summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/ath9k-htc-firmware-binutils.patch39
-rw-r--r--gnu/packages/patches/binutils-mips-bash-bug.patch22
-rw-r--r--gnu/packages/patches/cmake-fix-tests.patch83
-rw-r--r--gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch142
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283-refix.patch39
-rw-r--r--gnu/packages/patches/expat-CVE-2016-0718.patch761
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/fontconfig-CVE-2016-5384.patch170
-rw-r--r--gnu/packages/patches/gawk-fts-test.patch51
-rw-r--r--gnu/packages/patches/gcc-arm-bug-71399.patch55
-rw-r--r--gnu/packages/patches/gnupg-fix-expired-test.patch78
-rw-r--r--gnu/packages/patches/guile-relocatable.patch14
-rw-r--r--gnu/packages/patches/icecat-binutils.patch40
-rw-r--r--gnu/packages/patches/isl-0.11.1-aarch64-support.patch40
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7942.patch76
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7943.patch113
-rw-r--r--gnu/packages/patches/libxfixes-CVE-2016-7944.patch62
-rw-r--r--gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch420
-rw-r--r--gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch447
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7949.patch66
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7950.patch73
-rw-r--r--gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch152
-rw-r--r--gnu/packages/patches/libxv-CVE-2016-5407.patch162
-rw-r--r--gnu/packages/patches/libxvmc-CVE-2016-7953.patch42
-rw-r--r--gnu/packages/patches/linux-pam-no-setfsuid.patch75
-rw-r--r--gnu/packages/patches/mesa-wayland-egl-symbols-check-mips.patch15
-rw-r--r--gnu/packages/patches/ola-readdir-r.patch62
-rw-r--r--gnu/packages/patches/openssl-CVE-2016-2177.patch286
-rw-r--r--gnu/packages/patches/openssl-CVE-2016-2178.patch112
-rw-r--r--gnu/packages/patches/perl-CVE-2015-8607.patch68
-rw-r--r--gnu/packages/patches/perl-CVE-2016-2381.patch116
-rw-r--r--gnu/packages/patches/perl-no-build-time.patch26
-rw-r--r--gnu/packages/patches/perl-reproducible-build-date.patch50
-rw-r--r--gnu/packages/patches/perl-source-date-epoch.patch19
-rw-r--r--gnu/packages/patches/perl-www-curl-remove-symbol.patch39
-rw-r--r--gnu/packages/patches/procps-non-linux.patch40
-rw-r--r--gnu/packages/patches/python-3.4-fix-tests.patch12
-rw-r--r--gnu/packages/patches/python-3.5-fix-tests.patch46
-rw-r--r--gnu/packages/patches/python-disable-ssl-test.patch12
-rw-r--r--gnu/packages/patches/python-file-double-encoding-bug.patch50
-rw-r--r--gnu/packages/patches/python-fix-tests.patch15
-rw-r--r--gnu/packages/patches/python-parse-too-many-fields.patch52
-rw-r--r--gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch33
43 files changed, 731 insertions, 3574 deletions
diff --git a/gnu/packages/patches/ath9k-htc-firmware-binutils.patch b/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
index edd411e1a8..aa253e135f 100644
--- a/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
+++ b/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
@@ -1,6 +1,12 @@
-This Binutils patch is from the ath9k-htc-firmware repository (version 1.3.2).
-Not applying it (apparently) leads to miscompiled firmware, and loading it
-fails with a "Target is unresponsive" message from the 'ath9k_htc' module.
+These Binutils patches are from the ath9k-htc-firmware repository
+(commit f6af791348b68ceadab375e4ed0f7bcda86cb3c0).
+
+Not applying the first patch (apparently) leads to miscompiled firmware,
+and loading it fails with a "Target is unresponsive" message from the
+'ath9k_htc' module.
+
+The final hunk, applied to 'gas/config/tc-xtensa.c', is copied from the
+upstream file 'local/patches/binutils-2.27_fixup.patch'.
 
 From dbca73446265ce01b8e11462c3346b25953e3399 Mon Sep 17 00:00:00 2001
 From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
@@ -28873,16 +28879,6 @@ diff --git a/include/xtensa-config.h b/include/xtensa-config.h
 index 30f4f41..fe9b051 100644
 --- a/include/xtensa-config.h
 +++ b/include/xtensa-config.h
-@@ -1,7 +1,7 @@
- /* Xtensa configuration settings.
--   Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010
-+   Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007
-    Free Software Foundation, Inc.
--   Contributed by Bob Wilson (bob.wilson@acm.org) at Tensilica.
-+   Contributed by Bob Wilson (bwilson@tensilica.com) at Tensilica.
- 
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
 @@ -44,10 +44,7 @@
  #define XCHAL_HAVE_L32R			1
  
@@ -28973,3 +28969,20 @@ index 30f4f41..fe9b051 100644
  #define XCHAL_MAX_INSTRUCTION_SIZE	3
 -- 
 1.8.1
+
+diff --git a/gas/config/tc-xtensa.c b/gas/config/tc-xtensa.c
+index d062044..ca261ae 100644
+--- a/gas/config/tc-xtensa.c
++++ b/gas/config/tc-xtensa.c
+@@ -2228,7 +2228,7 @@ xg_reverse_shift_count (char **cnt_argp)
+   cnt_arg = *cnt_argp;
+ 
+   /* replace the argument with "31-(argument)" */
+-  new_arg = concat ("31-(", cnt_argp, ")", (char *) NULL);
++  new_arg = concat ("31-(", cnt_arg, ")", (char *) NULL);
+ 
+   free (cnt_arg);
+   *cnt_argp = new_arg;
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/binutils-mips-bash-bug.patch b/gnu/packages/patches/binutils-mips-bash-bug.patch
new file mode 100644
index 0000000000..08d3a79749
--- /dev/null
+++ b/gnu/packages/patches/binutils-mips-bash-bug.patch
@@ -0,0 +1,22 @@
+Bash 4.2.0(1)-release, which we use during bootstrap, does not yield the
+"x" case in:
+
+  case x"$EMULATION_NAME" in x) ;; *) ;; esac
+
+when 'EMULATION_NAME' is undefined.  Bash 4.3.30(1)-release doesn't have this
+problem.  Work around it.
+
+This Bash bug was fixed
+in <http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-007>.
+
+--- a/ld/emulparams/elf32bmipn32-defs.sh
++++ b/ld/emulparams/elf32bmipn32-defs.sh
+@@ -13,7 +13,7 @@ LITTLE_OUTPUT_FORMAT="elf32-littlemips"
+ TEMPLATE_NAME=elf32
+ EXTRA_EM_FILE=mipself
+ 
+-case x"$EMULATION_NAME" in
++case "x$EMULATION_NAME" in
+ xelf32*n32*) ELFSIZE=32 ;;
+ xelf64*) ELFSIZE=64 ;;
+ x) ;;
diff --git a/gnu/packages/patches/cmake-fix-tests.patch b/gnu/packages/patches/cmake-fix-tests.patch
index f59e2cd625..732b0023ab 100644
--- a/gnu/packages/patches/cmake-fix-tests.patch
+++ b/gnu/packages/patches/cmake-fix-tests.patch
@@ -1,6 +1,17 @@
---- cmake-3.2.2.orig/Tests/CMakeLists.txt	2015-04-14 01:09:00.000000000 +0800
-+++ cmake-3.2.2/Tests/CMakeLists.txt	2015-04-28 15:02:34.913039742 +0800
-@@ -342,10 +342,12 @@
+From af0a62dadfb3db25880bc653e2e4c97435a604c9 Mon Sep 17 00:00:00 2001
+From: Efraim Flashner <efraim@flashner.co.il>
+Date: Mon, 29 Aug 2016 20:07:58 +0300
+Subject: [PATCH] cmake-fix-tests
+
+---
+ Tests/CMakeLists.txt | 83 ++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 39 deletions(-)
+
+diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt
+index f21e430..56014a2 100644
+--- a/Tests/CMakeLists.txt
++++ b/Tests/CMakeLists.txt
+@@ -416,10 +416,12 @@ if(BUILD_TESTING)
    endif()
  
    # run test for BundleUtilities on supported platforms/compilers
@@ -17,7 +28,7 @@
    if(NOT "${CMAKE_GENERATOR}" STREQUAL "Watcom WMake")
  
      add_test(BundleUtilities ${CMAKE_CTEST_COMMAND}
-@@ -2257,16 +2259,17 @@
+@@ -2481,30 +2483,32 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release
      PASS_REGULAR_EXPRESSION "Could not find executable"
      FAIL_REGULAR_EXPRESSION "SegFault")
  
@@ -31,6 +42,20 @@
 -    )
 -  set_tests_properties(CTestTestUpload PROPERTIES
 -    PASS_REGULAR_EXPRESSION "Upload\\.xml")
+-
+-  configure_file(
+-    "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
+-    "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake"
+-    @ONLY ESCAPE_QUOTES)
+-  add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND}
+-    -C \${CTEST_CONFIGURATION_TYPE}
+-    -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV
+-    --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log"
+-    )
+-  set_tests_properties(CTestCoverageCollectGCOV PROPERTIES
+-    PASS_REGULAR_EXPRESSION
+-    "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov")
+-  set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=)
 +# This test requires network connectivity: skip it.
 +#  configure_file(
 +#    "${CMake_SOURCE_DIR}/Tests/CTestTestUpload/test.cmake.in"
@@ -42,6 +67,54 @@
 +#    )
 +#  set_tests_properties(CTestTestUpload PROPERTIES
 +#    PASS_REGULAR_EXPRESSION "Upload\\.xml")
++
++# This test times out
++#  configure_file(
++#    "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
++#    "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake"
++#    @ONLY ESCAPE_QUOTES)
++#  add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND}
++#    -C \${CTEST_CONFIGURATION_TYPE}
++#    -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV
++#    --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log"
++#    )
++#  set_tests_properties(CTestCoverageCollectGCOV PROPERTIES
++#    PASS_REGULAR_EXPRESSION
++#    "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov")
++#  set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=)
+ 
+   configure_file(
+     "${CMake_SOURCE_DIR}/Tests/CTestTestEmptyBinaryDirectory/test.cmake.in"
+@@ -2860,17 +2864,18 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release
+   set_tests_properties(CTestTestStopTime PROPERTIES
+     PASS_REGULAR_EXPRESSION "The stop time has been passed")
+ 
+-  configure_file(
+-    "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in"
+-    "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake"
+-    @ONLY ESCAPE_QUOTES)
+-  add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND}
+-    -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V
+-    --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log"
+-    )
+-  #make sure all 3 subdirs were added
+-  set_tests_properties(CTestTestSubdir PROPERTIES
+-    PASS_REGULAR_EXPRESSION "0 tests failed out of 3")
++# This test fails to build 2 of the 3 tests
++#  configure_file(
++#    "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in"
++#    "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake"
++#    @ONLY ESCAPE_QUOTES)
++#  add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND}
++#    -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V
++#    --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log"
++#    )
++#  #make sure all 3 subdirs were added
++#  set_tests_properties(CTestTestSubdir PROPERTIES
++#    PASS_REGULAR_EXPRESSION "0 tests failed out of 3")
  
    configure_file(
-     "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
+     "${CMake_SOURCE_DIR}/Tests/CTestTestTimeout/test.cmake.in"
+-- 
+2.9.3
+
diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
deleted file mode 100644
index edc43f84f1..0000000000
--- a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-Fix CVE-2012-6702 and CVE-2016-5300.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
-
-Patch copied from:
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/
-
-From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Wed, 16 Mar 2016 15:30:12 +0100
-Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
-
-Squashed backport against vanilla Expat 2.1.1, addressing:
-* CVE-2012-6702 -- unanticipated internal calls to srand
-* CVE-2016-5300 -- use of too little entropy
-
-Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
-(released with Expat 2.1.0) Expat called srand by itself
-from inside generate_hash_secret_salt for an instance
-of XML_Parser if XML_SetHashSalt was either (a) not called
-for that instance or if (b) salt 0 was passed to XML_SetHashSalt
-prior to parsing.  That call to srand passed (rather litle)
-entropy extracted from the current time as a seed for srand.
-
-That call to srand (1) broke repeatability for code calling
-srand with a non-random seed prior to parsing with Expat,
-and (2) resulted in a rather small set of hashing salts in
-Expat in total.
-
-For a short- to mid-term fix, the new approach avoids calling
-srand altogether, extracts more entropy out of the clock and
-other sources, too.
-
-For a long term fix, we may want to read sizeof(long) bytes
-from a source like getrandom(..) on Linux, and from similar
-sources on other supported architectures.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1197087
----
- CMakeLists.txt |  3 +++
- lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
- 2 files changed, 44 insertions(+), 7 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 353627e..524d514 100755
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib)
- if(MSVC)

-     add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)

- endif(MSVC)

-+if(WIN32)

-+    add_definitions(-DCOMPILED_FROM_DSP)

-+endif(WIN32)

