util.c
-+++ b/tar/util.c
-@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
- 		}
- 
- 		/* If our output buffer is full, dump it and keep going. */
--		if (i > (sizeof(outbuff) - 20)) {
-+		if (i > (sizeof(outbuff) - 128)) {
- 			outbuff[i] = '\0';
- 			fprintf(f, "%s", outbuff);
- 			i = 0;
diff --git a/gnu/packages/patches/libcmis-fix-test-onedrive.patch b/gnu/packages/patches/libcmis-fix-test-onedrive.patch
deleted file mode 100644
index adf2e0b8e5..0000000000
--- a/gnu/packages/patches/libcmis-fix-test-onedrive.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Patch from resolution of http://sourceforge.net/p/libcmis/tickets/13/
-
-From 814c7845d53688b35a747cf193c2ff99e40a8652 Mon Sep 17 00:00:00 2001
-From: Jonathan Wakely <jwakely@redhat.com>
-Date: Wed, 2 Sep 2015 16:35:45 +0100
-Subject: [PATCH 5/5] Remove invalid comments from test JSON file.
-
----
- qa/libcmis/data/onedrive/search-result.json | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/qa/libcmis/data/onedrive/search-result.json b/qa/libcmis/data/onedrive/search-result.json
-index 61d250a..2482429 100644
---- a/qa/libcmis/data/onedrive/search-result.json
-+++ b/qa/libcmis/data/onedrive/search-result.json
-@@ -8,7 +8,7 @@
-       },
-       "name":"OneDriveFile",
-       "description":"",
--      "parent_id":"folderA", // path: /A/Wrong File 
-+      "parent_id":"folderA",
-       "size":18047,
-       "upload_location":"https://apis.live.net/v5.0/wrongFileId/content/",
-       "comments_count":0,
-@@ -32,7 +32,7 @@
-       },
-       "name":"OneDriveFile",
-       "description":"",
--      "parent_id":"folderC", // path: /A/B/C/Right File
-+      "parent_id":"folderC",
-       "size":4,
-       "upload_location":"https://apis.live.net/v5.0/rightFileId/content/",
-       "comments_count":0,
--- 
-2.4.3
\ No newline at end of file
diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch
index 676024beb4..69c67e778d 100644
--- a/gnu/packages/patches/libdrm-symbol-check.patch
+++ b/gnu/packages/patches/libdrm-symbol-check.patch
@@ -1,5 +1,5 @@
 Augment the list of expected symbols to fix the symbol-check tests on
-mips64el-linux and armhf-linux.
+mips64el-linux, armhf-linux and aarch64-linux.
 
 --- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig	2015-09-04 11:07:40.000000000 -0400
 +++ libdrm-2.4.65/freedreno/freedreno-symbol-check	2015-10-18 23:57:15.288416229 -0400
@@ -193,3 +193,28 @@ mips64el-linux and armhf-linux.
  drm_tegra_bo_get_flags
  drm_tegra_bo_get_handle
  drm_tegra_bo_get_tiling
+
+--- libdrm-2.4.65/radeon/radeon-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/radeon/radeon-symbol-check	2015-10-18 23:57:00.756759698 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBDRM_RADEON_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ radeon_bo_debug
+ radeon_bo_get_handle
+ radeon_bo_get_src_domain
diff --git a/gnu/packages/patches/libepoxy-gl-null-checks.patch b/gnu/packages/patches/libepoxy-gl-null-checks.patch
deleted file mode 100644
index bdc4b05989..0000000000
--- a/gnu/packages/patches/libepoxy-gl-null-checks.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-This patch from <https://bugzilla.redhat.com/show_bug.cgi?id=1395366> adds NULL
-checks to avoid crashes when GL support is missing, as is the case when running
-Xvfb.
-
-Upstream issue: <https://github.com/anholt/libepoxy/issues/72>.
-
-diff -ur libepoxy-1.3.1/src/dispatch_common.c libepoxy-1.3.1/src/dispatch_common.c
---- libepoxy-1.3.1/src/dispatch_common.c	2015-07-15 19:46:36.000000000 -0400
-+++ libepoxy-1.3.1/src/dispatch_common.c	2016-11-16 09:03:52.809066247 -0500
-@@ -348,6 +348,8 @@
- epoxy_extension_in_string(const char *extension_list, const char *ext)
- {
-     const char *ptr = extension_list;
-+    if (! ptr) return false;
-+    if (! ext) return false;
-     int len = strlen(ext);
- 
-     /* Make sure that don't just find an extension with our name as a prefix. */
-@@ -380,6 +382,7 @@
- 
-         for (i = 0; i < num_extensions; i++) {
-             const char *gl_ext = (const char *)glGetStringi(GL_EXTENSIONS, i);
-+            if (! gl_ext) return false;
-             if (strcmp(ext, gl_ext) == 0)
-                 return true;
-         }
-diff -ur libepoxy-1.3.1/src/dispatch_egl.c libepoxy-1.3.1/src/dispatch_egl.c
---- libepoxy-1.3.1/src/dispatch_egl.c	2015-07-15 19:46:36.000000000 -0400
-+++ libepoxy-1.3.1/src/dispatch_egl.c	2016-11-16 08:40:34.069358709 -0500
-@@ -46,6 +46,7 @@
-     int ret;
- 
-     version_string = eglQueryString(dpy, EGL_VERSION);
-+    if (! version_string) return 0;
-     ret = sscanf(version_string, "%d.%d", &major, &minor);
-     assert(ret == 2);
-     return major * 10 + minor;
-diff -ur libepoxy-1.3.1/src/dispatch_glx.c libepoxy-1.3.1/src/dispatch_glx.c
---- libepoxy-1.3.1/src/dispatch_glx.c	2015-07-15 19:46:36.000000000 -0400
-+++ libepoxy-1.3.1/src/dispatch_glx.c	2016-11-16 08:41:03.065730370 -0500
-@@ -57,11 +57,13 @@
-     int ret;
- 
-     version_string = glXQueryServerString(dpy, screen, GLX_VERSION);
-+    if (! version_string) return 0;
-     ret = sscanf(version_string, "%d.%d", &server_major, &server_minor);
-     assert(ret == 2);
-     server = server_major * 10 + server_minor;
- 
-     version_string = glXGetClientString(dpy, GLX_VERSION);
-+    if (! version_string) return 0;
-     ret = sscanf(version_string, "%d.%d", &client_major, &client_minor);
-     assert(ret == 2);
-     client = client_major * 10 + client_minor;
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch
index f1907d53e2..bffe2c454c 100644
--- a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch
@@ -1,7 +1,6 @@
-Fix buffer overread in libevents DNS code.
-
-Upstream bug report:
+Fix CVE-2016-10195 (buffer overread in libevent's DNS code):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10195
 https://github.com/libevent/libevent/issues/317
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch
index 4d16a4b917..03f96e938b 100644
--- a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch
@@ -1,7 +1,6 @@
-Fix buffer overflow in evutil.
-
-Upstream bug report:
+Fix CVE-2016-10196 (buffer overflow in evutil):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10196
 https://github.com/libevent/libevent/issues/318
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch
index c4ad0a1a4a..c62a328627 100644
--- a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch
@@ -1,7 +1,6 @@
-Fix OOB read on empty hostnames in evdns.
-
-Upstream bug report:
+Fix CVE-2016-10197 (out of bounds read on empty hostnames in evdns):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10197
 https://github.com/libevent/libevent/issues/332
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libpng-CVE-2016-10087.patch b/gnu/packages/patches/libpng-CVE-2016-10087.patch
deleted file mode 100644
index 8093b3e448..0000000000
--- a/gnu/packages/patches/libpng-CVE-2016-10087.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2016-10087, a null pointer dereference in png_set_text_2():
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
-http://seclists.org/oss-sec/2016/q4/777
-
-Patch adapted from upstream source repository:
-
-https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/
-
-From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001
-From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
-Date: Thu, 29 Dec 2016 07:51:33 -0600
-Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in
- png_set_text_2()
-
-(bug report and patch by Patrick Keshishian).
----
- ANNOUNCE | 2 ++
- CHANGES  | 2 ++
- png.c    | 1 +
- 3 files changed, 5 insertions(+)
-
-diff --git a/png.c b/png.c
-index 8afc28fc2..2e05de159 100644
---- a/png.c
-+++ b/png.c
-@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
-          png_free(png_ptr, info_ptr->text);
-          info_ptr->text = NULL;
-          info_ptr->num_text = 0;
-+         info_ptr->max_text = 0;
-       }
-    }
- #endif
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch b/gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch
new file mode 100644
index 0000000000..4133be7fc9
--- /dev/null
+++ b/gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch
@@ -0,0 +1,33 @@
+This fixes a regression introduced in 1.8.0 where libssh2 fails to build
+with the gcrypt backend.
+
+Upstream bug URL:
+
+https://github.com/libssh2/libssh2/issues/150
+
+Patch copied from upstream source repository:
+
+https://github.com/libssh2/libssh2/commit/ced924b78a40126606797ef57a74066eb3b4b83f
+
+From ced924b78a40126606797ef57a74066eb3b4b83f Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <siarheit@google.com>
+Date: Mon, 31 Oct 2016 09:04:33 +0000
+Subject: [PATCH] acinclude.m4: fix ./configure --with-libgcrypt
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 734ef07..c78260c 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -412,9 +412,9 @@ AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
+ 
+   old_LDFLAGS=$LDFLAGS
+   old_CFLAGS=$CFLAGS
+-  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
+-    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
+-    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
++  if test -n "$with_libgcrypt_prefix" && test "$use_libgcrypt" != "no"; then
++    LDFLAGS="$LDFLAGS -L$with_libgcrypt_prefix/lib"
++    CFLAGS="$CFLAGS -I$with_libgcrypt_prefix/include"
+   fi
+   AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
+     #include <gcrypt.h>
diff --git a/gnu/packages/patches/libxcb-python-3.5-compat.patch b/gnu/packages/patches/libxcb-python-3.5-compat.patch
new file mode 100644
index 0000000000..f652498aad
--- /dev/null
+++ b/gnu/packages/patches/libxcb-python-3.5-compat.patch
@@ -0,0 +1,64 @@
+Fix compatibility issue with Python 3.5.
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xcb/libxcb/commit/?id=8740a288ca468433141341347aa115b9544891d3
+
+From 8740a288ca468433141341347aa115b9544891d3 Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <wiz@NetBSD.org>
+Date: Thu, 19 May 2016 17:31:18 +0200
+Subject: [PATCH] Fix inconsistent use of tabs vs. space.
+
+Needed for at least python-3.5.x.