- 

- set(expat_SRCS

-     lib/xmlparse.c

-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..c5f942f 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -6,7 +6,14 @@
- #include <string.h>                     /* memset(), memcpy() */
- #include <assert.h>
- #include <limits.h>                     /* UINT_MAX */
--#include <time.h>                       /* time() */
-+
-+#ifdef COMPILED_FROM_DSP
-+#define getpid GetCurrentProcessId
-+#else
-+#include <sys/time.h>                   /* gettimeofday() */
-+#include <sys/types.h>                  /* getpid() */
-+#include <unistd.h>                     /* getpid() */
-+#endif
- 
- #define XML_BUILDING_EXPAT 1
- 
-@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
- getElementType(XML_Parser parser, const ENCODING *enc,
-                const char *ptr, const char *end);
- 
--static unsigned long generate_hash_secret_salt(void);
-+static unsigned long generate_hash_secret_salt(XML_Parser parser);
- static XML_Bool startParsing(XML_Parser parser);
- 
- static XML_Parser
-@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = {
- };
- 
- static unsigned long
--generate_hash_secret_salt(void)
-+gather_time_entropy(void)
- {
--  unsigned int seed = time(NULL) % UINT_MAX;
--  srand(seed);
--  return rand();
-+#ifdef COMPILED_FROM_DSP
-+  FILETIME ft;
-+  GetSystemTimeAsFileTime(&ft); /* never fails */
-+  return ft.dwHighDateTime ^ ft.dwLowDateTime;
-+#else
-+  struct timeval tv;
-+  int gettimeofday_res;
-+
-+  gettimeofday_res = gettimeofday(&tv, NULL);
-+  assert (gettimeofday_res == 0);
-+
-+  /* Microseconds time is <20 bits entropy */
-+  return tv.tv_usec;
-+#endif
-+}
-+
-+static unsigned long
-+generate_hash_secret_salt(XML_Parser parser)
-+{
-+  /* Process ID is 0 bits entropy if attacker has local access
-+   * XML_Parser address is few bits of entropy if attacker has local access */
-+  const unsigned long entropy =
-+      gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
-+
-+  /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
-+  if (sizeof(unsigned long) == 4) {
-+    return entropy * 2147483647;
-+  } else {
-+    return entropy * 2305843009213693951;
-+  }
- }
- 
- static XML_Bool  /* only valid for root parser */
-@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
- {
-     /* hash functions must be initialized before setContext() is called */
-     if (hash_secret_salt == 0)
--      hash_secret_salt = generate_hash_secret_salt();
-+      hash_secret_salt = generate_hash_secret_salt(parser);
-     if (ns) {
-       /* implicit context only set for root parser, since child
-          parsers (i.e. external entity parsers) will inherit it
--- 
-2.8.2
-
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
deleted file mode 100644
index fc8d6291f5..0000000000
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Follow-up upstream fix for CVE-2015-1283 to not rely on undefined
-behavior.
-
-Adapted from a patch from Debian (found in Debian package version
-2.1.0-6+deb8u2) to apply to upstream code:
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
-
----
- lib/xmlparse.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 0f6f4cd..5c70c17 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len)
-   }
- 
-   if (len > bufferLim - bufferEnd) {
--    int neededSize = len + (int)(bufferEnd - bufferPtr);
-+    /* Do not invoke signed arithmetic overflow: */
-+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
-     if (neededSize < 0) {
-       errorCode = XML_ERROR_NO_MEMORY;
-       return NULL;
-@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len)
-       if (bufferSize == 0)
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
--        bufferSize *= 2;
-+        /* Do not invoke signed arithmetic overflow: */
-+        bufferSize = (int) (2U * (unsigned) bufferSize);
-       } while (bufferSize < neededSize && bufferSize > 0);
-       if (bufferSize <= 0) {
-         errorCode = XML_ERROR_NO_MEMORY;
--- 
-2.8.3
-
diff --git a/gnu/packages/patches/expat-CVE-2016-0718.patch b/gnu/packages/patches/expat-CVE-2016-0718.patch
deleted file mode 100644
index 22436c20cc..0000000000
--- a/gnu/packages/patches/expat-CVE-2016-0718.patch
+++ /dev/null
@@ -1,761 +0,0 @@
-Fix CVE-2016-0718.
-
-Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2016-0718-v2-2-1.patch/
-
-From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 2 May 2016 00:02:44 +0200
-Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1)
-
-* Out of bounds memory access when doing text conversion on malformed input
-* Integer overflow related to memory allocation
-
-Reported by Gustavo Grieco
-
-Patch credits go to
-* Christian Heimes
-* Karl Waclawek
-* Gustavo Grieco
-* Sebastian Pipping
-* Pascal Cuoq
----
- expat/lib/xmlparse.c    |  34 +++++++++-----
- expat/lib/xmltok.c      | 115 +++++++++++++++++++++++++++++++++++-------------
- expat/lib/xmltok.h      |  10 ++++-
- expat/lib/xmltok_impl.c |  62 +++++++++++++-------------
- 4 files changed, 146 insertions(+), 75 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..13e080d 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2436,11 +2436,11 @@ doContent(XML_Parser parser,
-           for (;;) {
-             int bufSize;
-             int convLen;
--            XmlConvert(enc,
-+            const enum XML_Convert_Result convert_res = XmlConvert(enc,
-                        &fromPtr, rawNameEnd,
-                        (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
-             convLen = (int)(toPtr - (XML_Char *)tag->buf);
--            if (fromPtr == rawNameEnd) {
-+            if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
-               tag->name.strLen = convLen;
-               break;
-             }
-@@ -2661,11 +2661,11 @@ doContent(XML_Parser parser,
-           if (MUST_CONVERT(enc, s)) {
-             for (;;) {
-               ICHAR *dataPtr = (ICHAR *)dataBuf;
--              XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+              const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-               *eventEndPP = s;
-               charDataHandler(handlerArg, dataBuf,
-                               (int)(dataPtr - (ICHAR *)dataBuf));
--              if (s == next)
-+              if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-                 break;
-               *eventPP = s;
-             }
-@@ -3269,11 +3269,11 @@ doCdataSection(XML_Parser parser,
-           if (MUST_CONVERT(enc, s)) {
-             for (;;) {
-               ICHAR *dataPtr = (ICHAR *)dataBuf;
--              XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+              const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-               *eventEndPP = next;
-               charDataHandler(handlerArg, dataBuf,
-                               (int)(dataPtr - (ICHAR *)dataBuf));
--              if (s == next)
-+              if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-                 break;
-               *eventPP = s;
-             }
-@@ -5350,6 +5350,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
-               const char *s, const char *end)
- {
-   if (MUST_CONVERT(enc, s)) {
-+    enum XML_Convert_Result convert_res;
-     const char **eventPP;
-     const char **eventEndPP;
-     if (enc == encoding) {
-@@ -5362,11 +5363,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
-     }
-     do {
-       ICHAR *dataPtr = (ICHAR *)dataBuf;
--      XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-+      convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-       *eventEndPP = s;
-       defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
-       *eventPP = s;
--    } while (s != end);
-+    } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
-   }
-   else
-     defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
-@@ -6169,8 +6170,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc,
-   if (!pool->ptr && !poolGrow(pool))
-     return NULL;
-   for (;;) {
--    XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
--    if (ptr == end)
-+    const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-+    if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-       break;
-     if (!poolGrow(pool))
-       return NULL;
-@@ -6254,8 +6255,13 @@ poolGrow(STRING_POOL *pool)
-     }
-   }
-   if (pool->blocks && pool->start == pool->blocks->s) {
--    int blockSize = (int)(pool->end - pool->start)*2;
--    BLOCK *temp = (BLOCK *)
-+    BLOCK *temp;
-+    int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
-+
-+    if (blockSize < 0)
-+      return XML_FALSE;
-+
-+    temp = (BLOCK *)
-       pool->mem->realloc_fcn(pool->blocks,
-                              (offsetof(BLOCK, s)
-                               + blockSize * sizeof(XML_Char)));
-@@ -6270,6 +6276,10 @@ poolGrow(STRING_POOL *pool)
-   else {
-     BLOCK *tem;
-     int blockSize = (int)(pool->end - pool->start);
-+
-+    if (blockSize < 0)
-+      return XML_FALSE;
-+
-     if (blockSize < INIT_BLOCK_SIZE)
-       blockSize = INIT_BLOCK_SIZE;
-     else
-diff --git a/lib/xmltok.c b/lib/xmltok.c
-index bf09dfc..cb98ce1 100644
---- a/lib/xmltok.c
-+++ b/lib/xmltok.c
-@@ -318,39 +318,55 @@ enum {  /* UTF8_cvalN is value of masked first byte of N byte sequence */
-   UTF8_cval4 = 0xf0
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf8(const ENCODING *enc,
-             const char **fromP, const char *fromLim,
-             char **toP, const char *toLim)
- {
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
-   char *to;
-   const char *from;
-   if (fromLim - *fromP > toLim - *toP) {
-     /* Avoid copying partial characters. */
-+    res = XML_CONVERT_OUTPUT_EXHAUSTED;
-     for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--)
-       if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
-         break;
-   }
--  for (to = *toP, from = *fromP; from != fromLim; from++, to++)
-+  for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
-     *to = *from;
-   *fromP = from;
-   *toP = to;
-+
-+  if ((to == toLim) && (from < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return res;
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf16(const ENCODING *enc,
-              const char **fromP, const char *fromLim,
-              unsigned short **toP, const unsigned short *toLim)
- {
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
-   unsigned short *to = *toP;
-   const char *from = *fromP;
--  while (from != fromLim && to != toLim) {
-+  while (from < fromLim && to < toLim) {
-     switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
-     case BT_LEAD2:
-+      if (fromLim - from < 2) {
-+        res = XML_CONVERT_INPUT_INCOMPLETE;
-+        break;
-+      }
-       *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
-       from += 2;
-       break;
-     case BT_LEAD3:
-+      if (fromLim - from < 3) {
-+        res = XML_CONVERT_INPUT_INCOMPLETE;
-+        break;
-+      }
-       *to++ = (unsigned short)(((from[0] & 0xf) << 12)
-                                | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
-       from += 3;
-@@ -358,8 +374,14 @@ utf8_toUtf16(const ENCODING *enc,
-     case BT_LEAD4:
-       {
-         unsigned long n;
--        if (to + 1 == toLim)
-+        if (toLim - to < 2) {
-+          res = XML_CONVERT_OUTPUT_EXHAUSTED;
-           goto after;
-+        }
-+        if (fromLim - from < 4) {
-+          res = XML_CONVERT_INPUT_INCOMPLETE;
-+          goto after;
-+        }
-         n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
-             | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
-         n -= 0x10000;
-@@ -377,6 +399,7 @@ utf8_toUtf16(const ENCODING *enc,
- after:
-   *fromP = from;
-   *toP = to;
-+  return res;
- }
- 
- #ifdef XML_NS
-@@ -425,7 +448,7 @@ static const struct normal_encoding internal_utf8_encoding = {
-   STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_)
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- latin1_toUtf8(const ENCODING *enc,
-               const char **fromP, const char *fromLim,
-               char **toP, const char *toLim)
-@@ -433,30 +456,35 @@ latin1_toUtf8(const ENCODING *enc,
-   for (;;) {
-     unsigned char c;
-     if (*fromP == fromLim)
--      break;
-+      return XML_CONVERT_COMPLETED;
-     c = (unsigned char)**fromP;
-     if (c & 0x80) {
-       if (toLim - *toP < 2)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       *(*toP)++ = (char)((c >> 6) | UTF8_cval2);
-       *(*toP)++ = (char)((c & 0x3f) | 0x80);
-       (*fromP)++;
-     }
-     else {
-       if (*toP == toLim)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       *(*toP)++ = *(*fromP)++;
-     }
-   }
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- latin1_toUtf16(const ENCODING *enc,
-                const char **fromP, const char *fromLim,
-                unsigned short **toP, const unsigned short *toLim)
- {
--  while (*fromP != fromLim && *toP != toLim)
-+  while (*fromP < fromLim && *toP < toLim)
-     *(*toP)++ = (unsigned char)*(*fromP)++;
-+
-+  if ((*toP == toLim) && (*fromP < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return XML_CONVERT_COMPLETED;
- }
- 
- #ifdef XML_NS
-@@ -483,13 +511,18 @@ static const struct normal_encoding latin1_encoding = {
-   STANDARD_VTABLE(sb_)
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- ascii_toUtf8(const ENCODING *enc,
-              const char **fromP, const char *fromLim,
-              char **toP, const char *toLim)
- {
--  while (*fromP != fromLim && *toP != toLim)
-+  while (*fromP < fromLim && *toP < toLim)
-     *(*toP)++ = *(*fromP)++;
-+
-+  if ((*toP == toLim) && (*fromP < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return XML_CONVERT_COMPLETED;
- }
- 
- #ifdef XML_NS
-@@ -536,13 +569,14 @@ unicode_byte_type(char hi, char lo)
- }
- 
- #define DEFINE_UTF16_TO_UTF8(E) \
--static void  PTRCALL \
-+static enum XML_Convert_Result  PTRCALL \
- E ## toUtf8(const ENCODING *enc, \
-             const char **fromP, const char *fromLim, \
-             char **toP, const char *toLim) \
- { \
--  const char *from; \
--  for (from = *fromP; from != fromLim; from += 2) { \
-+  const char *from = *fromP; \
-+  fromLim = from + (((fromLim - from) >> 1) << 1);  /* shrink to even */ \
-+  for (; from < fromLim; from += 2) { \
-     int plane; \
-     unsigned char lo2; \
-     unsigned char lo = GET_LO(from); \
-@@ -552,7 +586,7 @@ E ## toUtf8(const ENCODING *enc, \
-       if (lo < 0x80) { \
-         if (*toP == toLim) { \
-           *fromP = from; \
--          return; \
-+          return XML_CONVERT_OUTPUT_EXHAUSTED; \
-         } \
-         *(*toP)++ = lo; \
-         break; \
-@@ -562,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \
-     case 0x4: case 0x5: case 0x6: case 0x7: \
-       if (toLim -  *toP < 2) { \
-         *fromP = from; \
--        return; \
-+        return XML_CONVERT_OUTPUT_EXHAUSTED; \
-       } \
-       *(*toP)++ = ((lo >> 6) | (hi << 2) |  UTF8_cval2); \
-       *(*toP)++ = ((lo & 0x3f) | 0x80); \
-@@ -570,7 +604,7 @@ E ## toUtf8(const ENCODING *enc, \
-     default: \
-       if (toLim -  *toP < 3)  { \
-         *fromP = from; \
--        return; \
-+        return XML_CONVERT_OUTPUT_EXHAUSTED; \
-       } \
-       /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \
-       *(*toP)++ = ((hi >> 4) | UTF8_cval3); \
-@@ -580,7 +614,11 @@ E ## toUtf8(const ENCODING *enc, \
-     case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
-       if (toLim -  *toP < 4) { \
-         *fromP = from; \
--        return; \
-+        return XML_CONVERT_OUTPUT_EXHAUSTED; \
-+      } \
-+      if (fromLim - from < 4) { \
-+        *fromP = from; \
-+        return XML_CONVERT_INPUT_INCOMPLETE; \
-       } \
-       plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \
-       *(*toP)++ = ((plane >> 2) | UTF8_cval4); \
-@@ -596,20 +634,32 @@ E ## toUtf8(const ENCODING *enc, \
-     } \
-   } \
-   *fromP = from; \
-+  if (from < fromLim) \
-+    return XML_CONVERT_INPUT_INCOMPLETE; \
-+  else \
-+    return XML_CONVERT_COMPLETED; \
- }
- 
- #define DEFINE_UTF16_TO_UTF16(E) \
--static void  PTRCALL \
-+static enum XML_Convert_Result  PTRCALL \
- E ## toUtf16(const ENCODING *enc, \
-              const char **fromP, const char *fromLim, \
-              unsigned short **toP, const unsigned short *toLim) \
- { \
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \
-+  fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1);  /* shrink to even */ \
-   /* Avoid copying first half only of surrogate */ \
-   if (fromLim - *fromP > ((toLim - *toP) << 1) \
--      && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \
-+      && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \
-     fromLim -= 2; \
--  for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \
-+    res = XML_CONVERT_INPUT_INCOMPLETE; \
-+  } \
-+  for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \
-     *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \
-+  if ((*toP == toLim) && (*fromP < fromLim)) \
-+    return XML_CONVERT_OUTPUT_EXHAUSTED; \
-+  else \
-+    return res; \
- }
- 
- #define SET2(ptr, ch) \
-@@ -1288,7 +1338,7 @@ unknown_isInvalid(const ENCODING *enc, const char *p)
-   return (c & ~0xFFFF) || checkCharRefNumber(c) < 0;
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- unknown_toUtf8(const ENCODING *enc,
-                const char **fromP, const char *fromLim,
-                char **toP, const char *toLim)
-@@ -1299,21 +1349,21 @@ unknown_toUtf8(const ENCODING *enc,
-     const char *utf8;
-     int n;
-     if (*fromP == fromLim)
--      break;
-+      return XML_CONVERT_COMPLETED;
-     utf8 = uenc->utf8[(unsigned char)**fromP];
-     n = *utf8++;
-     if (n == 0) {
-       int c = uenc->convert(uenc->userData, *fromP);
-       n = XmlUtf8Encode(c, buf);
-       if (n > toLim - *toP)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       utf8 = buf;
-       *fromP += (AS_NORMAL_ENCODING(enc)->type[(unsigned char)**fromP]
-                  - (BT_LEAD2 - 2));
-     }
-     else {
-       if (n > toLim - *toP)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       (*fromP)++;
-     }
-     do {
-@@ -1322,13 +1372,13 @@ unknown_toUtf8(const ENCODING *enc,
-   }
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- unknown_toUtf16(const ENCODING *enc,
-                 const char **fromP, const char *fromLim,
-                 unsigned short **toP, const unsigned short *toLim)
- {
-   const struct unknown_encoding *uenc = AS_UNKNOWN_ENCODING(enc);
--  while (*fromP != fromLim && *toP != toLim) {
-+  while (*fromP < fromLim && *toP < toLim) {
-     unsigned short c = uenc->utf16[(unsigned char)**fromP];
-     if (c == 0) {
-       c = (unsigned short)
-@@ -1340,6 +1390,11 @@ unknown_toUtf16(const ENCODING *enc,
-       (*fromP)++;
-     *(*toP)++ = c;
-   }
-+
-+  if ((*toP == toLim) && (*fromP < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return XML_CONVERT_COMPLETED;
- }
- 
- ENCODING *
-@@ -1503,7 +1558,7 @@ initScan(const ENCODING * const *encodingTable,
- {
-   const ENCODING **encPtr;
- 
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   encPtr = enc->encPtr;
-   if (ptr + 1 == end) {
-diff --git a/lib/xmltok.h b/lib/xmltok.h
-index ca867aa..752007e 100644
---- a/lib/xmltok.h
-+++ b/lib/xmltok.h
-@@ -130,6 +130,12 @@ typedef int (PTRCALL *SCANNER)(const ENCODING *,
-                                const char *,
-                                const char **);
- 
-+enum XML_Convert_Result {
-+  XML_CONVERT_COMPLETED = 0,
-+  XML_CONVERT_INPUT_INCOMPLETE = 1,
-+  XML_CONVERT_OUTPUT_EXHAUSTED = 2  /* and therefore potentially input remaining as well */
-+};
-+
- struct encoding {
-   SCANNER scanners[XML_N_STATES];
-   SCANNER literalScanners[XML_N_LITERAL_TYPES];
-@@ -158,12 +164,12 @@ struct encoding {
-                             const char *ptr,
-                             const char *end,
-                             const char **badPtr);
--  void (PTRCALL *utf8Convert)(const ENCODING *enc,
-+  enum XML_Convert_Result (PTRCALL *utf8Convert)(const ENCODING *enc,
-                               const char **fromP,
-                               const char *fromLim,
-                               char **toP,
-                               const char *toLim);
--  void (PTRCALL *utf16Convert)(const ENCODING *enc,
-+  enum XML_Convert_Result (PTRCALL *utf16Convert)(const ENCODING *enc,
-                                const char **fromP,
-                                const char *fromLim,
-                                unsigned short **toP,
-diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
-index 9c2895b..6c5a3ba 100644
---- a/lib/xmltok_impl.c
-+++ b/lib/xmltok_impl.c
-@@ -93,13 +93,13 @@ static int PTRCALL
- PREFIX(scanComment)(const ENCODING *enc, const char *ptr,
-                     const char *end, const char **nextTokPtr)
- {
--  if (ptr != end) {
-+  if (ptr < end) {
-     if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) {
-       *nextTokPtr = ptr;
-       return XML_TOK_INVALID;
-     }
-     ptr += MINBPC(enc);
--    while (ptr != end) {
-+    while (ptr < end) {
-       switch (BYTE_TYPE(enc, ptr)) {
-       INVALID_CASES(ptr, nextTokPtr)
-       case BT_MINUS:
-@@ -147,7 +147,7 @@ PREFIX(scanDecl)(const ENCODING *enc, const char *ptr,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     case BT_PERCNT:
-       if (ptr + MINBPC(enc) == end)
-@@ -233,7 +233,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_S: case BT_CR: case BT_LF:
-@@ -242,7 +242,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
-         return XML_TOK_INVALID;
-       }
-       ptr += MINBPC(enc);
--      while (ptr != end) {
-+      while (ptr < end) {
-         switch (BYTE_TYPE(enc, ptr)) {
-         INVALID_CASES(ptr, nextTokPtr)
-         case BT_QUEST:
-@@ -305,7 +305,7 @@ static int PTRCALL
- PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
-                         const char *end, const char **nextTokPtr)
- {
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   if (MINBPC(enc) > 1) {
-     size_t n = end - ptr;
-@@ -348,7 +348,7 @@ PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
-     ptr += MINBPC(enc);
-     break;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: \
-@@ -391,11 +391,11 @@ PREFIX(scanEndTag)(const ENCODING *enc, const char *ptr,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_S: case BT_CR: case BT_LF:
--      for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+      for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
-         switch (BYTE_TYPE(enc, ptr)) {
-         case BT_S: case BT_CR: case BT_LF:
-           break;
-@@ -432,7 +432,7 @@ static int PTRCALL
- PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
-                        const char *end, const char **nextTokPtr)
- {
--  if (ptr != end) {
-+  if (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     case BT_DIGIT:
-     case BT_HEX:
-@@ -441,7 +441,7 @@ PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
-       *nextTokPtr = ptr;
-       return XML_TOK_INVALID;
-     }
--    for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+    for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
-       switch (BYTE_TYPE(enc, ptr)) {
-       case BT_DIGIT:
-       case BT_HEX:
-@@ -464,7 +464,7 @@ static int PTRCALL
- PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
-                     const char *end, const char **nextTokPtr)
- {
--  if (ptr != end) {
-+  if (ptr < end) {
-     if (CHAR_MATCHES(enc, ptr, ASCII_x))
-       return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr);
-     switch (BYTE_TYPE(enc, ptr)) {
-@@ -474,7 +474,7 @@ PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
-       *nextTokPtr = ptr;
-       return XML_TOK_INVALID;
-     }
--    for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+    for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
-       switch (BYTE_TYPE(enc, ptr)) {
-       case BT_DIGIT:
-         break;
-@@ -506,7 +506,7 @@ PREFIX(scanRef)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_SEMI:
-@@ -529,7 +529,7 @@ PREFIX(scanAtts)(const ENCODING *enc, const char *ptr, const char *end,
- #ifdef XML_NS
-   int hadColon = 0;
- #endif
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- #ifdef XML_NS
-@@ -716,7 +716,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
-   hadColon = 0;
- #endif
-   /* we have a start-tag */
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- #ifdef XML_NS
-@@ -740,7 +740,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
-     case BT_S: case BT_CR: case BT_LF:
-       {
-         ptr += MINBPC(enc);
--        while (ptr != end) {
-+        while (ptr < end) {
-           switch (BYTE_TYPE(enc, ptr)) {
-           CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr)
-           case BT_GT:
-@@ -785,7 +785,7 @@ static int PTRCALL
- PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
-                    const char **nextTokPtr)
- {
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   if (MINBPC(enc) > 1) {
-     size_t n = end - ptr;
-@@ -832,7 +832,7 @@ PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
-     ptr += MINBPC(enc);
-     break;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: \
-@@ -895,7 +895,7 @@ PREFIX(scanPercent)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_SEMI:
-@@ -921,7 +921,7 @@ PREFIX(scanPoundName)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_CR: case BT_LF: case BT_S:
-@@ -941,7 +941,7 @@ PREFIX(scanLit)(int open, const ENCODING *enc,
-                 const char *ptr, const char *end,
-                 const char **nextTokPtr)
- {
--  while (ptr != end) {
-+  while (ptr < end) {
-     int t = BYTE_TYPE(enc, ptr);
-     switch (t) {
-     INVALID_CASES(ptr, nextTokPtr)
-@@ -973,7 +973,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
-                   const char **nextTokPtr)
- {
-   int tok;
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   if (MINBPC(enc) > 1) {
-     size_t n = end - ptr;
-@@ -1141,7 +1141,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_GT: case BT_RPAR: case BT_COMMA:
-@@ -1204,10 +1204,10 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr,
-                           const char *end, const char **nextTokPtr)
- {
-   const char *start;
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   start = ptr;
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: ptr += n; break;
-@@ -1262,10 +1262,10 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr,
-                        const char *end, const char **nextTokPtr)
- {
-   const char *start;
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   start = ptr;
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: ptr += n; break;
-@@ -1326,7 +1326,7 @@ PREFIX(ignoreSectionTok)(const ENCODING *enc, const char *ptr,
-       end = ptr + n;
-     }
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     INVALID_CASES(ptr, nextTokPtr)
-     case BT_LT:
-@@ -1373,7 +1373,7 @@ PREFIX(isPublicId)(const ENCODING *enc, const char *ptr, const char *end,
- {
-   ptr += MINBPC(enc);
-   end -= MINBPC(enc);
--  for (; ptr != end; ptr += MINBPC(enc)) {
-+  for (; ptr < end; ptr += MINBPC(enc)) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     case BT_DIGIT:
-     case BT_HEX:
-@@ -1760,7 +1760,7 @@ PREFIX(updatePosition)(const ENCODING *enc,
-     case BT_CR:
-       pos->lineNumber++;
-       ptr += MINBPC(enc);
--      if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF)
-+      if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF)
-         ptr += MINBPC(enc);
-       pos->columnNumber = (XML_Size)-1;
-       break;
--- 
-2.8.2
-
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000000..1f3cb028d4
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch b/gnu/packages/patches/fontconfig-CVE-2016-5384.patch
deleted file mode 100644
index 617d5afbaf..0000000000
--- a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-Fix CVE-2016-5384 (double-free resulting in arbitrary code execution):
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384>
-
-Copied from upstream code repository:
-
-<https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940>
-
-From 7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sat, 25 Jun 2016 19:18:53 +0200
-Subject: Properly validate offsets in cache files.
-
-The cache files are insufficiently validated. Even though the magic
-number at the beginning of the file as well as time stamps are checked,
-it is not verified if contained offsets are in legal ranges or are
-even pointers.
-
-The lack of validation allows an attacker to trigger arbitrary free()
-calls, which in turn allows double free attacks and therefore arbitrary
-code execution. Due to the conversion from offsets into pointers through
-macros, this even allows to circumvent ASLR protections.
-
-This attack vector allows privilege escalation when used with setuid
-binaries like fbterm. A user can create ~/.fonts or any other
-system-defined user-private font directory, run fc-cache and adjust
-cache files in ~/.cache/fontconfig. The execution of setuid binaries will
-scan these files and therefore are prone to attacks.
-
-If it's not about code execution, an endless loop can be created by
-letting linked lists become circular linked lists.
-
-This patch verifies that:
-
-- The file is not larger than the maximum addressable space, which
-  basically only affects 32 bit systems. This allows out of boundary
-  access into unallocated memory.
-- Offsets are always positive or zero
-- Offsets do not point outside file boundaries
-- No pointers are allowed in cache files, every "pointer or offset"
-  field must be an offset or NULL
-- Iterating linked lists must not take longer than the amount of elements
-  specified. A violation of this rule can break a possible endless loop.
-
-If one or more of these points are violated, the cache is recreated.
-This is current behaviour.
-
-Even though this patch fixes many issues, the use of mmap() shall be
-forbidden in setuid binaries. It is impossible to guarantee with these
-checks that a malicious user does not change cache files after
-verification. This should be handled in a different patch.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
-diff --git a/src/fccache.c b/src/fccache.c
-index 71e8f03..02ec301 100644
---- a/src/fccache.c
-+++ b/src/fccache.c
-@@ -27,6 +27,7 @@
- #include <fcntl.h>
- #include <dirent.h>
- #include <string.h>
-+#include <limits.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <assert.h>
-@@ -587,6 +588,82 @@ FcCacheTimeValid (FcConfig *config, FcCache *cache, struct stat *dir_stat)
-     return cache->checksum == (int) dir_stat->st_mtime && fnano;
- }
- 
-+static FcBool
-+FcCacheOffsetsValid (FcCache *cache)
-+{
-+    char		*base = (char *)cache;
-+    char		*end = base + cache->size;
-+    intptr_t		*dirs;
-+    FcFontSet		*fs;
-+    int			 i, j;
-+
-+    if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) ||
-+        memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL)
-+        return FcFalse;
-+
-+    if (cache->dirs < 0 || cache->dirs >= cache->size ||
-+        cache->dirs_count < 0 ||
-+        cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t))
-+        return FcFalse;
-+
-+    dirs = FcCacheDirs (cache);
-+    if (dirs)
-+    {
-+        for (i = 0; i < cache->dirs_count; i++)
-+        {
-+            FcChar8	*dir;
-+
-+            if (dirs[i] < 0 ||
-+                dirs[i] > end - (char *) dirs - sizeof (intptr_t))
-+                return FcFalse;
-+
-+            dir = FcOffsetToPtr (dirs, dirs[i], FcChar8);
-+            if (memchr (dir, '\0', end - (char *) dir) == NULL)
-+                return FcFalse;
-+         }
-+    }
-+
-+    if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet))
-+        return FcFalse;
-+
-+    fs = FcCacheSet (cache);
-+    if (fs)
-+    {
-+        if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern))
-+            return FcFalse;
-+
-+        if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts))
-+            return FcFalse;
-+
-+        for (i = 0; i < fs->nfont; i++)
-+        {
-+            FcPattern		*font = FcFontSetFont (fs, i);
-+            FcPatternElt	*e;
-+            FcValueListPtr	 l;
-+
-+            if ((char *) font < base ||
-+                (char *) font > end - sizeof (FcFontSet) ||
-+                font->elts_offset < 0 ||
-+                font->elts_offset > end - (char *) font ||
-+                font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt))
-+                return FcFalse;
-+
-+
-+            e = FcPatternElts(font);
-+            if (e->values != 0 && !FcIsEncodedOffset(e->values))
-+                return FcFalse;
-+
-+            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
-+                if (l->next != NULL && !FcIsEncodedOffset(l->next))
-+                    break;
-+            if (j < 0)
-+                return FcFalse;
-+        }
-+    }
-+
-+    return FcTrue;
-+}
-+
- /*
-  * Map a cache file into memory
-  */
-@@ -596,7 +673,8 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di
-     FcCache	*cache;
-     FcBool	allocated = FcFalse;
- 
--    if (fd_stat->st_size < (int) sizeof (FcCache))
-+    if (fd_stat->st_size > INTPTR_MAX ||
-+        fd_stat->st_size < (int) sizeof (FcCache))
- 	return NULL;
-     cache = FcCacheFindByStat (fd_stat);
-     if (cache)
-@@ -652,6 +730,7 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di
-     if (cache->magic != FC_CACHE_MAGIC_MMAP ||
- 	cache->version < FC_CACHE_VERSION_NUMBER ||
- 	cache->size != (intptr_t) fd_stat->st_size ||
-+        !FcCacheOffsetsValid (cache) ||
- 	!FcCacheTimeValid (config, cache, dir_stat) ||
- 	!FcCacheInsert (cache, fd_stat))
-     {
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/gawk-fts-test.patch b/gnu/packages/patches/gawk-fts-test.patch
deleted file mode 100644
index de1f5c431c..0000000000
--- a/gnu/packages/patches/gawk-fts-test.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-This is upstream commit c9a018c.  We have observed random failures of
-this test on i686 that seem related to load.
-
-2015-05-21         Arnold D. Robbins     <arnold@skeeve.com>
-
-	* fts.awk: Really remove atime from the output. 
-	This avoids spurious failures on heavily loaded systems.
-
-diff --git a/test/fts.awk b/test/fts.awk
-index b1df060..dea5b68 100644
---- a/test/fts.awk
-+++ b/test/fts.awk
-@@ -50,6 +50,11 @@ function sort_traverse(data,	sorted, i)
- {
- 	asorti(data, sorted)
- 	for (i = 1; i in sorted; i++) {
-+		# 5/2015: skip for atime, since there can
-+		# occasionally be small differences.
-+		if (sorted[i] == "atime")
-+			continue
-+
- 		indent()
- 		printf("%s --> %s\n", sorted[i], data[sorted[i]]) > output
- 	}
-@@ -63,17 +68,20 @@ function traverse(data,         i)
- 			printf("%s:\n", i) > output
- 
- 			Level++
--			if (("mtime" in data[i]) && ! isarray(data[i][mtime])) {
-+			if (("mtime" in data[i]) && ! isarray(data[i]["mtime"])) {
- 				sort_traverse(data[i])
- 			} else {
- 				traverse(data[i])
- 			}
- 			Level--
--		} else if (data[i] != "atime") {
--			# 4/2015: skip for atime, since there can
--			# occasionally be small differences.
--			indent()
--			printf("%s --> %s\n", i, data[i]) > output
-+#		} else {
-+#			JUNK = 1
-+#			if (i != "atime") {
-+#				# 4/2015: skip for atime, since there can
-+#				# occasionally be small differences.
-+#				indent()
-+#				printf("%s --> %s\n", i, data[i]) > output
-+#			}
- 		}
- 	}
- }
diff --git a/gnu/packages/patches/gcc-arm-bug-71399.patch b/gnu/packages/patches/gcc-arm-bug-71399.patch
new file mode 100644
index 0000000000..6f04fece0e
--- /dev/null
+++ b/gnu/packages/patches/gcc-arm-bug-71399.patch
@@ -0,0 +1,55 @@
+Revert the following commit to work around a bootstrap comparison failure on
+ARMv7, as reported at <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71399>.
+
+commit f6ab85b7049a03962ea98924d00802da357a1ad3
+Author: renlin <renlin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date:   Wed Dec 2 14:06:31 2015 +0000
+
+    [PR67383][ARM][4.9]Backport of "Allow any register for DImode values in Thumb2"
+    
+    This partially fix PR67383. It allows the reload more flexibility to choose
+    spilling pseudo registers.
+    
+    
+    gcc/ChangeLog:
+    
+    2015-12-02  Renlin Li  <renlin.li@arm.com>
+    
+            Backport from mainline.
+            2014-04-22  Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>
+    
+            * config/arm/arm.c (arm_hard_regno_mode_ok): Loosen
+            restrictions on core registers for DImode values in Thumb2.
+    
+    
+    git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-4_9-branch@231177 138bc75d-0d04-0410-961f-82ee72b054a4
+
+diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
+index 8ba6060..d9028a1 100644
+--- b/gcc/config/arm/arm.c
++++ a/gcc/config/arm/arm.c
+@@ -22624,19 +22624,12 @@
+     }
+ 
+   /* We allow almost any value to be stored in the general registers.
+-     Restrict doubleword quantities to even register pairs in ARM state
+-     so that we can use ldrd.  Do not allow very large Neon structure
+-     opaque modes in general registers; they would use too many.  */
++     Restrict doubleword quantities to even register pairs so that we can
++     use ldrd.  Do not allow very large Neon structure opaque modes in
++     general registers; they would use too many.  */
+   if (regno <= LAST_ARM_REGNUM)
+-    {
+-      if (ARM_NUM_REGS (mode) > 4)
+-	  return FALSE;
+-
+-      if (TARGET_THUMB2)
+-	return TRUE;
+-
+-      return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0);
+-    }
++    return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0)
++      && ARM_NUM_REGS (mode) <= 4;
+ 
+   if (regno == FRAME_POINTER_REGNUM
+       || regno == ARG_POINTER_REGNUM)
diff --git a/gnu/packages/patches/gnupg-fix-expired-test.patch b/gnu/packages/patches/gnupg-fix-expired-test.patch
deleted file mode 100644
index ac2564f50c..0000000000
--- a/gnu/packages/patches/gnupg-fix-expired-test.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-Fix a test that has an expiration date of 2016-09-17:
-
-https://bugs.gnupg.org/gnupg/issue2393
-
-Patch adapted from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e584d6468a2e72cd01e55f46104f9f96b56c0b66
-
-The patch has been altered by commenting out a diff that does not apply
-to the version of GnuPG that we are applying it to, 2.1.13. This is
-what the patch author refers to below with "This commit includes changes
-to the old test as well, for those who need to backport it." We keep the
-old test and comment out the new test.
-
-From e584d6468a2e72cd01e55f46104f9f96b56c0b66 Mon Sep 17 00:00:00 2001
-From: Justus Winter <justus@g10code.com>
-Date: Thu, 23 Jun 2016 17:24:23 +0200
-Subject: [PATCH] tests/openpgp: Fake the system time for the tofu test.
-
-The keys in the tofu test are set to expire on 2016-09-17.  Fake the
-system time for this test.
-
-This commit includes changes to the old test as well, for those who
-need to backport it.
-
-* tests/openpgp/gpg-agent.conf.tmpl: Drop trailing newlines.
-* tests/openpgp/tofu.scm: Fake system time.
-* tests/openpgp/tofu.test: Likewise.
-
-GnuPG-bug-id: 2393
-Signed-off-by: Justus Winter <justus@g10code.com>
----
- tests/openpgp/gpg-agent.conf.tmpl | 2 --
- tests/openpgp/tofu.scm            | 4 +++-
- tests/openpgp/tofu.test           | 3 +++
- 3 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tests/openpgp/gpg-agent.conf.tmpl b/tests/openpgp/gpg-agent.conf.tmpl
-index b3cb54f..70e1633 100644
---- a/tests/openpgp/gpg-agent.conf.tmpl
-+++ b/tests/openpgp/gpg-agent.conf.tmpl
-@@ -1,4 +1,2 @@
- allow-preset-passphrase
- no-grab
--
--
-#diff --git a/tests/openpgp/tofu.scm b/tests/openpgp/tofu.scm
-#index 24fa9df..38b6a0f 100755
-#--- a/tests/openpgp/tofu.scm
-#+++ b/tests/openpgp/tofu.scm
-#@@ -19,7 +19,9 @@
-# 
-# (load (with-path "defs.scm"))
-# 
-#-(define GPG `(,(tool 'gpg) --no-permission-warning)) ;; w/o --always-trust
-#+ ;; Redefine GPG without --always-trust and a fixed time.
-#+(define GPG `(,(tool 'gpg) --no-permission-warning
-#+	      --faked-system-time=1466684990))
-# (define GNUPGHOME (getenv "GNUPGHOME"))
-# (if (string=? "" GNUPGHOME)
-#     (error "GNUPGHOME not set"))
-diff --git a/tests/openpgp/tofu.test b/tests/openpgp/tofu.test
-index 18c1756..0d34af4 100755
---- a/tests/openpgp/tofu.test
-+++ b/tests/openpgp/tofu.test
-@@ -4,6 +4,9 @@
- 
- # set -x
- 
-+# Redefine GPG with a fixed time.
-+GPG="$GPG --faked-system-time=1466684990"
-+
- KEYS="2183839A BC15C85A EE37CF96"
- 
- # Make sure $srcdir is set.
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/guile-relocatable.patch b/gnu/packages/patches/guile-relocatable.patch
index 077394cdde..2431495f24 100644
--- a/gnu/packages/patches/guile-relocatable.patch
+++ b/gnu/packages/patches/guile-relocatable.patch
@@ -1,8 +1,6 @@
 This patch changes Guile to use a default search path relative to the
 location of the `guile' binary, allowing it to be relocated.
 