+
+Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ src/c_client.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/c_client.py b/src/c_client.py
+index 57de3fb..043338d 100644
+--- a/src/c_client.py
++++ b/src/c_client.py
+@@ -1364,7 +1364,7 @@ def _c_serialize(context, self):
+             _c('    unsigned int xcb_align_to = 0;')
+         if self.is_switch:
+             _c('    unsigned int xcb_padding_offset = %d;',
+-	       self.get_align_offset() )
++               self.get_align_offset() )
+         prefix = [('_aux', '->', self)]
+         aux_ptr = 'xcb_out'
+ 
+@@ -1390,7 +1390,7 @@ def _c_serialize(context, self):
+         _c('    unsigned int xcb_align_to = 0;')
+         if self.is_switch:
+             _c('    unsigned int xcb_padding_offset = %d;',
+-	       self.get_align_offset() )
++               self.get_align_offset() )
+ 
+     elif 'sizeof' == context:
+         param_names = [p[2] for p in params]
+@@ -1930,14 +1930,14 @@ def _c_accessors_list(self, field):
+                     # from the request size and divide that by the member size
+                     return '(((R->length * 4) - sizeof('+ self.c_type + '))/'+'sizeof('+field.type.member.c_wiretype+'))'
+                 else:
+-		    # use the accessor to get the start of the list, then
+-		    # compute the length of it by subtracting it from
++                    # use the accessor to get the start of the list, then
++                    # compute the length of it by subtracting it from
+                     # the adress of the first byte after the end of the
+                     # request
+-		    after_end_of_request = '(((char*)R) + R->length * 4)'
+-		    start_of_list = '%s(R)' % (field.c_accessor_name)
++                    after_end_of_request = '(((char*)R) + R->length * 4)'
++                    start_of_list = '%s(R)' % (field.c_accessor_name)
+                     bytesize_of_list = '%s - (char*)(%s)' % (after_end_of_request, start_of_list)
+-		    return '(%s) / sizeof(%s)' % (bytesize_of_list, field.type.member.c_wiretype)
++                    return '(%s) / sizeof(%s)' % (bytesize_of_list, field.type.member.c_wiretype)
+             else:
+                 raise Exception(
+                     "lengthless lists with varsized members are not supported. Fieldname '%s'"
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/nss-increase-test-timeout.patch b/gnu/packages/patches/nss-increase-test-timeout.patch
new file mode 100644
index 0000000000..c6aac6ac00
--- /dev/null
+++ b/gnu/packages/patches/nss-increase-test-timeout.patch
@@ -0,0 +1,25 @@
+We've seen some tests take more than 20s to complete on a busy armhf
+machine. Even a busy x86_64 machine can use more than 5s on some tests.
+
+Increase timeouts to increase chances of a successful build.
+
+--- a/nss/gtests/ssl_gtest/tls_connect.cc	2017-03-14 22:47:30.855813629 +0100
++++ b/nss/gtests/ssl_gtest/tls_connect.cc	2017-03-14 22:48:49.042335273 +0100
+@@ -245,7 +245,7 @@
+ 
+   ASSERT_TRUE_WAIT((client_->state() != TlsAgent::STATE_CONNECTING) &&
+                        (server_->state() != TlsAgent::STATE_CONNECTING),
+-                   5000);
++                   25000);
+ }
+ 
+ void TlsConnectTestBase::EnableExtendedMasterSecret() {
+@@ -387,7 +387,7 @@
+   } else {
+     fail_agent = server_;
+   }
+-  ASSERT_TRUE_WAIT(fail_agent->state() == TlsAgent::STATE_ERROR, 5000);
++  ASSERT_TRUE_WAIT(fail_agent->state() == TlsAgent::STATE_ERROR, 25000);
+ }
+ 
+ void TlsConnectTestBase::ConfigureVersion(uint16_t version) {
diff --git a/gnu/packages/patches/openjpeg-CVE-2016-5157.patch b/gnu/packages/patches/openjpeg-CVE-2016-5157.patch
deleted file mode 100644
index f83bd9b511..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2016-5157.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-Fix CVE-2016-5157 (heap overflow in opj_dwt_interleave_v() allowing execution of
-arbitrary code):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5157
-https://pdfium.googlesource.com/pdfium/+/b6befb2ed2485a3805cddea86dc7574510178ea9
-http://seclists.org/oss-sec/2016/q3/441
-
-Adapted from upstream source repository:
-
-https://github.com/uclouvain/openjpeg/commit/e078172b1c3f98d2219c37076b238fb759c751ea
-
-The final hunk of the patch, affecting
-'tests/nonregression/test_suite.ctest.in', had to be adjusted, since it referred
-to some context that is not yet provided by a tagged release.
-
-From c80286a4d573ad07ccc3c8b53289c38bb8256b30 Mon Sep 17 00:00:00 2001
-From: Leo Famulari <leo@famulari.name>
-Date: Fri, 9 Sep 2016 04:37:40 -0400
-Subject: [PATCH] CVE-2016-5157 adjusted to apply to 2.1.0.
-
----
- src/lib/openjp2/tcd.c                   | 11 +++++++++++
- tests/compare_dump_files.c              | 14 +++++++-------
- tests/nonregression/test_suite.ctest.in |  2 ++
- 3 files changed, 20 insertions(+), 7 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index 12da05c..7a29c49 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -696,9 +696,20 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
- 	l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */
- 	l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);
- 	l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);
-+	/* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */
-+	if ((l_tile->x0 < 0) || (l_tile->x1 <= l_tile->x0)) {
-+		opj_event_msg(manager, EVT_ERROR, "Tile X coordinates are not supported\n");
-+		return OPJ_FALSE;
-+	}
- 	l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */
- 	l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);
- 	l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1);
-+	/* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */
-+	if ((l_tile->y0 < 0) || (l_tile->y1 <= l_tile->y0)) {
-+		opj_event_msg(manager, EVT_ERROR, "Tile Y coordinates are not supported\n");
-+		return OPJ_FALSE;
-+	}
-+	
- 
- 	/* testcase 1888.pdf.asan.35.988 */
- 	if (l_tccp->numresolutions == 0) {
-diff --git a/tests/compare_dump_files.c b/tests/compare_dump_files.c
-index 946c92a..7d22270 100644
---- a/tests/compare_dump_files.c
-+++ b/tests/compare_dump_files.c
-@@ -118,10 +118,10 @@ int main(int argc, char **argv)
-   test_cmp_parameters inParam;
-   FILE *fbase=NULL, *ftest=NULL;
-   int same = 0;
--  char lbase[256];
--  char strbase[256];
--  char ltest[256];
--  char strtest[256];
-+  char lbase[512];
-+  char strbase[512];
-+  char ltest[512];
-+  char strtest[512];
- 
-   if( parse_cmdline_cmp(argc, argv, &inParam) == 1 )
-     {
-@@ -154,9 +154,9 @@ int main(int argc, char **argv)
- 
-   while (fgets(lbase, sizeof(lbase), fbase) && fgets(ltest,sizeof(ltest),ftest))
-     {
--    int nbase = sscanf(lbase, "%255[^\r\n]", strbase);
--    int ntest = sscanf(ltest, "%255[^\r\n]", strtest);
--    assert( nbase != 255 && ntest != 255 );
-+    int nbase = sscanf(lbase, "%511[^\r\n]", strbase);
-+    int ntest = sscanf(ltest, "%511[^\r\n]", strtest);
-+    assert( nbase != 511 && ntest != 511 );
-     if( nbase != 1 || ntest != 1 )
-       {
-       fprintf(stderr, "could not parse line from files\n" );
-diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
-index d393e6c..90cfa43 100644
---- a/tests/nonregression/test_suite.ctest.in
-+++ b/tests/nonregression/test_suite.ctest.in
-@@ -564,3 +564,5 @@ opj_decompress -i @INPUT_NR_PATH@/issue726.j2k -o @TEMP_PATH@/issue726.png
- # issue 775
- !opj_decompress -i @INPUT_NR_PATH@/issue775.j2k -o @TEMP_PATH@/issue775.png
- !opj_decompress -i @INPUT_NR_PATH@/issue775-2.j2k -o @TEMP_PATH@/issue775-2.png
-+#  issue 823 (yes, not a typo, test image is issue822)
-+!opj_decompress -i @INPUT_NR_PATH@/issue822.jp2 -o @TEMP_PATH@/issue822.png
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/openjpeg-CVE-2016-7163.patch b/gnu/packages/patches/openjpeg-CVE-2016-7163.patch
deleted file mode 100644
index a4a24e4ff5..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2016-7163.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-Fix CVE-2016-7613 (Integer overflow in opj_pi_create_decode allowing execution
-of arbitrary code):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
-https://github.com/uclouvain/openjpeg/issues/826
-http://seclists.org/oss-sec/2016/q3/442
-
-Copied from upstream repository:
-
-https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4
-https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24
-
-From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001
-From: trylab <trylab@users.noreply.github.com>
-Date: Tue, 6 Sep 2016 13:55:49 +0800
-Subject: [PATCH] Fix an integer overflow issue (#809)
-
-Prevent an integer overflow issue in function opj_pi_create_decode of
-pi.c.
----
- src/lib/openjp2/pi.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
-index cffad66..36e2ff0 100644
---- a/src/lib/openjp2/pi.c
-+++ b/src/lib/openjp2/pi.c
-@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
- 	l_current_pi = l_pi;
- 
- 	/* memory allocation for include */
--	l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
-+	/* prevent an integer overflow issue */
-+	l_current_pi->include = 00;
-+	if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
-+	{
-+		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
-+	}
-+
- 	if
- 		(!l_current_pi->include)
- 	{
--- 
-2.10.0
-
-From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001
-From: Matthieu Darbois <mayeut@users.noreply.github.com>
-Date: Thu, 8 Sep 2016 07:34:46 +0200
-Subject: [PATCH] Cast to size_t before multiplication
-
-Need to cast to size_t before multiplication otherwise overflow check is useless.
----
- src/lib/openjp2/pi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
-index 36e2ff0..809b33d 100644
---- a/src/lib/openjp2/pi.c
-+++ b/src/lib/openjp2/pi.c
-@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
- 	l_current_pi->include = 00;
- 	if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
- 	{
--		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
-+		l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
- 	}
- 
- 	if
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/openjpeg-use-after-free-fix.patch b/gnu/packages/patches/openjpeg-use-after-free-fix.patch
deleted file mode 100644
index 1a9cb1ae1d..0000000000
--- a/gnu/packages/patches/openjpeg-use-after-free-fix.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 940100c28ae28931722290794889cf84a92c5f6f Mon Sep 17 00:00:00 2001
-From: mayeut <mayeut@users.noreply.github.com>
-Date: Sun, 6 Sep 2015 17:24:03 +0200
-Subject: [PATCH] Fix potential use-after-free in opj_j2k_write_mco function
-
-Fixes #563
----
- src/lib/openjp2/j2k.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 19a48f5..d487d89 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -5559,8 +5559,7 @@ static OPJ_BOOL opj_j2k_write_mco(     opj_j2k_t *p_j2k,
-         assert(p_stream != 00);
- 
-         l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
--        l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
--
-+	
-         l_mco_size = 5 + l_tcp->m_nb_mcc_records;
-         if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
- 
-@@ -5575,6 +5574,8 @@ static OPJ_BOOL opj_j2k_write_mco(     opj_j2k_t *p_j2k,
-                 p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
-                 p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
-         }
-+        l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
-+
- 
-         opj_write_bytes(l_current_data,J2K_MS_MCO,2);                   /* MCO */
-         l_current_data += 2;
-@@ -5586,10 +5587,9 @@ static OPJ_BOOL opj_j2k_write_mco(     opj_j2k_t *p_j2k,
-         ++l_current_data;
- 
-         l_mcc_record = l_tcp->m_mcc_records;
--        for     (i=0;i<l_tcp->m_nb_mcc_records;++i) {
-+        for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
-                 opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
-                 ++l_current_data;
--
-                 ++l_mcc_record;
-         }
- 
--- 
-2.5.0
-
diff --git a/gnu/packages/patches/pcre-CVE-2016-3191.patch b/gnu/packages/patches/pcre-CVE-2016-3191.patch
deleted file mode 100644
index 89cce2a36f..0000000000
--- a/gnu/packages/patches/pcre-CVE-2016-3191.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-Fix for CVE-2016-3191.
-See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.
-This is svn r1631 at <svn://vcs.exim.org/pcre/code>.
-
-Index: trunk/testdata/testoutput11-16
-===================================================================
---- trunk/testdata/testoutput11-16	(revision 1630)
-+++ trunk/testdata/testoutput11-16	(revision 1631)
-@@ -765,4 +765,7 @@
-  25     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: regular expression is too complicated at offset 490
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testinput11
-===================================================================
---- trunk/testdata/testinput11	(revision 1630)
-+++ trunk/testdata/testinput11	(revision 1631)
-@@ -138,4 +138,6 @@
- 
- /.((?2)(?R)\1)()/B
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testoutput11-8
-===================================================================
---- trunk/testdata/testoutput11-8	(revision 1630)
-+++ trunk/testdata/testoutput11-8	(revision 1631)
-@@ -765,4 +765,7 @@
-  38     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: missing ) at offset 509
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testoutput11-32
-===================================================================
---- trunk/testdata/testoutput11-32	(revision 1630)
-+++ trunk/testdata/testoutput11-32	(revision 1631)
-@@ -765,4 +765,7 @@
-  25     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: missing ) at offset 509
-+
- /-- End of testinput11 --/
-Index: trunk/pcre_internal.h
-===================================================================
---- trunk/pcre_internal.h	(revision 1630)
-+++ trunk/pcre_internal.h	(revision 1631)
-@@ -7,7 +7,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -2289,7 +2289,7 @@
-        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
-        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
-        ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
--       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
-+       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
- 
- /* JIT compiling modes. The function list is indexed by them. */
- 
-Index: trunk/pcre_compile.c
-===================================================================
---- trunk/pcre_compile.c	(revision 1630)
-+++ trunk/pcre_compile.c	(revision 1631)
-@@ -6,7 +6,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -560,6 +560,7 @@
-   /* 85 */
-   "parentheses are too deeply nested (stack check)\0"
-   "digits missing in \\x{} or \\o{}\0"
-+  "regular expression is too complicated\0"
-   ;
- 
- /* Table to identify digits and hex digits. This is used when compiling
-@@ -4591,7 +4592,8 @@
-     if (code > cd->start_workspace + cd->workspace_size -
-         WORK_SIZE_SAFETY_MARGIN)                       /* Check for overrun */
-       {
--      *errorcodeptr = ERR52;
-+      *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
-+        ERR52 : ERR87;
-       goto FAILED;
-       }
- 
-@@ -6626,8 +6628,21 @@
-             cd->had_accept = TRUE;
-             for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-               {
--              *code++ = OP_CLOSE;
--              PUT2INC(code, 0, oc->number);
-+              if (lengthptr != NULL)
-+                {
-+#ifdef COMPILE_PCRE8
-+                *lengthptr += 1 + IMM2_SIZE;
-+#elif defined COMPILE_PCRE16
-+                *lengthptr += 2 + IMM2_SIZE;
-+#elif defined COMPILE_PCRE32
-+                *lengthptr += 4 + IMM2_SIZE;
-+#endif
-+                }
-+              else
-+                {
-+                *code++ = OP_CLOSE;
-+                PUT2INC(code, 0, oc->number);
-+                }
-               }
-             setverb = *code++ =
-               (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
-Index: trunk/pcreposix.c
-===================================================================
---- trunk/pcreposix.c	(revision 1630)
-+++ trunk/pcreposix.c	(revision 1631)
-@@ -6,7 +6,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -173,7 +173,8 @@
-   REG_BADPAT,  /* group name must start with a non-digit */
-   /* 85 */
-   REG_BADPAT,  /* parentheses too deeply nested (stack check) */
--  REG_BADPAT   /* missing digits in \x{} or \o{} */
-+  REG_BADPAT,  /* missing digits in \x{} or \o{} */
-+  REG_BADPAT   /* pattern too complicated */
- };
- 
- /* Table of texts corresponding to POSIX error codes */
diff --git a/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch b/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch
new file mode 100644
index 0000000000..5a09b4ac52
--- /dev/null
+++ b/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch
@@ -0,0 +1,54 @@
+This patch resolves a compatibility issue when compiled against glibc
+2.25
+and run runder kernels < 3.17:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1410175
+
+Upstream bug URLs:
+
+https://bugs.python.org/issue29157
+https://bugs.python.org/issue29188
+
+Patch adapted from upstream source repository:
+
+https://github.com/python/cpython/commit/01bdbad3e951014c58581635b94b22868537901c
+
+From 01bdbad3e951014c58581635b94b22868537901c Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Mon, 9 Jan 2017 11:10:41 +0100
+Subject: [PATCH] Don't use getentropy() on Linux
+
+Issue #29188: Support glibc 2.24 on Linux: don't use getentropy() function but
+read from /dev/urandom to get random bytes, for example in os.urandom().  On
+Linux, getentropy() is implemented which getrandom() is blocking mode, whereas
+os.urandom() should not block.
+---
+ Misc/NEWS       |  5 +++++
+ Python/random.c | 11 +++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/Python/random.c b/Python/random.c
+index 57c41ffcd6..000cb36938 100644
+--- a/Python/random.c
++++ b/Python/random.c
+@@ -97,8 +97,15 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
+ }
+ 
+ /* Issue #25003: Don't use getentropy() on Solaris (available since
+- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
+-#elif defined(HAVE_GETENTROPY) && !defined(sun)
++   Solaris 11.3), it is blocking whereas os.urandom() should not block.
++
++   Issue #29188: Don't use getentropy() on Linux since the glibc 2.24
++   implements it with the getrandom() syscall which can fail with ENOSYS,
++   and this error is not supported in py_getentropy() and getrandom() is called
++   with flags=0 which blocks until system urandom is initialized, which is not
++   the desired behaviour to seed the Python hash secret nor for os.urandom():
++   see the PEP 524 which was only implemented in Python 3.6. */
++#elif defined(HAVE_GETENTROPY) && !defined(sun) && !defined(linux)
+ #define PY_GETENTROPY 1
+ 
+ /* Fill buffer with size pseudo-random bytes generated by getentropy().
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/python-3.4-fix-tests.patch b/gnu/packages/patches/python-3.4-fix-tests.patch
deleted file mode 100644
index d1f8138e79..0000000000
--- a/gnu/packages/patches/python-3.4-fix-tests.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- Lib/test/test_posixpath.py  2014-03-01 05:46:56.984311000 +0100
-+++ Lib/test/test_posixpath.py  2014-03-07 00:59:20.888311000 +0100
-@@ -319,7 +319,11 @@
-                 del env['HOME']
-                 home = pwd.getpwuid(os.getuid()).pw_dir
-                 # $HOME can end with a trailing /, so strip it (see #17809)
--                self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
-+                # The Guix builders have '/' as a home directory, so
-+                # home.rstrip("/") will be an empty string and the test will
-+                # fail. Let's just disable it since it does not really make
-+                # sense with such a bizarre setup.
-+                # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch
index 46d2a84efb..9778b88dbd 100644
--- a/gnu/packages/patches/python-3.5-fix-tests.patch
+++ b/gnu/packages/patches/python-3.5-fix-tests.patch
@@ -35,12 +35,35 @@ prior revisions of Python.
 
 --- Lib/test/test_asyncio/test_base_events.py
 +++ Lib/test/test_asyncio/test_base_events.py
-@@ -142,6 +142,8 @@ class BaseEventTests(test_utils.TestCase):
-             (INET, STREAM, TCP, '', ('1.2.3.4', 1)),
-             base_events._ipaddr_info('1.2.3.4', b'1', INET, STREAM, TCP))
- 
+@@ -1216,6 +1216,8 @@
+         self._test_create_connection_ip_addr(m_socket, False)
+
+     @patch_socket
 +    @unittest.skipUnless(support.is_resource_enabled('network'),
 +                         'network is not enabled')
-     def test_getaddrinfo_servname(self):
-         INET = socket.AF_INET
-         STREAM = socket.SOCK_STREAM
+     def test_create_connection_service_name(self, m_socket):
+         m_socket.getaddrinfo = socket.getaddrinfo
+         sock = m_socket.socket.return_value
+
+--- Lib/test/test_pdb.py.org    2017-03-12 03:09:01.991856701 +0100
++++ Lib/test/test_pdb.py        2017-03-12 03:26:17.742572869 +0100
+
+For some reason, KeyboardInterrupts do not work in the build
+environment (lack of controlling TTY?). Just change the expected
+outcome. Unfortunately, this will make it fail for users running
+`python -m test test_pdb test_pdb` interactively.
+
+@@ -928,11 +928,11 @@
+     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(6)test_function()
+     -> print('pdb %d: %s' % (i, sess._previous_sigint_handler))
+     (Pdb) continue
+-    pdb 1: <built-in function default_int_handler>
++    pdb 1: Handlers.SIG_IGN
+     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(5)test_function()
+     -> sess.set_trace(sys._getframe())
+     (Pdb) continue
+-    pdb 2: <built-in function default_int_handler>
++    pdb 2: Handlers.SIG_IGN
+     """
+
+ class PdbTestCase(unittest.TestCase):
diff --git a/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch b/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch
new file mode 100644
index 0000000000..8a12b5b448
--- /dev/null
+++ b/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch
@@ -0,0 +1,720 @@
+This patch resolves a compatibility issue when compiled against glibc 2.25
+and run runder kernels < 3.17:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1410175
+
+Upstream bug URL: https://bugs.python.org/issue29157
+
+Patch copied from upstream source repository:
+
+https://hg.python.org/cpython/rev/8125d9a8152b
+
+# HG changeset patch
+# User Victor Stinner <victor.stinner@gmail.com>
+# Date 1483957133 -3600
+# Node ID 8125d9a8152b79e712cb09c7094b9129b9bcea86
+# Parent  337461574c90281630751b6095c4e1baf380cf7d
+Issue #29157: Prefer getrandom() over getentropy()
+
+Copy and then adapt Python/random.c from default branch. Difference between 3.5
+and default branches:
+
+* Python 3.5 only uses getrandom() in non-blocking mode: flags=GRND_NONBLOCK
+* If getrandom() fails with EAGAIN: py_getrandom() immediately fails and
+  remembers that getrandom() doesn't work.