-diff --git a/libguile/load.c b/libguile/load.c
-index af2ca45..19dd338 100644
 --- a/libguile/load.c
 +++ b/libguile/load.c
 @@ -26,6 +26,7 @@
@@ -12,8 +10,8 @@ index af2ca45..19dd338 100644
 +#include <libgen.h>
  
  #include "libguile/_scm.h"
- #include "libguile/private-gc.h" /* scm_getenv_int */
-@@ -255,6 +256,32 @@ scm_init_load_path ()
+ #include "libguile/alist.h"
+@@ -325,6 +326,32 @@
    SCM cpath = SCM_EOL;
  
  #ifdef SCM_LIBRARY_DIR
@@ -43,10 +41,10 @@ index af2ca45..19dd338 100644
 +  strcpy (ccache_dir, prefix);
 +  strcat (ccache_dir, "/lib/guile/2.0/ccache");
 +
-   env = getenv ("GUILE_SYSTEM_PATH");
+   env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_PATH"));
    if (env && strcmp (env, "") == 0)
      /* special-case interpret system-path=="" as meaning no system path instead
-@@ -263,10 +290,7 @@ scm_init_load_path ()
+@@ -333,10 +360,7 @@
    else if (env)
      path = scm_parse_path (scm_from_locale_string (env), path);
    else
@@ -56,9 +54,9 @@ index af2ca45..19dd338 100644
 -                       scm_from_locale_string (SCM_PKGDATA_DIR));
 +    path = scm_list_1 (scm_from_locale_string (module_dir));
  