+* Python 3.5 has no _PyOS_URandomNonblock() function: _PyOS_URandom()
+  works in non-blocking mode on Python 3.5
+
+diff --git a/Python/random.c b/Python/random.c
+--- Python/random.c
++++ Python/random.c
+@@ -1,6 +1,9 @@
+ #include "Python.h"
+ #ifdef MS_WINDOWS
+ #  include <windows.h>
++/* All sample MSDN wincrypt programs include the header below. It is at least
++ * required with Min GW. */
++#  include <wincrypt.h>
+ #else
+ #  include <fcntl.h>
+ #  ifdef HAVE_SYS_STAT_H
+@@ -37,10 +40,9 @@ win32_urandom_init(int raise)
+     return 0;
+ 
+ error:
+-    if (raise)
++    if (raise) {
+         PyErr_SetFromWindowsErr(0);
+-    else
+-        Py_FatalError("Failed to initialize Windows random API (CryptoGen)");
++    }
+     return -1;
+ }
+ 
+@@ -53,8 +55,9 @@ win32_urandom(unsigned char *buffer, Py_
+ 
+     if (hCryptProv == 0)
+     {
+-        if (win32_urandom_init(raise) == -1)
++        if (win32_urandom_init(raise) == -1) {
+             return -1;
++        }
+     }
+ 
+     while (size > 0)
+@@ -63,11 +66,9 @@ win32_urandom(unsigned char *buffer, Py_
+         if (!CryptGenRandom(hCryptProv, (DWORD)chunk, buffer))
+         {
+             /* CryptGenRandom() failed */
+-            if (raise)
++            if (raise) {
+                 PyErr_SetFromWindowsErr(0);
+-            else
+-                Py_FatalError("Failed to initialized the randomized hash "
+-                        "secret using CryptoGen)");
++            }
+             return -1;
+         }
+         buffer += chunk;
+@@ -76,58 +77,23 @@ win32_urandom(unsigned char *buffer, Py_
+     return 0;
+ }
+ 
+-/* Issue #25003: Don't use getentropy() on Solaris (available since
+- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
+-#elif defined(HAVE_GETENTROPY) && !defined(sun)
+-#define PY_GETENTROPY 1
+-
+-/* Fill buffer with size pseudo-random bytes generated by getentropy().
+-   Return 0 on success, or raise an exception and return -1 on error.
+-
+-   If fatal is nonzero, call Py_FatalError() instead of raising an exception
+-   on error. */
+-static int
+-py_getentropy(unsigned char *buffer, Py_ssize_t size, int fatal)
+-{
+-    while (size > 0) {
+-        Py_ssize_t len = Py_MIN(size, 256);
+-        int res;
+-
+-        if (!fatal) {
+-            Py_BEGIN_ALLOW_THREADS
+-            res = getentropy(buffer, len);
+-            Py_END_ALLOW_THREADS
+-
+-            if (res < 0) {
+-                PyErr_SetFromErrno(PyExc_OSError);
+-                return -1;
+-            }
+-        }
+-        else {
+-            res = getentropy(buffer, len);
+-            if (res < 0)
+-                Py_FatalError("getentropy() failed");
+-        }
+-
+-        buffer += len;
+-        size -= len;
+-    }
+-    return 0;
+-}
+-
+-#else
++#else /* !MS_WINDOWS */
+ 
+ #if defined(HAVE_GETRANDOM) || defined(HAVE_GETRANDOM_SYSCALL)
+ #define PY_GETRANDOM 1
+ 
+-/* Call getrandom()
++/* Call getrandom() to get random bytes:
++
+    - Return 1 on success
+-   - Return 0 if getrandom() syscall is not available (failed with ENOSYS or
+-     EPERM) or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom
+-     not initialized yet) and raise=0.
++   - Return 0 if getrandom() is not available (failed with ENOSYS or EPERM),
++     or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not
++     initialized yet).
+    - Raise an exception (if raise is non-zero) and return -1 on error:
+-     getrandom() failed with EINTR and the Python signal handler raised an
+-     exception, or getrandom() failed with a different error. */
++     if getrandom() failed with EINTR, raise is non-zero and the Python signal
++     handler raised an exception, or if getrandom() failed with a different
++     error.
++
++   getrandom() is retried if it failed with EINTR: interrupted by a signal. */
+ static int
+ py_getrandom(void *buffer, Py_ssize_t size, int raise)
+ {
+@@ -142,16 +108,19 @@ py_getrandom(void *buffer, Py_ssize_t si
+      * see https://bugs.python.org/issue26839. To avoid this, use the
+      * GRND_NONBLOCK flag. */
+     const int flags = GRND_NONBLOCK;
++    char *dest;
+     long n;
+ 
+     if (!getrandom_works) {
+         return 0;
+     }
+ 
++    dest = buffer;
+     while (0 < size) {
+ #ifdef sun
+         /* Issue #26735: On Solaris, getrandom() is limited to returning up
+-           to 1024 bytes */
++           to 1024 bytes. Call it multiple times if more bytes are
++           requested. */
+         n = Py_MIN(size, 1024);
+ #else
+         n = Py_MIN(size, LONG_MAX);
+@@ -161,34 +130,35 @@ py_getrandom(void *buffer, Py_ssize_t si
+ #ifdef HAVE_GETRANDOM
+         if (raise) {
+             Py_BEGIN_ALLOW_THREADS
+-            n = getrandom(buffer, n, flags);
++            n = getrandom(dest, n, flags);
+             Py_END_ALLOW_THREADS
+         }
+         else {
+-            n = getrandom(buffer, n, flags);
++            n = getrandom(dest, n, flags);
+         }
+ #else
+         /* On Linux, use the syscall() function because the GNU libc doesn't
+-         * expose the Linux getrandom() syscall yet. See:
+-         * https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */
++           expose the Linux getrandom() syscall yet. See:
++           https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */
+         if (raise) {
+             Py_BEGIN_ALLOW_THREADS
+-            n = syscall(SYS_getrandom, buffer, n, flags);
++            n = syscall(SYS_getrandom, dest, n, flags);
+             Py_END_ALLOW_THREADS
+         }
+         else {
+-            n = syscall(SYS_getrandom, buffer, n, flags);
++            n = syscall(SYS_getrandom, dest, n, flags);
+         }
+ #endif
+ 
+         if (n < 0) {
+-            /* ENOSYS: getrandom() syscall not supported by the kernel (but
+-             * maybe supported by the host which built Python). EPERM:
+-             * getrandom() syscall blocked by SECCOMP or something else. */
++            /* ENOSYS: the syscall is not supported by the kernel.
++               EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
++               or something else. */
+             if (errno == ENOSYS || errno == EPERM) {
+                 getrandom_works = 0;
+                 return 0;
+             }
++
+             if (errno == EAGAIN) {
+                 /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system
+                    urandom is not initialiazed yet. In this case, fall back on
+@@ -202,32 +172,101 @@ py_getrandom(void *buffer, Py_ssize_t si
+             }
+ 
+             if (errno == EINTR) {
+-                if (PyErr_CheckSignals()) {
+-                    if (!raise) {
+-                        Py_FatalError("getrandom() interrupted by a signal");
++                if (raise) {
++                    if (PyErr_CheckSignals()) {
++                        return -1;
+                     }
+-                    return -1;
+                 }
+ 
+-                /* retry getrandom() */
++                /* retry getrandom() if it was interrupted by a signal */
+                 continue;
+             }
+ 
+             if (raise) {
+                 PyErr_SetFromErrno(PyExc_OSError);
+             }
+-            else {
+-                Py_FatalError("getrandom() failed");
++            return -1;
++        }
++
++        dest += n;
++        size -= n;
++    }
++    return 1;
++}
++
++#elif defined(HAVE_GETENTROPY)
++#define PY_GETENTROPY 1
++
++/* Fill buffer with size pseudo-random bytes generated by getentropy():
++
++   - Return 1 on success
++   - Return 0 if getentropy() syscall is not available (failed with ENOSYS or
++     EPERM).
++   - Raise an exception (if raise is non-zero) and return -1 on error:
++     if getentropy() failed with EINTR, raise is non-zero and the Python signal
++     handler raised an exception, or if getentropy() failed with a different
++     error.
++
++   getentropy() is retried if it failed with EINTR: interrupted by a signal. */
++static int
++py_getentropy(char *buffer, Py_ssize_t size, int raise)
++{
++    /* Is getentropy() supported by the running kernel? Set to 0 if
++       getentropy() failed with ENOSYS or EPERM. */
++    static int getentropy_works = 1;
++
++    if (!getentropy_works) {
++        return 0;
++    }
++
++    while (size > 0) {
++        /* getentropy() is limited to returning up to 256 bytes. Call it
++           multiple times if more bytes are requested. */
++        Py_ssize_t len = Py_MIN(size, 256);
++        int res;
++
++        if (raise) {
++            Py_BEGIN_ALLOW_THREADS
++            res = getentropy(buffer, len);
++            Py_END_ALLOW_THREADS
++        }
++        else {
++            res = getentropy(buffer, len);
++        }
++
++        if (res < 0) {
++            /* ENOSYS: the syscall is not supported by the running kernel.
++               EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
++               or something else. */
++            if (errno == ENOSYS || errno == EPERM) {
++                getentropy_works = 0;
++                return 0;
++            }
++
++            if (errno == EINTR) {
++                if (raise) {
++                    if (PyErr_CheckSignals()) {
++                        return -1;
++                    }
++                }
++
++                /* retry getentropy() if it was interrupted by a signal */
++                continue;
++            }
++
++            if (raise) {
++                PyErr_SetFromErrno(PyExc_OSError);
+             }
+             return -1;
+         }
+ 
+-        buffer += n;
+-        size -= n;
++        buffer += len;
++        size -= len;
+     }
+     return 1;
+ }
+-#endif
++#endif /* defined(HAVE_GETENTROPY) && !defined(sun) */
++
+ 
+ static struct {
+     int fd;
+@@ -235,136 +274,123 @@ static struct {
+     ino_t st_ino;
+ } urandom_cache = { -1 };
+ 
++/* Read random bytes from the /dev/urandom device:
+ 
+-/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
+-   /dev/urandom if getrandom() is not available.
++   - Return 0 on success
++   - Raise an exception (if raise is non-zero) and return -1 on error
+ 
+-   Call Py_FatalError() on error. */
+-static void
+-dev_urandom_noraise(unsigned char *buffer, Py_ssize_t size)
++   Possible causes of errors:
++
++   - open() failed with ENOENT, ENXIO, ENODEV, EACCES: the /dev/urandom device
++     was not found. For example, it was removed manually or not exposed in a
++     chroot or container.
++   - open() failed with a different error
++   - fstat() failed
++   - read() failed or returned 0
++
++   read() is retried if it failed with EINTR: interrupted by a signal.
++
++   The file descriptor of the device is kept open between calls to avoid using
++   many file descriptors when run in parallel from multiple threads:
++   see the issue #18756.
++
++   st_dev and st_ino fields of the file descriptor (from fstat()) are cached to
++   check if the file descriptor was replaced by a different file (which is
++   likely a bug in the application): see the issue #21207.
++
++   If the file descriptor was closed or replaced, open a new file descriptor
++   but don't close the old file descriptor: it probably points to something
++   important for some third-party code. */
++static int
++dev_urandom(char *buffer, Py_ssize_t size, int raise)
+ {
+     int fd;
+     Py_ssize_t n;
+ 
+-    assert (0 < size);
++    if (raise) {
++        struct _Py_stat_struct st;
+ 
+-#ifdef PY_GETRANDOM
+-    if (py_getrandom(buffer, size, 0) == 1) {
+-        return;
++        if (urandom_cache.fd >= 0) {
++            /* Does the fd point to the same thing as before? (issue #21207) */
++            if (_Py_fstat_noraise(urandom_cache.fd, &st)
++                || st.st_dev != urandom_cache.st_dev
++                || st.st_ino != urandom_cache.st_ino) {
++                /* Something changed: forget the cached fd (but don't close it,
++                   since it probably points to something important for some
++                   third-party code). */
++                urandom_cache.fd = -1;
++            }
++        }
++        if (urandom_cache.fd >= 0)
++            fd = urandom_cache.fd;
++        else {
++            fd = _Py_open("/dev/urandom", O_RDONLY);
++            if (fd < 0) {
++                if (errno == ENOENT || errno == ENXIO ||
++                    errno == ENODEV || errno == EACCES) {
++                    PyErr_SetString(PyExc_NotImplementedError,
++                                    "/dev/urandom (or equivalent) not found");
++                }
++                /* otherwise, keep the OSError exception raised by _Py_open() */
++                return -1;
++            }
++            if (urandom_cache.fd >= 0) {
++                /* urandom_fd was initialized by another thread while we were
++                   not holding the GIL, keep it. */
++                close(fd);
++                fd = urandom_cache.fd;
++            }
++            else {
++                if (_Py_fstat(fd, &st)) {
++                    close(fd);
++                    return -1;
++                }
++                else {
++                    urandom_cache.fd = fd;
++                    urandom_cache.st_dev = st.st_dev;
++                    urandom_cache.st_ino = st.st_ino;
++                }
++            }
++        }
++
++        do {
++            n = _Py_read(fd, buffer, (size_t)size);
++            if (n == -1)
++                return -1;
++            if (n == 0) {
++                PyErr_Format(PyExc_RuntimeError,
++                        "Failed to read %zi bytes from /dev/urandom",
++                        size);
++                return -1;
++            }
++
++            buffer += n;
++            size -= n;
++        } while (0 < size);
+     }
+-    /* getrandom() failed with ENOSYS or EPERM,
+-       fall back on reading /dev/urandom */
+-#endif
+-
+-    fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
+-    if (fd < 0) {
+-        Py_FatalError("Failed to open /dev/urandom");
+-    }
+-
+-    while (0 < size)
+-    {
+-        do {
+-            n = read(fd, buffer, (size_t)size);
+-        } while (n < 0 && errno == EINTR);
+-
+-        if (n <= 0) {
+-            /* read() failed or returned 0 bytes */
+-            Py_FatalError("Failed to read bytes from /dev/urandom");
+-            break;
+-        }
+-        buffer += n;
+-        size -= n;
+-    }
+-    close(fd);
+-}
+-
+-/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
+-   /dev/urandom if getrandom() is not available.
+-
+-   Return 0 on success. Raise an exception and return -1 on error. */
+-static int
+-dev_urandom_python(char *buffer, Py_ssize_t size)
+-{
+-    int fd;
+-    Py_ssize_t n;
+-    struct _Py_stat_struct st;
+-#ifdef PY_GETRANDOM
+-    int res;
+-#endif
+-
+-    if (size <= 0)
+-        return 0;
+-
+-#ifdef PY_GETRANDOM
+-    res = py_getrandom(buffer, size, 1);
+-    if (res < 0) {
+-        return -1;
+-    }
+-    if (res == 1) {
+-        return 0;
+-    }
+-    /* getrandom() failed with ENOSYS or EPERM,
+-       fall back on reading /dev/urandom */
+-#endif
+-
+-    if (urandom_cache.fd >= 0) {
+-        /* Does the fd point to the same thing as before? (issue #21207) */
+-        if (_Py_fstat_noraise(urandom_cache.fd, &st)
+-            || st.st_dev != urandom_cache.st_dev
+-            || st.st_ino != urandom_cache.st_ino) {
+-            /* Something changed: forget the cached fd (but don't close it,
+-               since it probably points to something important for some
+-               third-party code). */
+-            urandom_cache.fd = -1;
+-        }
+-    }
+-    if (urandom_cache.fd >= 0)
+-        fd = urandom_cache.fd;
+     else {
+-        fd = _Py_open("/dev/urandom", O_RDONLY);
++        fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
+         if (fd < 0) {
+-            if (errno == ENOENT || errno == ENXIO ||
+-                errno == ENODEV || errno == EACCES)
+-                PyErr_SetString(PyExc_NotImplementedError,
+-                                "/dev/urandom (or equivalent) not found");
+-            /* otherwise, keep the OSError exception raised by _Py_open() */
+             return -1;
+         }
+-        if (urandom_cache.fd >= 0) {
+-            /* urandom_fd was initialized by another thread while we were
+-               not holding the GIL, keep it. */
+-            close(fd);
+-            fd = urandom_cache.fd;
+-        }
+-        else {
+-            if (_Py_fstat(fd, &st)) {
++
++        while (0 < size)
++        {
++            do {
++                n = read(fd, buffer, (size_t)size);
++            } while (n < 0 && errno == EINTR);
++
++            if (n <= 0) {
++                /* stop on error or if read(size) returned 0 */
+                 close(fd);
+                 return -1;
+             }
+-            else {
+-                urandom_cache.fd = fd;
+-                urandom_cache.st_dev = st.st_dev;
+-                urandom_cache.st_ino = st.st_ino;
+-            }
++
++            buffer += n;
++            size -= n;
+         }
++        close(fd);
+     }
+-
+-    do {
+-        n = _Py_read(fd, buffer, (size_t)size);
+-        if (n == -1) {
+-            return -1;
+-        }
+-        if (n == 0) {
+-            PyErr_Format(PyExc_RuntimeError,
+-                    "Failed to read %zi bytes from /dev/urandom",
+-                    size);
+-            return -1;
+-        }
+-
+-        buffer += n;
+-        size -= n;
+-    } while (0 < size);
+-
+     return 0;
+ }
+ 
+@@ -376,8 +402,8 @@ dev_urandom_close(void)
+         urandom_cache.fd = -1;
+     }
+ }
++#endif /* !MS_WINDOWS */
+ 
+-#endif
+ 
+ /* Fill buffer with pseudo-random bytes generated by a linear congruent
+    generator (LCG):
+@@ -400,29 +426,98 @@ lcg_urandom(unsigned int x0, unsigned ch
+     }
+ }
+ 
++/* Read random bytes:
++
++   - Return 0 on success
++   - Raise an exception (if raise is non-zero) and return -1 on error
++
++   Used sources of entropy ordered by preference, preferred source first:
++
++   - CryptGenRandom() on Windows
++   - getrandom() function (ex: Linux and Solaris): call py_getrandom()
++   - getentropy() function (ex: OpenBSD): call py_getentropy()
++   - /dev/urandom device
++
++   Read from the /dev/urandom device if getrandom() or getentropy() function
++   is not available or does not work.
++
++   Prefer getrandom() over getentropy() because getrandom() supports blocking
++   and non-blocking mode and Python requires non-blocking RNG at startup to
++   initialize its hash secret: see the PEP 524.
++
++   Prefer getrandom() and getentropy() over reading directly /dev/urandom
++   because these functions don't need file descriptors and so avoid ENFILE or
++   EMFILE errors (too many open files): see the issue #18756.
++
++   Only use RNG running in the kernel. They are more secure because it is
++   harder to get the internal state of a RNG running in the kernel land than a
++   RNG running in the user land. The kernel has a direct access to the hardware
++   and has access to hardware RNG, they are used as entropy sources.
++
++   Note: the OpenSSL RAND_pseudo_bytes() function does not automatically reseed
++   its RNG on fork(), two child processes (with the same pid) generate the same
++   random numbers: see issue #18747. Kernel RNGs don't have this issue,
++   they have access to good quality entropy sources.
++
++   If raise is zero:
++
++   - Don't raise an exception on error
++   - Don't call the Python signal handler (don't call PyErr_CheckSignals()) if
++     a function fails with EINTR: retry directly the interrupted function
++   - Don't release the GIL to call functions.
++*/
++static int
++pyurandom(void *buffer, Py_ssize_t size, int raise)
++{
++#if defined(PY_GETRANDOM) || defined(PY_GETENTROPY)
++    int res;
++#endif
++
++    if (size < 0) {
++        if (raise) {
++            PyErr_Format(PyExc_ValueError,
++                         "negative argument not allowed");
++        }
++        return -1;
++    }
++
++    if (size == 0) {
++        return 0;
++    }
++
++#ifdef MS_WINDOWS
++    return win32_urandom((unsigned char *)buffer, size, raise);
++#else
++
++#if defined(PY_GETRANDOM) || defined(PY_GETENTROPY)
++#ifdef PY_GETRANDOM
++    res = py_getrandom(buffer, size, raise);
++#else
++    res = py_getentropy(buffer, size, raise);
++#endif
++    if (res < 0) {
++        return -1;
++    }
++    if (res == 1) {
++        return 0;
++    }
++    /* getrandom() or getentropy() function is not available: failed with
++       ENOSYS, EPERM or EAGAIN. Fall back on reading from /dev/urandom. */
++#endif
++
++    return dev_urandom(buffer, size, raise);
++#endif
++}
++
+ /* Fill buffer with size pseudo-random bytes from the operating system random
+    number generator (RNG). It is suitable for most cryptographic purposes
+    except long living private keys for asymmetric encryption.
+ 
+-   Return 0 on success, raise an exception and return -1 on error. */
++   Return 0 on success. Raise an exception and return -1 on error. */
+ int
+ _PyOS_URandom(void *buffer, Py_ssize_t size)
+ {
+-    if (size < 0) {
+-        PyErr_Format(PyExc_ValueError,
+-                     "negative argument not allowed");
+-        return -1;
+-    }
+-    if (size == 0)
+-        return 0;
+-
+-#ifdef MS_WINDOWS
+-    return win32_urandom((unsigned char *)buffer, size, 1);
+-#elif defined(PY_GETENTROPY)
+-    return py_getentropy(buffer, size, 0);
+-#else
+-    return dev_urandom_python((char*)buffer, size);
+-#endif
++    return pyurandom(buffer, size, 1);
+ }
+ 
+ void
+@@ -463,13 +558,14 @@ void
+         }
+     }
+     else {
+-#ifdef MS_WINDOWS
+-        (void)win32_urandom(secret, secret_size, 0);
+-#elif defined(PY_GETENTROPY)
+-        (void)py_getentropy(secret, secret_size, 1);
+-#else
+-        dev_urandom_noraise(secret, secret_size);
+-#endif
++        int res;
++
++        /* _PyRandom_Init() is called very early in the Python initialization
++           and so exceptions cannot be used (use raise=0). */
++        res = pyurandom(secret, secret_size, 0);
++        if (res < 0) {
++            Py_FatalError("failed to get random numbers to initialize Python");
++        }
+     }
+ }
+ 
+@@ -481,8 +577,6 @@ void
+         CryptReleaseContext(hCryptProv, 0);
+         hCryptProv = 0;
+     }
+-#elif defined(PY_GETENTROPY)
+-    /* nothing to clean */
+ #else
+     dev_urandom_close();
+ #endif
+
diff --git a/gnu/packages/patches/python-fix-tests.patch b/gnu/packages/patches/python-fix-tests.patch
index e093307c51..d8f69866fd 100644
--- a/gnu/packages/patches/python-fix-tests.patch
+++ b/gnu/packages/patches/python-fix-tests.patch
@@ -3,23 +3,22 @@ http://bugs.python.org/issue20868 .