-   env = getenv ("GUILE_SYSTEM_COMPILED_PATH");
+   env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_COMPILED_PATH"));
    if (env && strcmp (env, "") == 0)
-@@ -276,8 +300,7 @@ scm_init_load_path ()
+@@ -346,8 +370,7 @@
      cpath = scm_parse_path (scm_from_locale_string (env), cpath);
    else
      {
diff --git a/gnu/packages/patches/icecat-binutils.patch b/gnu/packages/patches/icecat-binutils.patch
new file mode 100644
index 0000000000..53a3ed9bb0
--- /dev/null
+++ b/gnu/packages/patches/icecat-binutils.patch
@@ -0,0 +1,40 @@
+
+# HG changeset patch
+# User J. Brown <jb999@gmx.de>
+# Date 1476951900 14400
+# Node ID cca249d09ef600650e6127c18be438a37e9d4587
+# Parent  d8bbf1a3957fd25ff24bfee51331c150b154cc39
+Bug 1242901 - Fix linking libxul.so with binutils/GNU ld >= 2.26. r=glandium
+
+The build fails with:
+
+    /usr/bin/ld: ../../xpcom/components/nsComponentManager.o: relocation R_386_GOTOFF against protected data `start_kPStaticModules_NSModule' can not be used when making a shared object
+    /usr/bin/ld: final link failed: Bad value
+    collect2: error: ld returned 1 exit status
+
+This is a patch from 2016/04/27 16:36:50 ryoon found on
+http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/firefox45/patches/#dirlist.
+
+diff --git a/xpcom/components/Module.h b/xpcom/components/Module.h
+--- a/xpcom/components/Module.h
++++ b/xpcom/components/Module.h
+@@ -133,17 +133,17 @@ struct Module
+ #if defined(MOZILLA_INTERNAL_API)
+ #  define NSMODULE_NAME(_name) _name##_NSModule
+ #  if defined(_MSC_VER)
+ #    pragma section(".kPStaticModules$M", read)
+ #    pragma comment(linker, "/merge:.kPStaticModules=.rdata")
+ #    define NSMODULE_SECTION __declspec(allocate(".kPStaticModules$M"), dllexport)
+ #  elif defined(__GNUC__)
+ #    if defined(__ELF__)
+-#      define NSMODULE_SECTION __attribute__((section(".kPStaticModules"), visibility("protected")))
++#      define NSMODULE_SECTION __attribute__((section(".kPStaticModules"), visibility("default")))
+ #    elif defined(__MACH__)
+ #      define NSMODULE_SECTION __attribute__((section("__DATA, .kPStaticModules"), visibility("default")))
+ #    elif defined (_WIN32)
+ #      define NSMODULE_SECTION __attribute__((section(".kPStaticModules"), dllexport))
+ #    endif
+ #  endif
+ #  if !defined(NSMODULE_SECTION)
+ #    error Do not know how to define sections.
+
diff --git a/gnu/packages/patches/isl-0.11.1-aarch64-support.patch b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch
new file mode 100644
index 0000000000..c5607fc80d
--- /dev/null
+++ b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch
@@ -0,0 +1,40 @@
+Add aarch64 support to config.guess and config.sub, as would be found if using
+a more recent version of autoconf.
+---
+ config.guess          |    7 +++++++
+ config.sub            |    1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/config.guess b/config.guess
+index 40eaed4..baad294 100755
+--- a/config.guess
++++ b/config.guess
+@@ -861,6 +861,13 @@ EOF
+     i*86:Minix:*:*)
+ 	echo ${UNAME_MACHINE}-pc-minix
+ 	exit ;;
++    aarch64:Linux:*:*)
++	echo ${UNAME_MACHINE}-unknown-linux-gnu
++	exit ;;
++    aarch64_be:Linux:*:*)
++	UNAME_MACHINE=aarch64_be
++	echo ${UNAME_MACHINE}-unknown-linux-gnu
++	exit ;;
+     alpha:Linux:*:*)
+ 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ 	  EV5)   UNAME_MACHINE=alphaev5 ;;
+diff --git a/config.sub b/config.sub
+index 30fdca8..8f5b018 100755
+--- a/config.sub
++++ b/config.sub
+@@ -247,6 +247,7 @@ case $basic_machine in
+ 	# Some are omitted here because they have special meanings below.
+ 	1750a | 580 \
+ 	| a29k \
++	| aarch64 | aarch64_be \
+ 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ 	| am33_2.0 \
+-- 
+2.9.0
+
diff --git a/gnu/packages/patches/libx11-CVE-2016-7942.patch b/gnu/packages/patches/libx11-CVE-2016-7942.patch
deleted file mode 100644
index 75770235ef..0000000000
--- a/gnu/packages/patches/libx11-CVE-2016-7942.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-Fix CVE-2016-7942:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
-
-From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:25:25 +0200
-Subject: [PATCH] Validation of server responses in XGetImage()
-
-Check if enough bytes were received for specified image type and
-geometry. Otherwise GetPixel and other functions could trigger an
-out of boundary read later on.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/GetImage.c | 29 ++++++++++++++++++++---------
- 1 file changed, 20 insertions(+), 9 deletions(-)
-
-diff --git a/src/GetImage.c b/src/GetImage.c
-index c461abc..ff32d58 100644
---- a/src/GetImage.c
-+++ b/src/GetImage.c
-@@ -59,6 +59,7 @@ XImage *XGetImage (
- 	char *data;
- 	unsigned long nbytes;
- 	XImage *image;
-+	int planes;
- 	LockDisplay(dpy);
- 	GetReq (GetImage, req);
- 	/*
-@@ -91,18 +92,28 @@ XImage *XGetImage (
- 	    return (XImage *) NULL;
- 	}
-         _XReadPad (dpy, data, nbytes);
--        if (format == XYPixmap)
--	   image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
--		  Ones (plane_mask &
--			(((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
--		  format, 0, data, width, height, dpy->bitmap_pad, 0);
--	else /* format == ZPixmap */
--           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
--		 rep.depth, ZPixmap, 0, data, width, height,
--		  _XGetScanlinePad(dpy, (int) rep.depth), 0);
-+        if (format == XYPixmap) {
-+	    image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
-+		Ones (plane_mask &
-+		    (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
-+		format, 0, data, width, height, dpy->bitmap_pad, 0);
-+	    planes = image->depth;
-+	} else { /* format == ZPixmap */
-+            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-+		rep.depth, ZPixmap, 0, data, width, height,
-+		    _XGetScanlinePad(dpy, (int) rep.depth), 0);
-+	    planes = 1;
-+	}
- 
- 	if (!image)
- 	    Xfree(data);
-+	if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
-+	    INT_MAX / image->height <= image->bytes_per_line ||
-+	    INT_MAX / planes <= image->height * image->bytes_per_line ||
-+	    nbytes < planes * image->height * image->bytes_per_line) {
-+	    XDestroyImage(image);
-+	    image = NULL;
-+	}
- 	UnlockDisplay(dpy);
- 	SyncHandle();
- 	return (image);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libx11-CVE-2016-7943.patch b/gnu/packages/patches/libx11-CVE-2016-7943.patch
deleted file mode 100644
index 7bcbc58dd4..0000000000
--- a/gnu/packages/patches/libx11-CVE-2016-7943.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-Fix CVE-2016-7943:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943.
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
-
-From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:22:57 +0200
-Subject: [PATCH] The validation of server responses avoids out of boundary
- accesses.
-
-v2: FontNames.c  return a NULL list whenever a single
-length field from the server is incohent.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/FontNames.c | 23 +++++++++++++++++------
- src/ListExt.c   | 12 ++++++++----
- src/ModMap.c    |  3 ++-
- 3 files changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/src/FontNames.c b/src/FontNames.c
-index 21dcafe..e55f338 100644
---- a/src/FontNames.c
-+++ b/src/FontNames.c
-@@ -66,7 +66,7 @@ int *actualCount)	/* RETURN */
- 
-     if (rep.nFonts) {
- 	flist = Xmalloc (rep.nFonts * sizeof(char *));
--	if (rep.length < (INT_MAX >> 2)) {
-+	if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
- 	    rlen = rep.length << 2;
- 	    ch = Xmalloc(rlen + 1);
- 	    /* +1 to leave room for last null-terminator */
-@@ -93,11 +93,22 @@ int *actualCount)	/* RETURN */
- 	    if (ch + length < chend) {
- 		flist[i] = ch + 1;  /* skip over length */
- 		ch += length + 1;  /* find next length ... */
--		length = *(unsigned char *)ch;
--		*ch = '\0';  /* and replace with null-termination */
--		count++;
--	    } else
--		flist[i] = NULL;
-+		if (ch <= chend) {
-+		    length = *(unsigned char *)ch;
-+		    *ch = '\0';  /* and replace with null-termination */
-+		    count++;
-+		} else {
-+                    Xfree(flist);
-+                    flist = NULL;
-+                    count = 0;
-+                    break;
-+		}
-+	    } else {
-+                Xfree(flist);
-+                flist = NULL;
-+                count = 0;
-+                break;
-+            }
- 	}
-     }
-     *actualCount = count;
-diff --git a/src/ListExt.c b/src/ListExt.c
-index be6b989..0516e45 100644
---- a/src/ListExt.c
-+++ b/src/ListExt.c
-@@ -55,7 +55,7 @@ char **XListExtensions(
- 
- 	if (rep.nExtensions) {
- 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
--	    if (rep.length < (INT_MAX >> 2)) {
-+	    if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
- 		rlen = rep.length << 2;
- 		ch = Xmalloc (rlen + 1);
-                 /* +1 to leave room for last null-terminator */
-@@ -80,9 +80,13 @@ char **XListExtensions(
- 		if (ch + length < chend) {
- 		    list[i] = ch+1;  /* skip over length */
- 		    ch += length + 1; /* find next length ... */
--		    length = *ch;
--		    *ch = '\0'; /* and replace with null-termination */
--		    count++;
-+		    if (ch <= chend) {
-+			length = *ch;
-+			*ch = '\0'; /* and replace with null-termination */
-+			count++;
-+		    } else {
-+			list[i] = NULL;
-+		    }
- 		} else
- 		    list[i] = NULL;
- 	    }
-diff --git a/src/ModMap.c b/src/ModMap.c
-index a809aa2..49a5d08 100644
---- a/src/ModMap.c
-+++ b/src/ModMap.c
-@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
-     GetEmptyReq(GetModifierMapping, req);
-     (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- 
--    if (rep.length < (INT_MAX >> 2)) {
-+    if (rep.length < (INT_MAX >> 2) &&
-+	(rep.length >> 1) == rep.numKeyPerModifier) {
- 	nbytes = (unsigned long)rep.length << 2;
- 	res = Xmalloc(sizeof (XModifierKeymap));
- 	if (res)
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
deleted file mode 100644
index 2ce463fc46..0000000000
--- a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Fix CVE-2016-7944:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e
-
-From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:38:44 +0200
-Subject: [PATCH] Integer overflow on illegal server response
-
-The 32 bit field "rep.length" is not checked for validity, which allows
-an integer overflow on 32 bit systems.
-
-A malicious server could send INT_MAX as length, which gets multiplied
-by the size of XRectangle. In that case the client won't read the whole
-data from server, getting out of sync.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Region.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/src/Region.c b/src/Region.c
-index cb0cf6e..59bcc1a 100644
---- a/src/Region.c
-+++ b/src/Region.c
-@@ -23,6 +23,7 @@
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include "Xfixesint.h"
- 
- XserverRegion
-@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display	    *dpy,
-     bounds->y = rep.y;
-     bounds->width = rep.width;
-     bounds->height = rep.height;
--    nbytes = (long) rep.length << 2;
--    nrects = rep.length >> 1;
--    rects = Xmalloc (nrects * sizeof (XRectangle));
-+
-+    if (rep.length < (INT_MAX >> 2)) {
-+	nbytes = (long) rep.length << 2;
-+	nrects = rep.length >> 1;
-+	rects = Xmalloc (nrects * sizeof (XRectangle));
-+    } else {
-+	nbytes = 0;
-+	nrects = 0;
-+	rects = NULL;
-+    }
-+
-     if (!rects)
-     {
- 	_XEatDataWords(dpy, rep.length);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch b/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
deleted file mode 100644
index ca899e34c0..0000000000
--- a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-Fix CVE-2016-7945:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5
-
-From 19a9cd607de73947fcfb104682f203ffe4e1f4e5 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:31:34 +0200
-Subject: [PATCH] Properly validate server responses.
-
-By validating length fields from server responses, out of boundary
-accesses and endless loops can be mitigated.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XGMotion.c      |  3 ++-
- src/XGetBMap.c      |  3 ++-
- src/XGetDCtl.c      |  6 ++++--
- src/XGetFCtl.c      |  7 ++++++-
- src/XGetKMap.c      | 14 +++++++++++---
- src/XGetMMap.c      | 11 +++++++++--
- src/XIQueryDevice.c | 36 ++++++++++++++++++++++++++++++++++--
- src/XListDev.c      | 21 +++++++++++++++------
- src/XOpenDev.c      | 13 ++++++++++---
- src/XQueryDv.c      |  8 ++++++--
- 10 files changed, 99 insertions(+), 23 deletions(-)
-
-diff --git a/src/XGMotion.c b/src/XGMotion.c
-index 7785843..9433e29 100644
---- a/src/XGMotion.c
-+++ b/src/XGMotion.c
-@@ -114,7 +114,8 @@ XGetDeviceMotionEvents(
-     }
-     /* rep.axes is a CARD8, so assume max number of axes for bounds check */
-     if (rep.nEvents <
--	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
-+	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
-+	rep.nEvents * (rep.axes + 1) <= rep.length) {
- 	size_t bsize = rep.nEvents *
- 	    (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
- 	bufp = Xmalloc(bsize);
-diff --git a/src/XGetBMap.c b/src/XGetBMap.c
-index 002daba..13bb8c6 100644
---- a/src/XGetBMap.c
-+++ b/src/XGetBMap.c
-@@ -92,7 +92,8 @@ XGetDeviceButtonMapping(
- 
-     status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
-     if (status == 1) {
--	if (rep.length <= (sizeof(mapping) >> 2)) {
-+	if (rep.length <= (sizeof(mapping) >> 2) &&
-+	    rep.nElts <= (rep.length << 2)) {
- 	    unsigned long nbytes = rep.length << 2;
- 	    _XRead(dpy, (char *)mapping, nbytes);
- 
-diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
-index c5d3b53..7f6b396 100644
---- a/src/XGetDCtl.c
-+++ b/src/XGetDCtl.c
-@@ -93,7 +93,8 @@ XGetDeviceControl(
-     if (rep.length > 0) {
- 	unsigned long nbytes;
- 	size_t size = 0;
--	if (rep.length < (INT_MAX >> 2)) {
-+	if (rep.length < (INT_MAX >> 2) &&
-+	    (rep.length << 2) >= sizeof(xDeviceState)) {
- 	    nbytes = (unsigned long) rep.length << 2;
- 	    d = Xmalloc(nbytes);
- 	}
-@@ -117,7 +118,8 @@ XGetDeviceControl(
- 	    size_t val_size;
- 
- 	    r = (xDeviceResolutionState *) d;
--	    if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
-+	    if (sizeof(xDeviceResolutionState) > nbytes ||
-+		r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
- 		goto out;
- 	    val_size = 3 * sizeof(int) * r->num_valuators;
- 	    if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
-diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
-index 7fd6d0e..82dcc64 100644
---- a/src/XGetFCtl.c
-+++ b/src/XGetFCtl.c
-@@ -73,6 +73,7 @@ XGetFeedbackControl(
-     XFeedbackState *Sav = NULL;
-     xFeedbackState *f = NULL;
-     xFeedbackState *sav = NULL;
-+    char *end = NULL;
-     xGetFeedbackControlReq *req;
-     xGetFeedbackControlReply rep;
-     XExtDisplayInfo *info = XInput_find_display(dpy);
-@@ -105,10 +106,12 @@ XGetFeedbackControl(
- 	    goto out;
- 	}
- 	sav = f;
-+	end = (char *)f + nbytes;
- 	_XRead(dpy, (char *)f, nbytes);
- 
- 	for (i = 0; i < *num_feedbacks; i++) {
--	    if (f->length > nbytes)
-+	    if ((char *)f + sizeof(*f) > end ||
-+	        f->length == 0 || f->length > nbytes)
- 		goto out;
- 	    nbytes -= f->length;
- 
-@@ -125,6 +128,8 @@ XGetFeedbackControl(
- 	    case StringFeedbackClass:
- 	    {
- 		xStringFeedbackState *strf = (xStringFeedbackState *) f;
-+		if ((char *)f + sizeof(*strf) > end)
-+		    goto out;
- 		size += sizeof(XStringFeedbackState) +
- 		    (strf->num_syms_supported * sizeof(KeySym));
- 	    }
-diff --git a/src/XGetKMap.c b/src/XGetKMap.c
-index 0540ce4..008a72b 100644
---- a/src/XGetKMap.c
-+++ b/src/XGetKMap.c
-@@ -54,6 +54,7 @@ SOFTWARE.
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -93,9 +94,16 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
- 	return (KeySym *) NULL;
-     }
-     if (rep.length > 0) {
--	*syms_per_code = rep.keySymsPerKeyCode;
--	nbytes = (long)rep.length << 2;
--	mapping = (KeySym *) Xmalloc((unsigned)nbytes);
-+	if (rep.length < INT_MAX >> 2 &&
-+	    rep.length == rep.keySymsPerKeyCode * keycount) {
-+	    *syms_per_code = rep.keySymsPerKeyCode;
-+	    nbytes = (long)rep.length << 2;
-+	    mapping = (KeySym *) Xmalloc((unsigned)nbytes);
-+	} else {
-+	    *syms_per_code = 0;
-+	    nbytes = 0;
-+	    mapping = NULL;
-+	}
- 	if (mapping)
- 	    _XRead(dpy, (char *)mapping, nbytes);
- 	else
-diff --git a/src/XGetMMap.c b/src/XGetMMap.c
-index 246698c..33c114f 100644
---- a/src/XGetMMap.c
-+++ b/src/XGetMMap.c
-@@ -53,6 +53,7 @@ SOFTWARE.
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -85,8 +86,14 @@ XGetDeviceModifierMapping(
- 	SyncHandle();
- 	return (XModifierKeymap *) NULL;
-     }
--    nbytes = (unsigned long)rep.length << 2;
--    res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
-+    if (rep.length < (INT_MAX >> 2) &&
-+	rep.numKeyPerModifier == rep.length >> 1) {
-+	nbytes = (unsigned long)rep.length << 2;
-+	res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
-+    } else {
-+	nbytes = 0;
-+	res = NULL;
-+    }
-     if (res) {
- 	res->modifiermap = (KeyCode *) Xmalloc(nbytes);
- 	if (res->modifiermap)
-diff --git a/src/XIQueryDevice.c b/src/XIQueryDevice.c
-index fb8504f..a457cd6 100644
---- a/src/XIQueryDevice.c
-+++ b/src/XIQueryDevice.c
-@@ -26,6 +26,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdint.h>
- #include <X11/Xlibint.h>
- #include <X11/extensions/XI2proto.h>
-@@ -43,6 +44,7 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-     xXIQueryDeviceReq   *req;
-     xXIQueryDeviceReply reply;
-     char                *ptr;
-+    char                *end;
-     int                 i;
-     char                *buf;
- 
-@@ -60,14 +62,24 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-     if (!_XReply(dpy, (xReply*) &reply, 0, xFalse))
-         goto error;
- 
--    *ndevices_return = reply.num_devices;
--    info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
-+    if (reply.length < INT_MAX / 4)
-+    {
-+	*ndevices_return = reply.num_devices;
-+	info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
-+    }
-+    else
-+    {
-+	*ndevices_return = 0;
-+	info = NULL;
-+    }
-+
-     if (!info)
-         goto error;
- 
-     buf = Xmalloc(reply.length * 4);
-     _XRead(dpy, buf, reply.length * 4);
-     ptr = buf;
-+    end = buf + reply.length * 4;
- 
-     /* info is a null-terminated array */
-     info[reply.num_devices].name = NULL;
-@@ -79,6 +91,9 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-         XIDeviceInfo    *lib = &info[i];
-         xXIDeviceInfo   *wire = (xXIDeviceInfo*)ptr;
- 
-+        if (ptr + sizeof(xXIDeviceInfo) > end)
-+            goto error_loop;
-+
-         lib->deviceid    = wire->deviceid;
-         lib->use         = wire->use;
-         lib->attachment  = wire->attachment;
-@@ -87,12 +102,23 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
- 
-         ptr += sizeof(xXIDeviceInfo);
- 
-+        if (ptr + wire->name_len > end)
-+            goto error_loop;
-+
-         lib->name = Xcalloc(wire->name_len + 1, 1);
-+        if (lib->name == NULL)
-+            goto error_loop;
-         strncpy(lib->name, ptr, wire->name_len);
-+        lib->name[wire->name_len] = '\0';
-         ptr += ((wire->name_len + 3)/4) * 4;
- 
-         sz = size_classes((xXIAnyInfo*)ptr, nclasses);
-         lib->classes = Xmalloc(sz);
-+        if (lib->classes == NULL)
-+        {
-+            Xfree(lib->name);
-+            goto error_loop;
-+        }
-         ptr += copy_classes(lib, (xXIAnyInfo*)ptr, &nclasses);
-         /* We skip over unused classes */
-         lib->num_classes = nclasses;
-@@ -103,6 +129,12 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-     SyncHandle();
-     return info;
- 
-+error_loop:
-+    while (--i >= 0)
-+    {
-+        Xfree(info[i].name);
-+        Xfree(info[i].classes);
-+    }
- error:
-     UnlockDisplay(dpy);
- error_unlocked:
-diff --git a/src/XListDev.c b/src/XListDev.c
-index b85ff3c..f850cd0 100644
---- a/src/XListDev.c
-+++ b/src/XListDev.c
-@@ -74,7 +74,7 @@ static int pad_to_xid(int base_size)
- }
- 
- static size_t
--SizeClassInfo(xAnyClassPtr *any, int num_classes)
-+SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
- {
-     int size = 0;
-     int j;
-@@ -90,6 +90,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
-                 {
-                     xValuatorInfoPtr v;
- 
-+                    if (len < sizeof(v))
-+                        return 0;
-                     v = (xValuatorInfoPtr) *any;
-                     size += pad_to_xid(sizeof(XValuatorInfo) +
-                         (v->num_axes * sizeof(XAxisInfo)));
-@@ -98,6 +100,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
-             default:
-                 break;
-         }
-+        if ((*any)->length > len)
-+            return 0;
-         *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
-     }
- 
-@@ -170,7 +174,7 @@ XListInputDevices(
-     register Display	*dpy,
-     int			*ndevices)
- {
--    size_t size;
-+    size_t s, size;
-     xListInputDevicesReq *req;
-     xListInputDevicesReply rep;
-     xDeviceInfo *list, *slist = NULL;
-@@ -178,6 +182,7 @@ XListInputDevices(
-     XDeviceInfo *clist = NULL;
-     xAnyClassPtr any, sav_any;
-     XAnyClassPtr Any;
-+    char *end = NULL;
-     unsigned char *nptr, *Nptr;
-     int i;
-     unsigned long rlen;
-@@ -213,16 +218,20 @@ XListInputDevices(
- 
- 	any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo)));
- 	sav_any = any;
-+	end = (char *)list + rlen;
- 	for (i = 0; i < *ndevices; i++, list++) {
--            size += SizeClassInfo(&any, (int)list->num_classes);
-+            s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes);
-+            if (!s)
-+                goto out;
-+            size += s;
- 	}
- 
--	Nptr = ((unsigned char *)list) + rlen + 1;
-+	Nptr = ((unsigned char *)list) + rlen;
- 	for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
-+	    if (nptr >= Nptr)
-+		goto out;
- 	    size += *nptr + 1;
- 	    nptr += (*nptr + 1);
--	    if (nptr > Nptr)
--		goto out;
- 	}
- 
- 	clist = (XDeviceInfoPtr) Xmalloc(size);
-diff --git a/src/XOpenDev.c b/src/XOpenDev.c
-index 029dec2..4b3c460 100644
---- a/src/XOpenDev.c
-+++ b/src/XOpenDev.c
-@@ -53,6 +53,7 @@ SOFTWARE.
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -86,9 +87,15 @@ XOpenDevice(
- 	return (XDevice *) NULL;
-     }
- 
--    rlen = rep.length << 2;
--    dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
--			      sizeof(XInputClassInfo));
-+    if (rep.length < INT_MAX >> 2 &&
-+	(rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) {
-+	rlen = rep.length << 2;
-+	dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
-+				  sizeof(XInputClassInfo));
-+    } else {
-+	rlen = 0;
-+	dev = NULL;
-+    }
-     if (dev) {
- 	int dlen;	/* data length */
- 
-diff --git a/src/XQueryDv.c b/src/XQueryDv.c
-index de1c0e5..7ee2272 100644
---- a/src/XQueryDv.c
-+++ b/src/XQueryDv.c
-@@ -73,7 +73,7 @@ XQueryDeviceState(
-     xQueryDeviceStateReply rep;
-     XDeviceState *state = NULL;
-     XInputClass *any, *Any;
--    char *data = NULL;
-+    char *data = NULL, *end = NULL;
-     XExtDisplayInfo *info = XInput_find_display(dpy);
- 
-     LockDisplay(dpy);
-@@ -92,6 +92,7 @@ XQueryDeviceState(
- 	if (rep.length < (INT_MAX >> 2)) {
- 	    rlen = (unsigned long) rep.length << 2;
- 	    data = Xmalloc(rlen);
-+	    end = data + rlen;
- 	}
- 	if (!data) {
- 	    _XEatDataWords(dpy, rep.length);
-@@ -100,7 +101,8 @@ XQueryDeviceState(
- 	_XRead(dpy, data, rlen);
- 
- 	for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
--	    if (any->length > rlen)
-+	    if ((char *)any + sizeof(XInputClass) > end ||
-+		any->length == 0 || any->length > rlen)
- 		goto out;
- 	    rlen -= any->length;
- 
-@@ -114,6 +116,8 @@ XQueryDeviceState(
- 	    case ValuatorClass:
- 	    {
- 		xValuatorState *v = (xValuatorState *) any;
-+		if ((char *)any + sizeof(xValuatorState) > end)
-+		    goto out;
- 		size += (sizeof(XValuatorState) +
- 			 (v->num_valuators * sizeof(int)));
- 	    }
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch b/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
deleted file mode 100644
index ece8b18309..0000000000
--- a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-Fix CVE-2016-7947 and CVE-2016-7948.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6
-
-From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:21:40 +0200
-Subject: [PATCH] Avoid out of boundary accesses on illegal responses
-
-The responses of the connected X server have to be properly checked
-to avoid out of boundary accesses that could otherwise be triggered
-by a malicious server.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XrrConfig.c   | 32 +++++++++++++--------
- src/XrrCrtc.c     | 83 ++++++++++++++++++++++++++++++++++++++++++-------------
- src/XrrMonitor.c  | 18 ++++++++++++
- src/XrrOutput.c   | 11 ++++++++
- src/XrrProvider.c | 28 ++++++++++++++++---
- src/XrrScreen.c   | 52 ++++++++++++++++++++++------------
- 6 files changed, 172 insertions(+), 52 deletions(-)
-
-diff --git a/src/XrrConfig.c b/src/XrrConfig.c
-index 2f0282b..e68c45a 100644
---- a/src/XrrConfig.c
-+++ b/src/XrrConfig.c
-@@ -29,6 +29,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
- 	rep.rate = 0;
- 	rep.nrateEnts = 0;
-     }
-+    if (rep.length < INT_MAX >> 2) {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytes = (long) rep.length << 2;
-+	nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
-+			    ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
- 
--    nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
--			 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
-+	/*
-+	 * first we must compute how much space to allocate for
-+	 * randr library's use; we'll allocate the structures in a single
-+	 * allocation, on cleanlyness grounds.
-+	 */
- 
--    /*
--     * first we must compute how much space to allocate for
--     * randr library's use; we'll allocate the structures in a single
--     * allocation, on cleanlyness grounds.
--     */
-+	rbytes = sizeof (XRRScreenConfiguration) +
-+	  (rep.nSizes * sizeof (XRRScreenSize) +
-+	   rep.nrateEnts * sizeof (int));
- 
--    rbytes = sizeof (XRRScreenConfiguration) +
--      (rep.nSizes * sizeof (XRRScreenSize) +
--       rep.nrateEnts * sizeof (int));
-+	scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
-+    } else {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	scp = NULL;
-+    }
- 
--    scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
-     if (scp == NULL) {
- 	_XEatData (dpy, (unsigned long) nbytes);
- 	return NULL;
-diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
-index 5ae35c5..6665092 100644
---- a/src/XrrCrtc.c
-+++ b/src/XrrCrtc.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
- 	return NULL;
-     }
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2)
-+    {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytesRead = (long) (rep.nOutput * 4 +
--			 rep.nPossibleOutput * 4);
-+	nbytesRead = (long) (rep.nOutput * 4 +
-+			     rep.nPossibleOutput * 4);
- 
--    /*
--     * first we must compute how much space to allocate for
--     * randr library's use; we'll allocate the structures in a single
--     * allocation, on cleanlyness grounds.
--     */
-+	/*
-+	 * first we must compute how much space to allocate for
-+	 * randr library's use; we'll allocate the structures in a single
-+	 * allocation, on cleanlyness grounds.
-+	 */
- 
--    rbytes = (sizeof (XRRCrtcInfo) +
--	      rep.nOutput * sizeof (RROutput) +
--	      rep.nPossibleOutput * sizeof (RROutput));
-+	rbytes = (sizeof (XRRCrtcInfo) +
-+		  rep.nOutput * sizeof (RROutput) +
-+		  rep.nPossibleOutput * sizeof (RROutput));
-+
-+	xci = (XRRCrtcInfo *) Xmalloc(rbytes);
-+    }
-+    else
-+    {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	xci = NULL;
-+    }
- 
--    xci = (XRRCrtcInfo *) Xmalloc(rbytes);
-     if (xci == NULL) {
- 	_XEatDataWords (dpy, rep.length);
- 	UnlockDisplay (dpy);
-@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
-     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
- 	goto out;
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2)
-+    {
-+	nbytes = (long) rep.length << 2;
- 
--    /* three channels of CARD16 data */
--    nbytesRead = (rep.size * 2 * 3);
-+	/* three channels of CARD16 data */
-+	nbytesRead = (rep.size * 2 * 3);
- 
--    crtc_gamma = XRRAllocGamma (rep.size);
-+	crtc_gamma = XRRAllocGamma (rep.size);
-+    }
-+    else
-+    {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	crtc_gamma = NULL;
-+    }
- 
-     if (!crtc_gamma)
-     {
-@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display	*dpy,
-     xRRGetCrtcTransformReq	*req;
-     int				major_version, minor_version;
-     XRRCrtcTransformAttributes	*attr;
--    char			*extra = NULL, *e;
-+    char			*extra = NULL, *end = NULL, *e;
-     int				p;
- 
-     *attributes = NULL;
-@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display	*dpy,
- 	else
- 	{
- 	    int extraBytes = rep.length * 4 - CrtcTransformExtra;
--	    extra = Xmalloc (extraBytes);
-+	    if (rep.length < INT_MAX / 4 &&
-+		rep.length * 4 >= CrtcTransformExtra) {
-+		extra = Xmalloc (extraBytes);
-+		end = extra + extraBytes;
-+	    } else
-+		extra = NULL;
- 	    if (!extra) {
--		_XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
-+		if (rep.length > (CrtcTransformExtra >> 2))
-+		    _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
-+		else
-+		    _XEatDataWords (dpy, rep.length);
- 		UnlockDisplay (dpy);
- 		SyncHandle ();
- 		return False;
-@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display	*dpy,
- 
-     e = extra;
- 
-+    if (e + rep.pendingNbytesFilter > end) {
-+	XFree (extra);
-+	return False;
-+    }
-     memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
-     attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
-     e += (rep.pendingNbytesFilter + 3) & ~3;
-     for (p = 0; p < rep.pendingNparamsFilter; p++) {
- 	INT32	f;
-+	if (e + 4 > end) {
-+	    XFree (extra);
-+	    return False;
-+	}
- 	memcpy (&f, e, 4);
- 	e += 4;
- 	attr->pendingParams[p] = (XFixed) f;
-     }
-     attr->pendingNparams = rep.pendingNparamsFilter;
- 
-+    if (e + rep.currentNbytesFilter > end) {
-+	XFree (extra);
-+	return False;
-+    }
-     memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