 
 --- Lib/test/test_shutil.py     2014-03-01 03:02:36.088311000 +0100
 +++ Lib/test/test_shutil.py     2014-03-01 04:56:37.768311000 +0100
-@@ -1053,6 +1053,7 @@
+@@ -1127,6 +1127,7 @@
          self.assertRaises(ValueError, make_archive, base_name, 'xxx')
- 
-     @requires_zlib
+
+     @support.requires_zlib
 +    @unittest.skipIf(True, "getgrgid(0)[0] raises a KeyError on Guix")
      def test_make_archive_owner_group(self):
          # testing make_archive with owner and group, with various combinations
          # this works even if there's not gid/uid support
-@@ -1081,6 +1082,7 @@
- 
- 
-     @requires_zlib
+@@ -1155,6 +1156,7 @@
+
+
+     @support.requires_zlib
 +    @unittest.skipIf(True, "getgrgid(0)[0] raises a KeyError on Guix")
      @unittest.skipUnless(UID_GID_SUPPORT, "Requires grp and pwd support")
      def test_tarfile_root_owner(self):
-         tmpdir, tmpdir2, base_name =  self._create_files()
-
+         root_dir, base_dir = self._create_files()
 --- Lib/test/test_socket.py.orig	2014-03-02 22:14:12.264311000 +0100
 +++ Lib/test/test_socket.py	2014-03-21 03:50:45.660311000 +0100
 @@ -819,6 +819,8 @@
diff --git a/gnu/packages/patches/python-pillow-freetype-2.7-test-failure.patch b/gnu/packages/patches/python-pillow-freetype-2.7-test-failure.patch
new file mode 100644
index 0000000000..18bc30bc79
--- /dev/null
+++ b/gnu/packages/patches/python-pillow-freetype-2.7-test-failure.patch
@@ -0,0 +1,75 @@
+Fix some test failures when building with freetype-2.7.
+
+https://github.com/python-pillow/Pillow/issues/2116
+https://github.com/python-pillow/Pillow/pull/2286
+
+Patch copied from upstream source repository:
+
+https://github.com/python-pillow/Pillow/commit/acf68c835c93ba144f83198306aa7e6082a43f43
+
+From acf68c835c93ba144f83198306aa7e6082a43f43 Mon Sep 17 00:00:00 2001
+From: hugovk <hugovk@users.noreply.github.com>
+Date: Mon, 12 Dec 2016 15:16:43 +0200
+Subject: [PATCH] Increase epsilon for FreeType 2.7
+
+---
+ Tests/test_imagefont.py | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
+index de89ac92..5207dce3 100644
+--- a/Tests/test_imagefont.py
++++ b/Tests/test_imagefont.py
+@@ -125,7 +125,9 @@ try:
+ 
+             target = 'Tests/images/rectangle_surrounding_text.png'
+             target_img = Image.open(target)
+-            self.assert_image_similar(im, target_img, .5)
++
++            # Epsilon ~.5 fails with FreeType 2.7
++            self.assert_image_similar(im, target_img, 2.5)
+ 
+         def test_render_multiline(self):
+             im = Image.new(mode='RGB', size=(300, 100))
+@@ -144,7 +146,7 @@ try:
+             # some versions of freetype have different horizontal spacing.
+             # setting a tight epsilon, I'm showing the original test failure
+             # at epsilon = ~38.
+-            self.assert_image_similar(im, target_img, .5)
++            self.assert_image_similar(im, target_img, 6.2)
+ 
+         def test_render_multiline_text(self):
+             ttf = ImageFont.truetype(FONT_PATH, FONT_SIZE)
+@@ -158,7 +160,8 @@ try:
+             target = 'Tests/images/multiline_text.png'
+             target_img = Image.open(target)
+ 
+-            self.assert_image_similar(im, target_img, .5)
++            # Epsilon ~.5 fails with FreeType 2.7
++            self.assert_image_similar(im, target_img, 6.2)
+ 
+             # Test that text() can pass on additional arguments
+             # to multiline_text()
+@@ -178,7 +181,8 @@ try:
+                 target = 'Tests/images/multiline_text'+ext+'.png'
+                 target_img = Image.open(target)
+ 
+-                self.assert_image_similar(im, target_img, .5)
++                # Epsilon ~.5 fails with FreeType 2.7
++                self.assert_image_similar(im, target_img, 6.2)
+ 
+         def test_unknown_align(self):
+             im = Image.new(mode='RGB', size=(300, 100))
+@@ -227,7 +231,8 @@ try:
+             target = 'Tests/images/multiline_text_spacing.png'
+             target_img = Image.open(target)
+ 
+-            self.assert_image_similar(im, target_img, .5)
++            # Epsilon ~.5 fails with FreeType 2.7
++            self.assert_image_similar(im, target_img, 6.2)
+ 
+         def test_rotated_transposed_font(self):
+             img_grey = Image.new("L", (100, 100))
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/sed-hurd-path-max.patch b/gnu/packages/patches/sed-hurd-path-max.patch
deleted file mode 100644
index 5226cba4cb..0000000000
--- a/gnu/packages/patches/sed-hurd-path-max.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-7bb8d35d0330161a5af5341471d0c183a067e8c2
-Author: Jose E. Marchesi <jemarch@gnu.org>
-Date:   Sun Oct 6 14:43:38 2013 +0200
-
-    Set PATH_MAX to some constant in case it is not defined in system
-    headers.
-    
-    2013-10-06  Jose E. Marchesi  <jemarch@gnu.org>
-    
-    	* basicdefs.h (PATH_MAX): Defined to some constant in case it is
-    	not defined by system headers.
-    	* sed/utils.c: Do not include pathmax.h anymore.
-    	* bootstrap.conf (gnulib_modules): Do not use the gnulib module
-    	pathmax.
-
-diff --git a/basicdefs.h b/basicdefs.h
-index 0d28a97..09f5beb 100644
---- a/basicdefs.h
-+++ b/basicdefs.h
-@@ -40,6 +41,13 @@ typedef unsigned long countT;
- #define obstack_chunk_alloc  ck_malloc
- #define obstack_chunk_free   free
- 
-+/* MAX_PATH is not defined in some platforms, most notably GNU/Hurd.
-+   In that case we define it here to some constant.  Note however that
-+   this relies in the fact that sed does reallocation if a buffer
-+   needs to be larger than PATH_MAX.  */
-+#ifndef PATH_MAX
-+# define PATH_MAX 200
-+#endif
- 
- /* handle misdesigned <ctype.h> macros (snarfed from lib/regex.c) */
- /* Jim Meyering writes:
- 
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 0000000000..b79be9bc94
--- /dev/null
+++ b/gnu/packages/patches/tar-CVE-2016-6321.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6321:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
+https://security-tracker.debian.org/tracker/CVE-2016-6321
+
+Patch adapted from upstream source repository (the changes to 'NEWS'
+don't apply to the Tar 1.29 release tarball).
+
+http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS          | 8 +++++++-
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
deleted file mode 100644
index 1426883216..0000000000
--- a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Do not define BSDWAIT to avoid error "storage size of ‘w’ isn’t known".
-
-This is an adapted version of the upstream patch taken from here:
-https://github.com/tcsh-org/tcsh/commit/4689eb60a74bf13bc146ca3d76e9d7a124ab7b49.patch
-
-From 4689eb60a74bf13bc146ca3d76e9d7a124ab7b49 Mon Sep 17 00:00:00 2001
-From: christos <christos>
-Date: Fri, 23 Sep 2016 19:17:28 +0000
-Subject: [PATCH] Don't define BSDWAIT for linux anymore.
-
----
- sh.proc.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/sh.proc.c b/sh.proc.c
-index 49b199f..874d67c 100644
---- sh.proc.c
-+++ sh.proc.c
-@@ -47,11 +47,9 @@ RCSID("$tcsh$")
- # define HZ 16
- #endif /* aiws */
- 
--#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) || defined(__linux__) || defined(__GNU__) || defined(__GLIBC__)
--# if !defined(__ANDROID__)
--#  define BSDWAIT
--# endif
--#endif /* _BSD || (IRIS4D && __STDC__) || __lucid || glibc */
-+#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid)
-+# define BSDWAIT
-+#endif /* _BSD || (IRIS4D && __STDC__) || __lucid */
- #ifndef WTERMSIG
- # define WTERMSIG(w)	(((union wait *) &(w))->w_termsig)
- # ifndef BSDWAIT
diff --git a/gnu/packages/patches/tcsh-fix-autotest.patch b/gnu/packages/patches/tcsh-fix-autotest.patch
index a16980161c..78444a1b2a 100644
--- a/gnu/packages/patches/tcsh-fix-autotest.patch
+++ b/gnu/packages/patches/tcsh-fix-autotest.patch
@@ -1,6 +1,6 @@
---- tests/commands.at	2011-01-22 01:04:02.000000000 +0100
-+++ tests/commands.at	2013-02-04 10:57:24.000000000 +0100
-@@ -919,26 +919,27 @@
+--- tests/commands.at
++++ tests/commands.at
+@@ -921,26 +921,27 @@ AT_CLEANUP
  TCSH_UNTESTED([notify])
  
  
@@ -48,27 +48,9 @@
  
  
  AT_SETUP([popd])
-@@ -1203,11 +1204,12 @@
- AT_DATA([script.csh],
- [[set var=$1
- ]])
--AT_CHECK([[tcsh -f -c 'source -h script.csh foo; history' \
--	   | sed 's/	[^	]*	/ TIME /']], ,
--[     1 TIME source -h script.csh foo ; history
--     2 TIME set var=$1
--])
-+# XXX: Not sure why this fails. The output is : "1 TIME set var=$1"
-+#AT_CHECK([[tcsh -f -c 'source -h script.csh foo; history' \
-+#	   | sed 's/	[^	]*	/ TIME /']], ,
-+#[     1 TIME source -h script.csh foo ; history
-+#     2 TIME set var=$1
-+#])
- 
- AT_CHECK([tcsh -f -c 'source -h script.csh foo; echo $var'], 1, [],
- [var: Undefined variable.