-     attr->currentFilter[rep.currentNbytesFilter] = '\0';
-     e += (rep.currentNbytesFilter + 3) & ~3;
-     for (p = 0; p < rep.currentNparamsFilter; p++) {
- 	INT32	f;
-+	if (e + 4 > end) {
-+	    XFree (extra);
-+	    return False;
-+	}
- 	memcpy (&f, e, 4);
- 	e += 4;
- 	attr->currentParams[p] = (XFixed) f;
-diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
-index a9eaa7b..adc5330 100644
---- a/src/XrrMonitor.c
-+++ b/src/XrrMonitor.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
- 	return NULL;
-     }
- 
-+    if (rep.length > INT_MAX >> 2 ||
-+	rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
-+	rep.noutputs > INT_MAX / 4 ||
-+	rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
-+	_XEatData (dpy, rep.length);
-+	UnlockDisplay (dpy);
-+	SyncHandle ();
-+	return NULL;
-+    }
-     nbytes = (long) rep.length << 2;
-     nmon = rep.nmonitors;
-     noutput = rep.noutputs;
-@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
- 	    mon[m].outputs = output;
- 	    buf += SIZEOF (xRRMonitorInfo);
- 	    xoutput = (CARD32 *) buf;
-+	    if (xmon->noutput > rep.noutputs) {
-+	        Xfree(buf);
-+	        Xfree(mon);
-+	        UnlockDisplay (dpy);
-+	        SyncHandle ();
-+	        return NULL;
-+	    }
-+	    rep.noutputs -= xmon->noutput;
- 	    for (o = 0; o < xmon->noutput; o++)
- 		output[o] = xoutput[o];
- 	    output += xmon->noutput;
-diff --git a/src/XrrOutput.c b/src/XrrOutput.c
-index 85f0b6e..30f3d40 100644
---- a/src/XrrOutput.c
-+++ b/src/XrrOutput.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
- 	return NULL;
-     }
- 
-+    if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
-+    {
-+        if (rep.length > (OutputInfoExtra >> 2))
-+	    _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
-+	else
-+	    _XEatDataWords (dpy, rep.length);
-+	UnlockDisplay (dpy);
-+	SyncHandle ();
-+	return NULL;
-+    }
-     nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
- 
-     nbytesRead = (long) (rep.nCrtcs * 4 +
-diff --git a/src/XrrProvider.c b/src/XrrProvider.c
-index 9e620c7..d796cd0 100644
---- a/src/XrrProvider.c
-+++ b/src/XrrProvider.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
-       return NULL;
-     }
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2) {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytesRead = (long) (rep.nProviders * 4);
-+	nbytesRead = (long) (rep.nProviders * 4);
- 
--    rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
--    xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-+	rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
-+		  sizeof(RRProvider));
-+	xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-+    } else {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	xrpr = NULL;
-+    }
- 
-     if (xrpr == NULL) {
-        _XEatDataWords (dpy, rep.length);
-@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
- 	return NULL;
-     }
- 
-+    if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
-+    {
-+	if (rep.length < ProviderInfoExtra >> 2)
-+	    _XEatDataWords (dpy, rep.length);
-+	else
-+	    _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
-+	UnlockDisplay (dpy);
-+	SyncHandle ();
-+	return NULL;
-+    }
-+
-     nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
- 
-     nbytesRead = (long)(rep.nCrtcs * 4 +
-diff --git a/src/XrrScreen.c b/src/XrrScreen.c
-index b8ce7e5..1f7ffe6 100644
---- a/src/XrrScreen.c
-+++ b/src/XrrScreen.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
- 	xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
-     }
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2) {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytesRead = (long) (rep.nCrtcs * 4 +
--			 rep.nOutputs * 4 +
--			 rep.nModes * SIZEOF (xRRModeInfo) +
--			 ((rep.nbytesNames + 3) & ~3));
-+	nbytesRead = (long) (rep.nCrtcs * 4 +
-+			     rep.nOutputs * 4 +
-+			     rep.nModes * SIZEOF (xRRModeInfo) +
-+			     ((rep.nbytesNames + 3) & ~3));
- 
--    /*
--     * first we must compute how much space to allocate for
--     * randr library's use; we'll allocate the structures in a single
--     * allocation, on cleanlyness grounds.
--     */
-+	/*
-+	 * first we must compute how much space to allocate for
-+	 * randr library's use; we'll allocate the structures in a single
-+	 * allocation, on cleanlyness grounds.
-+	 */
-+
-+	rbytes = (sizeof (XRRScreenResources) +
-+		  rep.nCrtcs * sizeof (RRCrtc) +
-+		  rep.nOutputs * sizeof (RROutput) +
-+		  rep.nModes * sizeof (XRRModeInfo) +
-+		  rep.nbytesNames + rep.nModes);    /* '\0' terminate names */
- 
--    rbytes = (sizeof (XRRScreenResources) +
--	      rep.nCrtcs * sizeof (RRCrtc) +
--	      rep.nOutputs * sizeof (RROutput) +
--	      rep.nModes * sizeof (XRRModeInfo) +
--	      rep.nbytesNames + rep.nModes);	/* '\0' terminate names */
-+	xrsr = (XRRScreenResources *) Xmalloc(rbytes);
-+	wire_names = (char *) Xmalloc (rep.nbytesNames);
-+    } else {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	xrsr = NULL;
-+	wire_names = NULL;
-+    }
- 
--    xrsr = (XRRScreenResources *) Xmalloc(rbytes);
--    wire_names = (char *) Xmalloc (rep.nbytesNames);
-     if (xrsr == NULL || wire_names == NULL) {
- 	Xfree (xrsr);
- 	Xfree (wire_names);
-@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
-     wire_name = wire_names;
-     for (i = 0; i < rep.nModes; i++)  {
- 	xrsr->modes[i].name = names;
-+	if (xrsr->modes[i].nameLength > rep.nbytesNames) {
-+	    Xfree (xrsr);
-+	    Xfree (wire_names);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return NULL;
-+	}
-+	rep.nbytesNames -= xrsr->modes[i].nameLength;
- 	memcpy (names, wire_name, xrsr->modes[i].nameLength);
- 	names[xrsr->modes[i].nameLength] = '\0';
- 	names += xrsr->modes[i].nameLength + 1;
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7949.patch b/gnu/packages/patches/libxrender-CVE-2016-7949.patch
deleted file mode 100644
index 3a2be4ea8e..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7949.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2016-7949:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
-
-From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:43:09 +0200
-Subject: [PATCH] Validate lengths while parsing server data.
-
-Individual lengths inside received server data can overflow
-the previously reserved memory.
-
-It is therefore important to validate every single length
-field to not overflow the previously agreed sum of all invidual
-length fields.
-
-v2: consume remaining bytes in the reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb@laas.fr
----
- src/Xrender.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/Xrender.c b/src/Xrender.c
-index 3102eb2..71cf3e6 100644
---- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
- 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
- 	screen->subpixel = SubPixelUnknown;
- 	xDepth = (xPictDepth *) (xScreen + 1);
-+	if (screen->ndepths > rep.numDepths) {
-+	    Xfree (xri);
-+	    Xfree (xData);
-+	    _XEatDataWords (dpy, rep.length);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return 0;
-+	}
-+	rep.numDepths -= screen->ndepths;
- 	for (nd = 0; nd < screen->ndepths; nd++)
- 	{
- 	    depth->depth = xDepth->depth;
- 	    depth->nvisuals = xDepth->nPictVisuals;
- 	    depth->visuals = visual;
- 	    xVisual = (xPictVisual *) (xDepth + 1);
-+	    if (depth->nvisuals > rep.numVisuals) {
-+		Xfree (xri);
-+		Xfree (xData);
-+		_XEatDataWords (dpy, rep.length);
-+		UnlockDisplay (dpy);
-+		SyncHandle ();
-+		return 0;
-+	    }
-+	    rep.numVisuals -= depth->nvisuals;
- 	    for (nv = 0; nv < depth->nvisuals; nv++)
- 	    {
- 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch
deleted file mode 100644
index 1a64b6e724..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7950.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Fix CVE-2016-7950:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
-
-From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:42:09 +0200
-Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
-
-The memory for filter names is reserved right after receiving the reply.
-After that, filters are iterated and each individual filter name is
-stored in that reserved memory.
-
-The individual name lengths are not checked for validity, which means
-that a malicious server can reserve less memory than it will write to
-during each iteration.
-
-v2: consume remaining bytes in reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Filter.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/Filter.c b/src/Filter.c
-index edfa572..8d701eb 100644
---- a/src/Filter.c
-+++ b/src/Filter.c
-@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     char			*name;
-     char			len;
-     int				i;
--    unsigned long		nbytes, nbytesAlias, nbytesName;
-+    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
- 
-     if (!RenderHasExtension (info))
- 	return NULL;
-@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-      * Read the filter aliases
-      */
-     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
-+    reply_left = 8 + rep.length - 2 * rep.numAliases;;
- 
-     /*
-      * Read the filter names
-@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     {
- 	int	l;
- 	_XRead (dpy, &len, 1);
-+	reply_left--;
- 	l = len & 0xff;
-+	if ((unsigned long)l + 1 > nbytesName) {
-+            _XEatDataWords(dpy, reply_left);
-+	    Xfree(filters);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return NULL;
-+	}
-+	nbytesName -= l + 1;
- 	filters->filter[i] = name;
- 	_XRead (dpy, name, l);
-+        reply_left -= l;
- 	name[l] = '\0';
- 	name += l + 1;
-     }
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
deleted file mode 100644
index 9df6cf3f4d..0000000000
--- a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-Fix CVE-2016-7951 and CVE-2016-7952
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3
-
-From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:37:01 +0200
-Subject: [PATCH] Out of boundary access and endless loop in libXtst
-
-A lack of range checks in libXtst allows out of boundary accesses.
-The checks have to be done in-place here, because it cannot be done
-without in-depth knowledge of the read data.
-
-If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
-without a client sequence have attached data, an endless loop would
-occur. The do-while-loop continues until the current index reaches
-the end. But in these cases, the current index would not be
-incremented, leading to an endless processing.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 39 insertions(+), 4 deletions(-)
-
-diff --git a/src/XRecord.c b/src/XRecord.c
-index 50420c0..fefd842 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -749,15 +749,23 @@ parse_reply_call_callback(
- 	switch (rep->category) {
- 	case XRecordFromServer:
- 	    if (rep->elementHeader&XRecordFromServerTime) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->server_time);
- 		current_index += 4;
- 	    }
-+	    if (current_index + 1 > rep->length << 2)
-+		return Error;
- 	    switch (reply->buf[current_index]) {
- 	    case X_Reply: /* reply */
-+		if (current_index + 8 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index+4, datum_bytes);
-+		if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
-+		    return Error;
- 		datum_bytes = (datum_bytes+8) << 2;
- 		break;
- 	    default: /* error or event */
-@@ -766,52 +774,73 @@ parse_reply_call_callback(
- 	    break;
- 	case XRecordFromClient:
- 	    if (rep->elementHeader&XRecordFromClientTime) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->server_time);
- 		current_index += 4;
- 	    }
- 	    if (rep->elementHeader&XRecordFromClientSequence) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->client_seq);
- 		current_index += 4;
- 	    }
-+	    if (current_index + 4 > rep->length<<2)
-+		return Error;
- 	    if (reply->buf[current_index+2] == 0
- 		&& reply->buf[current_index+3] == 0) /* needn't swap 0 */
- 	    {	/* BIG-REQUESTS */
-+		if (current_index + 8 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index+4, datum_bytes);
- 	    } else {
- 		EXTRACT_CARD16(rep->clientSwapped,
- 			       reply->buf+current_index+2, datum_bytes);
- 	    }
-+	    if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
-+		return Error;
- 	    datum_bytes <<= 2;
- 	    break;
- 	case XRecordClientStarted:
-+	    if (current_index + 8 > rep->length << 2)
-+		return Error;
- 	    EXTRACT_CARD16(rep->clientSwapped,
- 			   reply->buf+current_index+6, datum_bytes);
- 	    datum_bytes = (datum_bytes+2) << 2;
- 	    break;
- 	case XRecordClientDied:
- 	    if (rep->elementHeader&XRecordFromClientSequence) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->client_seq);
- 		current_index += 4;
--	    }
--	    /* fall through */
-+	    } else if (current_index < rep->length << 2)
-+		return Error;
-+	    datum_bytes = 0;
-+	    break;
- 	case XRecordStartOfData:
- 	case XRecordEndOfData:
-+	    if (current_index < rep->length << 2)
-+		return Error;
- 	    datum_bytes = 0;
-+	    break;
- 	}
- 
- 	if (datum_bytes > 0) {
--	    if (current_index + datum_bytes > rep->length << 2)
-+	    if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
- 		fprintf(stderr,
- 			"XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
--			(long)rep->length << 2, current_index + datum_bytes,
-+			(unsigned long)rep->length << 2, current_index + datum_bytes,
- 			dpy->last_request_read);
-+		return Error;
-+	    }
- 	    /*
- 	     * This assignment (and indeed the whole buffer sharing
- 	     * scheme) assumes arbitrary 4-byte boundaries are
-@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context,
- 	    return 0;
- 	}
- 
-+	if (rep.length > INT_MAX >> 2) {
-+	    UnlockDisplay(dpy);
-+	    SyncHandle();
-+	    return 0;
-+	}
-+
- 	if (rep.length > 0) {
- 	    reply = alloc_reply_buffer(info, rep.length<<2);
- 	    if (!reply) {
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch
deleted file mode 100644
index e6a76c9f70..0000000000
--- a/gnu/packages/patches/libxv-CVE-2016-5407.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2016-5407:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
-
-From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:30:03 +0200
-Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
-
-The Xv query functions for adaptors and encodings suffer from out of
-boundary accesses if a hostile X server sends a maliciously crafted
-response.
-
-A previous fix already checks the received length against fixed values
-but ignores additional length specifications which are stored inside
-the received data.
-
-These lengths are accessed in a for-loop. The easiest way to guarantee
-a correct processing is by validating all lengths against the
-remaining size left before accessing referenced memory.
-
-This makes the previously applied check obsolete, therefore I removed
-it.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
- 1 file changed, 29 insertions(+), 17 deletions(-)
-
-diff --git a/src/Xv.c b/src/Xv.c
-index e47093a..be450c4 100644
---- a/src/Xv.c
-+++ b/src/Xv.c
-@@ -158,6 +158,7 @@ XvQueryAdaptors(
-     size_t size;
-     unsigned int ii, jj;
-     char *name;
-+    char *end;