---- tests/lexical.at	2011-12-27 22:50:52.000000000 +0100
-+++ tests/lexical.at	2013-02-04 10:53:21.000000000 +0100
-@@ -33,9 +33,9 @@
+--- tests/lexical.at
++++ tests/lexical.at
+@@ -35,9 +35,9 @@ AT_CHECK([if [ ! -t 0 ]; then exit 77; fi],, [Skipping comment tests])
  AT_CHECK([echo 'echo OK@%:@comment' | tcsh -f], , [OK
  ])
  
@@ -81,9 +63,33 @@
  
  AT_DATA([comment2.csh],
  [[echo testing...@%:@\
---- tests/subst.at	2011-12-27 22:50:52.000000000 +0100
-+++ tests/subst.at	2013-02-01 08:14:25.000000000 +0100
-@@ -54,7 +54,7 @@
+@@ -567,10 +567,10 @@ run=3
+# Adapt to changes in sed 4.3:
+# https://github.com/tcsh-org/tcsh/commit/2ad4fc1705893207598ed5cd21713ddf3f17bba0
+ ]])
+ AT_DATA([uniformity_test.csh],
+ [[
+-set SERVICE_NAME_LOG = `cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[:blank:]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g'`
++set SERVICE_NAME_LOG = `cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[[:blank:]]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g'`
+ echo -n "$SERVICE_NAME_LOG" > ./output1
+ 
+-cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[:blank:]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g' > ./output2
++cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[[:blank:]]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g' > ./output2
+ 
+ diff -uprN ./output1 ./output2 >& /dev/null
+ 
+@@ -587,7 +587,7 @@ AT_DATA([quoting_result_test.csh],
+ echo "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP\)(HOST=db\)(PORT=1521\)\)(CONNECT_DATA=(SERVER=DEDICATED\)(SERVICE_NAME=bns03\)\)\)" > ./expected_result
+ 
+ set string = "jdbc_url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=bns03)))"
+-set SERVICE_NAME_LOG  = `echo "$string" | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[:blank:]*\([^$]*\)$/\1/p' | perl -pe 's/\)/\\\)/g'`
++set SERVICE_NAME_LOG  = `echo "$string" | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[[:blank:]]*\([^$]*\)$/\1/p' | perl -pe 's/\)/\\\)/g'`
+ 
+ echo "$SERVICE_NAME_LOG" > ./actual_result
+ 
+--- tests/subst.at
++++ tests/subst.at
+@@ -54,7 +54,7 @@ AT_CHECK([echo 'echo ~; echo "$HOME"' | tcsh -f | uniq | wc -l | tr -d ' \t'],
  , [1
  ])
  
@@ -92,39 +98,9 @@
  	  | wc -l | tr -d ' \t'], , [1
  ])
  
---- tests/variables.at	2011-12-27 22:50:52.000000000 +0100
-+++ tests/variables.at	2013-02-04 11:40:35.000000000 +0100
-@@ -317,17 +317,18 @@
- AT_CLEANUP
- 
- 
--AT_SETUP([$ edit])
--
--AT_CHECK([TERM=something tcsh -f -c 'echo $?edit'], ,
--[1
--])
--
--AT_CHECK([TERM=dumb tcsh -f -c 'echo $?edit'], ,
--[0
--])
--
--AT_CLEANUP
-+# XXX
-+#AT_SETUP([$ edit])
-+#
-+#AT_CHECK([TERM=something tcsh -f -c 'echo $?edit'], ,
-+#[1
-+#])
-+#
-+#AT_CHECK([TERM=dumb tcsh -f -c 'echo $?edit'], ,
-+#[0
-+#])
-+#
-+#AT_CLEANUP
- 
- 
- AT_SETUP([$ ellipsis])
-@@ -642,7 +643,8 @@
+--- tests/variables.at
++++ tests/variables.at
+@@ -666,7 +666,8 @@ set listflags=(-xA $cwd/args.sh)
  ls-F -something .
  ]])
  AT_DATA([args.sh],
@@ -134,7 +110,22 @@
  ]])
  chmod a+x args.sh
  AT_CHECK([tcsh -f listflags.csh], ,
-@@ -695,55 +697,57 @@
+@@ -704,9 +705,9 @@ AT_CHECK([tcsh -f mail.csh], ,
+# This test fails by trying to change to the build user's home
+# directory, which does not exist.
+ AT_CLEANUP
+ 
+ 
+-AT_SETUP([$ cdtohome])
+-AT_CHECK([tcsh -f -c 'cd'], 0)
+-AT_CLEANUP
++#AT_SETUP([$ cdtohome])
++#AT_CHECK([tcsh -f -c 'cd'], 0)
++#AT_CLEANUP
+ AT_SETUP([$ noimplicithome])
+ AT_CHECK([tcsh -f -c 'unset cdtohome; cd'], 1, , [cd: Too few arguments.
+ ])
+@@ -728,55 +729,57 @@ TCSH_UNTESTED([$ oid])
  AT_SETUP([$ owd])
  
  AT_DATA([owd.csh],
diff --git a/gnu/packages/patches/wget-fix-504-test-timeout.patch b/gnu/packages/patches/wget-fix-504-test-timeout.patch
new file mode 100644
index 0000000000..d9bf154103
--- /dev/null
+++ b/gnu/packages/patches/wget-fix-504-test-timeout.patch
@@ -0,0 +1,160 @@
+This patch is from upstream. If a machine is too slow it can cause
+test-504.py to fail.
+http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
+
+From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 14 Feb 2017 16:20:26 +0100
+Subject: Fix 504 status handling
+
+* src/http.c (gethttp): Move 504 handling to correct place.
+  (http_loop): Fix memeory leak.
+* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
+  status codes with a body
+
+Reported-by: Adam Sampson
+---
+ src/http.c                         | 30 +++++++++++-------------------
+ testenv/server/http/http_server.py |  9 +++++----
+ 2 files changed, 16 insertions(+), 23 deletions(-)
+
+diff --git a/src/http.c b/src/http.c
+index 898e184..d2c5c77 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ 
+ #ifdef HAVE_METALINK
+   /* We need to check for the Metalink data in the very first response
+-     we get from the server (before redirectionrs, authorization, etc.).  */
++     we get from the server (before redirections, authorization, etc.).  */
+   if (metalink)
+     {
+       hs->metalink = metalink_from_http (resp, hs, u);
+@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+       uerr_t auth_err = RETROK;
+       bool retry;
+       /* Normally we are not interested in the response body.
+-         But if we are writing a WARC file we are: we like to keep everyting.  */
++         But if we are writing a WARC file we are: we like to keep everything.  */
+       if (warc_enabled)
+         {
+           int _err;
+@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+         pconn.authorized = true;
+     }
+ 
+-  if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
+-    {
+-      hs->len = 0;
+-      hs->res = 0;
+-      hs->restval = 0;
+-
+-      CLOSE_FINISH (sock);
+-      xfree (hs->message);
+-
+-      retval = GATEWAYTIMEOUT;
+-      goto cleanup;
+-    }
+-
+-
+   {
+     uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
+     if (ret != RETROK)
+@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+               retval = _err;
+               goto cleanup;
+             }
+-          else
+-            CLOSE_FINISH (sock);
++
++          CLOSE_FINISH (sock);
+         }
+       else
+         {
+@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+             CLOSE_INVALIDATE (sock);
+         }
+ 
+-      retval = RETRFINISHED;
++      if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
++        retval = GATEWAYTIMEOUT;
++      else
++        retval = RETRFINISHED;
++
+       goto cleanup;
+     }
+ 
+@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
+              bring them to "while" statement at the end, to judge
+              whether the number of tries was exceeded.  */
+           printwhat (count, opt.ntry);
++          xfree (hstat.message);
++          xfree (hstat.error);
+           continue;
+         case FWRITEERR: case FOPENERR:
+           /* Another fatal error.  */
+diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
+index e96f6e8..b222df0 100644
+--- a/testenv/server/http/http_server.py
++++ b/testenv/server/http/http_server.py
+@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
+ 
+     def Response(self, resp_obj):
+         self.send_response(resp_obj.response_code)
+-        self.finish_headers()
+         if resp_obj.response_code == 304:
+             raise NoBodyServerError("Conditional get falling to head")
+         raise ServerError("Custom Response code sent.")
+@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
+         except AuthError as se:
+             self.send_response(401, "Authorization Required")
+             self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
+-            self.finish_headers()
+             raise se
+ 
+     def handle_auth(self, auth_rule):
+@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
+             if header_recd is None or header_recd != exp_headers[header_line]:
+                 self.send_error(400, "Expected Header %s not found" %
+                                 header_line)
+-                self.finish_headers()
+                 raise ServerError("Header " + header_line + " not found")
+ 
+     def RejectHeader(self, header_obj):
+@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
+             if header_recd and header_recd == rej_headers[header_line]:
+                 self.send_error(400, 'Blacklisted Header %s received' %
+                                 header_line)
+-                self.finish_headers()
+                 raise ServerError("Header " + header_line + ' received')
+ 
+     def __log_request(self, method):
+@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
+ 
+             content = self.server.fileSys.get(path)
+             content_length = len(content)
++
+             for rule_name in self.rules:
+                 try:
+                     assert hasattr(self, rule_name)
+@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
+                     return(None, None)
+                 except AuthError as ae:
+                     print(ae.__str__())
++                    self.finish_headers()
+                     return(None, None)
+                 except NoBodyServerError as nbse:
+                     print(nbse.__str__())
++                    self.finish_headers()
+                     return(None, None)
+                 except ServerError as se:
+                     print(se.__str__())
++                    self.add_header("Content-Length", content_length)
++                    self.finish_headers()
+                     return(content, None)
+ 
+             try:
+-- 
+cgit v1.0-41-gc330
+
diff --git a/gnu/packages/patches/xcb-proto-python3-print.patch b/gnu/packages/patches/xcb-proto-python3-print.patch
new file mode 100644
index 0000000000..7d5dc9bc27
--- /dev/null
+++ b/gnu/packages/patches/xcb-proto-python3-print.patch
@@ -0,0 +1,75 @@
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xcb/proto/commit/?id=bea5e1c85bdc0950913790364e18228f20395a3d
+
+From bea5e1c85bdc0950913790364e18228f20395a3d Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <wiz@NetBSD.org>
+Date: Thu, 19 May 2016 17:30:05 +0200
+Subject: [PATCH] print() is a function and needs parentheses.
+
+Fixes build with python-3.x.
+
+Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ xcbgen/xtypes.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/xcbgen/xtypes.py b/xcbgen/xtypes.py
+index c3b5758..b83b119 100644
+--- a/xcbgen/xtypes.py
++++ b/xcbgen/xtypes.py
+@@ -501,7 +501,7 @@ class ComplexType(Type):
+                 int(required_start_align_element.get('align', "4"), 0),
+                 int(required_start_align_element.get('offset', "0"), 0))
+             if verbose_align_log:
+-                print "Explicit start-align for %s: %s\n" % (self, self.required_start_align)
++                print ("Explicit start-align for %s: %s\n" % (self, self.required_start_align))
+ 
+     def resolve(self, module):
+         if self.resolved:
+@@ -592,7 +592,7 @@ class ComplexType(Type):
+                 if verbose_align_log:
+                     print ("calc_required_start_align: %s has start-align %s"
+                         % (str(self), str(self.required_start_align)))
+-                    print "Details:\n" + str(log)
++                    print ("Details:\n" + str(log))
+                 if self.required_start_align.offset != 0:
+                     print (("WARNING: %s\n\thas start-align with non-zero offset: %s"
+                         + "\n\tsuggest to add explicit definition with:"
+@@ -619,12 +619,12 @@ class ComplexType(Type):
+             for offset in range(0,align):
+                 align_candidate = Alignment(align, offset)
+                 if verbose_align_log:
+-                    print "trying %s for %s" % (str(align_candidate), str(self))
++                    print ("trying %s for %s" % (str(align_candidate), str(self)))
+                 my_log = AlignmentLog()
+                 if self.is_possible_start_align(align_candidate, callstack, my_log):
+                     log.append(my_log)
+                     if verbose_align_log:
+-                        print "found start-align %s for %s" % (str(align_candidate), str(self))
++                        print ("found start-align %s for %s" % (str(align_candidate), str(self)))
+                     return align_candidate
+                 else:
+                     my_ok_count = my_log.ok_count()
+@@ -641,7 +641,7 @@ class ComplexType(Type):
+         # none of the candidates applies
+         # this type has illegal internal aligns for all possible start_aligns
+         if verbose_align_log:
+-            print "didn't find start-align for %s" % str(self)
++            print ("didn't find start-align for %s" % str(self))
+         log.append(best_log)
+         return None
+ 
+@@ -900,7 +900,7 @@ class SwitchType(ComplexType):
+     # aux function for unchecked_get_alignment_after
+     def get_align_for_selected_case_field(self, case_field, start_align, callstack, log):
+         if verbose_align_log:
+-            print "get_align_for_selected_case_field: %s, case_field = %s" % (str(self), str(case_field))
++            print ("get_align_for_selected_case_field: %s, case_field = %s" % (str(self), str(case_field)))
+         total_align = start_align
+         for field in self.bitcases:
+             my_callstack = callstack[:]
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/xcb-proto-python3-whitespace.patch b/gnu/packages/patches/xcb-proto-python3-whitespace.patch
new file mode 100644
index 0000000000..f0509138b2
--- /dev/null
+++ b/gnu/packages/patches/xcb-proto-python3-whitespace.patch
@@ -0,0 +1,217 @@
+Fixes compatibility issue with python > 3.5.
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xcb/proto/commit/?id=ea7a3ac6c658164690e0febb55f4467cb9e0bcac
+
+From ea7a3ac6c658164690e0febb55f4467cb9e0bcac Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <wiz@NetBSD.org>
+Date: Thu, 19 May 2016 17:30:04 +0200
+Subject: [PATCH] Make whitespace use consistent.
+
+At least python-3.5.x complains about this forcefully.
+
+Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ xcbgen/align.py | 96 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 48 insertions(+), 48 deletions(-)
+
+diff --git a/xcbgen/align.py b/xcbgen/align.py
+index 5e31838..d4c12ee 100644
+--- a/xcbgen/align.py
++++ b/xcbgen/align.py
+@@ -16,12 +16,12 @@ class Alignment(object):
+         return self.align == other.align and self.offset == other.offset
+ 
+     def __str__(self):
+-	return "(align=%d, offset=%d)" % (self.align, self.offset)
++        return "(align=%d, offset=%d)" % (self.align, self.offset)
+ 
+     @staticmethod
+     def for_primitive_type(size):
+-	# compute the required start_alignment based on the size of the type
+-	if size % 8 == 0:
++        # compute the required start_alignment based on the size of the type
++        if size % 8 == 0:
+             # do 8-byte primitives require 8-byte alignment in X11?
+             return Alignment(8,0)
+         elif size % 4 == 0:
+@@ -33,7 +33,7 @@ class Alignment(object):
+ 
+ 
+     def align_after_fixed_size(self, size):
+-	new_offset = (self.offset + size) % self.align
++        new_offset = (self.offset + size) % self.align
+         return Alignment(self.align, new_offset)
+ 
+ 
+@@ -41,7 +41,7 @@ class Alignment(object):
+         '''
+         Assuming the given external_align, checks whether
+         self is fulfilled for all cases.
+-	Returns True if yes, False otherwise.
++        Returns True if yes, False otherwise.
+         '''
+         if self.align == 1 and self.offset == 0:
+             # alignment 1 with offset 0 is always fulfilled
+@@ -55,9 +55,9 @@ class Alignment(object):
+             # the external align guarantees less alignment -> not guaranteed
+             return False
+ 
+-	if external_align.align % self.align != 0:
++        if external_align.align % self.align != 0:
+             # the external align cannot be divided by our align
+-	    # -> not guaranteed
++            # -> not guaranteed
+             # (this can only happen if there are alignments that are not
+             # a power of 2, which is highly discouraged. But better be
+             # safe and check for it)
+@@ -72,7 +72,7 @@ class Alignment(object):
+ 
+     def combine_with(self, other):
+         # returns the alignment that is guaranteed when
+-	# both, self or other, can happen
++        # both, self or other, can happen
+         new_align = gcd(self.align, other.align)
+         new_offset_candidate1 = self.offset % new_align
+         new_offset_candidate2 = other.offset % new_align
+@@ -83,8 +83,8 @@ class Alignment(object):
+             new_align = gcd(new_align, offset_diff)
+             new_offset_candidate1 = self.offset % new_align
+             new_offset_candidate2 = other.offset % new_align
+-	    assert new_offset_candidate1 == new_offset_candidate2
+-	    new_offset = new_offset_candidate1
++            assert new_offset_candidate1 == new_offset_candidate2
++            new_offset = new_offset_candidate1
+         # return the result
+         return Alignment(new_align, new_offset)
+ 
+@@ -92,44 +92,44 @@ class Alignment(object):
+ class AlignmentLog(object):
+ 
+     def __init__(self):
+-	self.ok_list = []
+-	self.fail_list = []
+-	self.verbosity = 1
++        self.ok_list = []
++        self.fail_list = []
++        self.verbosity = 1
+ 
+     def __str__(self):
+-	result = ""
++        result = ""
+ 
+-	# output the OK-list
+-	for (align_before, field_name, type_obj, callstack, align_after) in self.ok_list:
+-	    stacksize = len(callstack)
++        # output the OK-list
++        for (align_before, field_name, type_obj, callstack, align_after) in self.ok_list:
++            stacksize = len(callstack)
+             indent = '  ' * stacksize
+-	    if self.ok_callstack_is_relevant(callstack):
++            if self.ok_callstack_is_relevant(callstack):
+                 if field_name is None or field_name == "":
+-	            result += ("    %sok: %s:\n\t%sbefore: %s, after: %s\n"
+-		        % (indent, str(type_obj), indent, str(align_before), str(align_after)))
+-	        else:
+-		    result += ("    %sok: field \"%s\" in %s:\n\t%sbefore: %s, after: %s\n"
+-		        % (indent, str(field_name), str(type_obj),
+-		           indent, str(align_before), str(align_after)))
++                    result += ("    %sok: %s:\n\t%sbefore: %s, after: %s\n"
++                        % (indent, str(type_obj), indent, str(align_before), str(align_after)))
++                else:
++                    result += ("    %sok: field \"%s\" in %s:\n\t%sbefore: %s, after: %s\n"
++                        % (indent, str(field_name), str(type_obj),
++                           indent, str(align_before), str(align_after)))
+                 if self.verbosity >= 1:
+-		    result += self.callstack_to_str(indent, callstack)
++                    result += self.callstack_to_str(indent, callstack)
+ 
+-	# output the fail-list
+-	for (align_before, field_name, type_obj, callstack, reason) in self.fail_list:
+-	    stacksize = len(callstack)
++        # output the fail-list
++        for (align_before, field_name, type_obj, callstack, reason) in self.fail_list:
++            stacksize = len(callstack)
+             indent = '  ' * stacksize
+-	    if field_name is None or field_name == "":
+-	        result += ("    %sfail: align %s is incompatible with\n\t%s%s\n\t%sReason: %s\n"
+-		    % (indent, str(align_before), indent, str(type_obj), indent, reason))
+-	    else:
+-		result += ("    %sfail: align %s is incompatible with\n\t%sfield \"%s\" in %s\n\t%sReason: %s\n"
+-		    % (indent, str(align_before), indent, str(field_name), str(type_obj), indent, reason))
++            if field_name is None or field_name == "":
++                result += ("    %sfail: align %s is incompatible with\n\t%s%s\n\t%sReason: %s\n"
++                    % (indent, str(align_before), indent, str(type_obj), indent, reason))
++            else:
++                result += ("    %sfail: align %s is incompatible with\n\t%sfield \"%s\" in %s\n\t%sReason: %s\n"
++                    % (indent, str(align_before), indent, str(field_name), str(type_obj), indent, reason))
+ 
+             if self.verbosity >= 1:
+-	        result += self.callstack_to_str(indent, callstack)
++                result += self.callstack_to_str(indent, callstack)
+ 
+ 
+-	return result
++        return result
+ 
+ 
+     def callstack_to_str(self, indent, callstack):
+@@ -137,41 +137,41 @@ class AlignmentLog(object):
+         for stack_elem in callstack:
+             result += "\t  %s%s\n" % (indent, str(stack_elem))
+         result += "\t%s]\n" % indent
+-	return result
++        return result
+ 
+ 
+     def ok_callstack_is_relevant(self, ok_callstack):
+         # determine whether an ok callstack is relevant for logging
+-	if self.verbosity >= 2:
+-	    return True
++        if self.verbosity >= 2:
++            return True
+ 
+         # empty callstacks are always relevant
+-	if len(ok_callstack) == 0:
++        if len(ok_callstack) == 0:
+             return True
+ 
+-	# check whether the ok_callstack is a subset or equal to a fail_callstack
++        # check whether the ok_callstack is a subset or equal to a fail_callstack
+         for (align_before, field_name, type_obj, fail_callstack, reason) in self.fail_list:
+             if len(ok_callstack) <= len(fail_callstack):
+                 zipped = zip(ok_callstack, fail_callstack[:len(ok_callstack)])
+-		is_subset = all([i == j for i, j in zipped])
+-		if is_subset:
++                is_subset = all([i == j for i, j in zipped])
++                if is_subset:
+                     return True
+ 
+         return False
+ 
+ 
+     def ok(self, align_before, field_name, type_obj, callstack, align_after):
+-	self.ok_list.append((align_before, field_name, type_obj, callstack, align_after))
++        self.ok_list.append((align_before, field_name, type_obj, callstack, align_after))
+ 
+     def fail(self, align_before, field_name, type_obj, callstack, reason):
+-	self.fail_list.append((align_before, field_name, type_obj, callstack, reason))
++        self.fail_list.append((align_before, field_name, type_obj, callstack, reason))
+ 
+     def append(self, other):
+-	self.ok_list.extend(other.ok_list)
+-	self.fail_list.extend(other.fail_list)
++        self.ok_list.extend(other.ok_list)
++        self.fail_list.extend(other.fail_list)
+ 
+     def ok_count(self):
+-	return len(self.ok_list)
++        return len(self.ok_list)
+ 
+ 
+ 
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch b/gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch
new file mode 100644
index 0000000000..dc594bdccb
--- /dev/null
+++ b/gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch
@@ -0,0 +1,46 @@
+Resolves a test compatibility issue with xorg >= 1.19.
+
+Upstream bug report:
+
+https://sourceforge.net/p/linuxwacom/bugs/329/
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/linuxwacom/xf86-input-wacom/ci/f0dedf7a610ac97bc45738492b98ce4f1e0514ec/
+
+From f0dedf7a610ac97bc45738492b98ce4f1e0514ec Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Wed, 18 Jan 2017 09:00:10 -0800
+Subject: [PATCH] tests: Fix compilation under ABI 25 and greater
+
+diff --git a/test/fake-symbols.c b/test/fake-symbols.c
+index 6f2c10a..e649fb9 100644
+--- a/test/fake-symbols.c
++++ b/test/fake-symbols.c
+@@ -493,6 +493,7 @@ void TimerFree(OsTimerPtr timer)
+ {
+ }
+ 
++#if GET_ABI_MAJOR(ABI_XINPUT_VERSION) < 24
+ int
+ xf86BlockSIGIO (void)
+ {
+@@ -503,6 +504,15 @@ void
+ xf86UnblockSIGIO (int wasset)
+ {
+ }
++#else
++void input_lock (void)
++{
++}
++
++void input_unlock (void)
++{
++}
++#endif
+ 
+ /* This is not the same as the X server one, but it'll do for the tests */
+ #if GET_ABI_MAJOR(ABI_XINPUT_VERSION) >= 14
+-- 
+2.11.1
+