-     XvAdaptorInfo *pas = NULL, *pa;
-     XvFormat *pfs, *pf;
-     char *buffer = NULL;
-@@ -197,17 +198,13 @@ XvQueryAdaptors(
-     /* GET INPUT ADAPTORS */
- 
-     if (rep.num_adaptors == 0) {
--        /* If there's no adaptors, there's nothing more to do. */
-+        /* If there are no adaptors, there's nothing more to do. */
-         status = Success;
-         goto out;
-     }
- 
--    if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
--        /* If there's not enough data for the number of adaptors,
--           then we have a problem. */
--        status = XvBadReply;
--        goto out;
--    }
-+    u.buffer = buffer;
-+    end = buffer + size;
- 
-     size = rep.num_adaptors * sizeof(XvAdaptorInfo);
-     if ((pas = Xmalloc(size)) == NULL) {
-@@ -225,9 +222,12 @@ XvQueryAdaptors(
-         pa++;
-     }
- 
--    u.buffer = buffer;
-     pa = pas;
-     for (ii = 0; ii < rep.num_adaptors; ii++) {
-+        if (u.buffer + sz_xvAdaptorInfo > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         pa->type = u.pa->type;
-         pa->base_id = u.pa->base_id;
-         pa->num_ports = u.pa->num_ports;
-@@ -239,6 +239,10 @@ XvQueryAdaptors(
-         size = u.pa->name_size;
-         u.buffer += pad_to_int32(sz_xvAdaptorInfo);
- 
-+        if (u.buffer + size > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         if ((name = Xmalloc(size + 1)) == NULL) {
-             status = XvBadAlloc;
-             goto out;
-@@ -259,6 +263,11 @@ XvQueryAdaptors(
- 
-         pf = pfs;
-         for (jj = 0; jj < pa->num_formats; jj++) {
-+            if (u.buffer + sz_xvFormat > end) {
-+                Xfree(pfs);
-+                status = XvBadReply;
-+                goto out;
-+            }
-             pf->depth = u.pf->depth;
-             pf->visual_id = u.pf->visual;
-             pf++;
-@@ -327,6 +336,7 @@ XvQueryEncodings(
-     size_t size;
-     unsigned int jj;
-     char *name;
-+    char *end;
-     XvEncodingInfo *pes = NULL, *pe;
-     char *buffer = NULL;
-     union {
-@@ -364,17 +374,13 @@ XvQueryEncodings(
-     /* GET ENCODINGS */
- 
-     if (rep.num_encodings == 0) {
--        /* If there's no encodings, there's nothing more to do. */
-+        /* If there are no encodings, there's nothing more to do. */
-         status = Success;
-         goto out;
-     }
- 
--    if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
--        /* If there's not enough data for the number of adaptors,
--           then we have a problem. */
--        status = XvBadReply;
--        goto out;
--    }
-+    u.buffer = buffer;
-+    end = buffer + size;
- 
-     size = rep.num_encodings * sizeof(XvEncodingInfo);
-     if ((pes = Xmalloc(size)) == NULL) {
-@@ -391,10 +397,12 @@ XvQueryEncodings(
-         pe++;
-     }
- 
--    u.buffer = buffer;
--
-     pe = pes;
-     for (jj = 0; jj < rep.num_encodings; jj++) {
-+        if (u.buffer + sz_xvEncodingInfo > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         pe->encoding_id = u.pe->encoding;
-         pe->width = u.pe->width;
-         pe->height = u.pe->height;
-@@ -405,6 +413,10 @@ XvQueryEncodings(
-         size = u.pe->name_size;
-         u.buffer += pad_to_int32(sz_xvEncodingInfo);
- 
-+        if (u.buffer + size > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         if ((name = Xmalloc(size + 1)) == NULL) {
-             status = XvBadAlloc;
-             goto out;
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch b/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
deleted file mode 100644
index 737abdeb9f..0000000000
--- a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix CVE-2016-7953:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb
-
-From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:34:27 +0200
-Subject: [PATCH] Avoid buffer underflow on empty strings.
-
-If an empty string is received from an x-server, do not underrun the
-buffer by accessing "rep.nameLen - 1" unconditionally, which could end
-up being -1.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XvMC.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/XvMC.c b/src/XvMC.c
-index 7336760..3ee4212 100644
---- a/src/XvMC.c
-+++ b/src/XvMC.c
-@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
- 	if (*name && *busID && tmpBuf) {
- 	    _XRead(dpy, tmpBuf, realSize);
- 	    strncpy(*name,tmpBuf,rep.nameLen);
--	    (*name)[rep.nameLen - 1] = '\0';
-+	    (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
- 	    strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
--	    (*busID)[rep.busIDLen - 1] = '\0';
-+	    (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
- 	    XFree(tmpBuf);
- 	} else {
- 	    XFree(*name);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/linux-pam-no-setfsuid.patch b/gnu/packages/patches/linux-pam-no-setfsuid.patch
new file mode 100644
index 0000000000..f92fbc057a
--- /dev/null
+++ b/gnu/packages/patches/linux-pam-no-setfsuid.patch
@@ -0,0 +1,75 @@
+On systems without 'setfsuid', use 'setreuid' instead.
+
+The patch originates from the Debian project for GNU/Hurd.
+Authors: Steve Langasek <vorlon@debian.org>
+Upstream status: A ticket was opened to request apply the patch,
+ticket: 'https://fedorahosted.org/linux-pam/ticket/64'.
+
+--- Linux-PAM-1.2.1/libpam/pam_modutil_priv.c	2015-03-24 06:02:32.000000000 -0600
++++ pam_modutil_priv-mod.c	2016-09-20 13:36:53.150663205 -0500
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+ 
+ /*
+  * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+  */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ 	uid_t tmp = setfsuid(uid);
+ 	if (save)
+ 		*save = tmp;
+ 	return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++	uid_t euid = geteuid();
++	uid_t ruid = getuid();
++	if (save)
++		*save = ruid;
++	if (ruid == uid && uid != 0)
++		if (setreuid(euid, uid))
++			return -1;
++	else {
++		setreuid(0, -1);
++		if (setreuid(-1, uid)) {
++			setreuid(-1, 0);
++			setreuid(0, -1);
++			if (setreuid(-1, uid))
++				return -1;
++		}
++	}
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ 	gid_t tmp = setfsgid(gid);
+ 	if (save)
+ 		*save = tmp;
+ 	return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++	gid_t egid = getegid();
++	gid_t rgid = getgid();
++	if (save)
++		*save = rgid;
++	if (rgid == gid)
++		if (setregid(egid, gid))
++			return -1;
++	else {
++		setregid(0, -1);
++		if (setregid(-1, gid)) {
++			setregid(-1, 0);
++			setregid(0, -1);
++			if (setregid(-1, gid))
++				return -1;
++		}
++	}
++#endif
+ }
+ 
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/gnu/packages/patches/mesa-wayland-egl-symbols-check-mips.patch b/gnu/packages/patches/mesa-wayland-egl-symbols-check-mips.patch
new file mode 100644
index 0000000000..aa2278697e
--- /dev/null
+++ b/gnu/packages/patches/mesa-wayland-egl-symbols-check-mips.patch
@@ -0,0 +1,15 @@
+Fix 'wayland-egl-symbols-check' on mips64el-linux, where an additional symbol
+(_ftext) is present in libwayland-egl.so.
+
+Patch by Mark H Weaver <mhw@netris.org>
+
+--- mesa-12.0.1/src/egl/wayland/wayland-egl/wayland-egl-symbols-check.orig	2016-01-18 02:39:25.000000000 -0500
++++ mesa-12.0.1/src/egl/wayland/wayland-egl/wayland-egl-symbols-check	2016-10-24 16:25:07.110721426 -0400
+@@ -7,6 +7,7 @@
+ wl_egl_window_destroy
+ wl_egl_window_get_attached_size
+ _fini
++_ftext
+ _init
+ EOF
+ done)
diff --git a/gnu/packages/patches/ola-readdir-r.patch b/gnu/packages/patches/ola-readdir-r.patch
new file mode 100644
index 0000000000..b4bd98137e
--- /dev/null
+++ b/gnu/packages/patches/ola-readdir-r.patch
@@ -0,0 +1,62 @@
+Fix build failure caused by use of the deprecated readdir_r(3) while
+building with -Werror=deprecated-declarations
+
+Patch copied from upstream source repository:
+https://github.com/daveol/ola/commit/9d8575ff38f76df698ea8889e07a3dee8f21bd68
+
+From 9d8575ff38f76df698ea8889e07a3dee8f21bd68 Mon Sep 17 00:00:00 2001
+From: Dave Olsthoorn <dave.olsthoorn@gmail.com>
+Date: Wed, 2 Mar 2016 11:22:17 +0100
+Subject: [PATCH] Use readdir instead of readdir_r
+
+This replacec the use of readdir_r with readdir since readdir seems to
+be both dangarous and deprecated in newer versions of glibc.
+
+This fixes #1055
+---
+ common/file/Util.cpp | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/common/file/Util.cpp b/common/file/Util.cpp
+index e2261fd..0ffddd3 100644
+--- a/common/file/Util.cpp
++++ b/common/file/Util.cpp
+@@ -128,30 +128,29 @@ bool FindMatchingFiles(const string &directory,
+   FindClose(h_find);
+ #else
+   DIR *dp;
+-  struct dirent dir_ent;
+-  struct dirent *dir_ent_p;
++  struct dirent *dir_ent;
+   if ((dp = opendir(directory.data())) == NULL) {
+     OLA_WARN << "Could not open " << directory << ":" << strerror(errno);
+     return false;
+   }
+ 
+-  if (readdir_r(dp, &dir_ent, &dir_ent_p)) {
+-    OLA_WARN << "readdir_r(" << directory << "): " << strerror(errno);
++  if ((dir_ent = readdir(dp)) == NULL) {
++    OLA_WARN << "readdir(" << directory << "): " << strerror(errno);
+     closedir(dp);
+     return false;
+   }
+ 
+-  while (dir_ent_p != NULL) {
++  while (dir_ent != NULL) {
+     vector<string>::const_iterator iter;
+     for (iter = prefixes.begin(); iter != prefixes.end(); ++iter) {
+-      if (!strncmp(dir_ent_p->d_name, iter->data(), iter->size())) {
++      if (!strncmp(dir_ent->d_name, iter->data(), iter->size())) {
+         std::ostringstream str;
+-        str << directory << PATH_SEPARATOR << dir_ent_p->d_name;
++        str << directory << PATH_SEPARATOR << dir_ent->d_name;
+         files->push_back(str.str());
+       }
+     }
+-    if (readdir_r(dp, &dir_ent, &dir_ent_p)) {
+-      OLA_WARN << "readdir_r(" << directory << "): " << strerror(errno);
++    if ((dir_ent = readdir(dp)) == NULL) {
++      OLA_WARN << "readdir(" << directory << "): " << strerror(errno);
+       closedir(dp);
+       return false;
+     }
diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch
deleted file mode 100644
index f6465aeaa7..0000000000
--- a/gnu/packages/patches/openssl-CVE-2016-2177.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-Fix CVE-2016-2177.
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177>
-
-Source:
-<https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7>
-
-From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-
-A common idiom in the codebase is:
-
-if (p + len > limit)
-{
-    return; /* Too long */
-}
-
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2177
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- ssl/s3_srvr.c  | 14 +++++++-------
- ssl/ssl_sess.c |  2 +-
- ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
- 3 files changed, 38 insertions(+), 34 deletions(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ab28702..ab7f690 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (SSL_IS_DTLS(s)) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
-         }
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index b182998..54ee783 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fb64607..cdac011 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
-@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
-@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
-@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
-@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
-     if (s->hit || s->cert->srv_ext.meths_count == 0)
-         return 1;
- 
--    if (data >= limit - 2)
-+    if (limit - data <= 2)
-         return 1;
-     n2s(data, len);
- 
--    if (data > limit - len)
-+    if (limit - data < len)
-         return 1;
- 
--    while (data <= limit - 4) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > limit)
-+        if (limit - data < size)
-             return 1;
-         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
-             return 0;
-@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
-@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (SSL_IS_DTLS(s)) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- 
-2.8.4
-
diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch
deleted file mode 100644
index 37cf2763af..0000000000
--- a/gnu/packages/patches/openssl-CVE-2016-2178.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-Fix CVE-2016-2178.
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178>
-
-Source:
-<https://git.openssl.org/?p=openssl.git;a=commit;h=621eaf49a289bfac26d4cbcdb7396e796784c534>
-<https://git.openssl.org/?p=openssl.git;a=commit;h=b7d0f2834e139a20560d64c73e2565e93715ce2b>
-
-From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
-From: Cesar Pereida <cesar.pereida@aalto.fi>
-Date: Mon, 23 May 2016 12:45:25 +0300
-Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME
-
-Operations in the DSA signing algorithm should run in constant time in
-order to avoid side channel attacks. A flaw in the OpenSSL DSA
-implementation means that a non-constant time codepath is followed for
-certain operations. This has been demonstrated through a cache-timing
-attack to be sufficient for an attacker to recover the private DSA key.
-
-CVE-2016-2178
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index efc4f1b..b29eb4b 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
--    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
--        BN_set_flags(&k, BN_FLG_CONSTTIME);
--    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         }
- 
-         K = &kq;
-+
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-     } else {
-         K = &k;
-     }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
--- 
-2.8.4
-
-From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Jun 2016 09:12:51 +0100
-Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME
-
-The previous "fix" still left "k" exposed to constant time problems in
-the later BN_mod_inverse() call. Ensure both k and kq have the
-BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.
-
-CVE-2016-2178
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index b29eb4b..58013a4 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-     do
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
--    while (BN_is_zero(&k)) ;
-+    while (BN_is_zero(&k));
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(&k, BN_FLG_CONSTTIME);
-+    }
-+
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         if (!BN_copy(&kq, &k))
-             goto err;
- 
-+        BN_set_flags(&kq, BN_FLG_CONSTTIME);
-+
-         /*
-          * We do not want timing information to leak the length of k, so we
-          * compute g^k using an equivalent exponent of fixed length. (This
-@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         }
- 
-         K = &kq;
--
--        BN_set_flags(K, BN_FLG_CONSTTIME);
-     } else {
-         K = &k;
-     }
--- 
-2.8.4
-
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
deleted file mode 100644
index 4c25d41740..0000000000
--- a/gnu/packages/patches/perl-CVE-2015-8607.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Tue, 15 Dec 2015 10:56:54 +1100
-Subject: ensure File::Spec::canonpath() preserves taint
-
-Previously the unix specific XS implementation of canonpath() would
-return an untainted path when supplied a tainted path.
-
-For the empty string case, newSVpvs() already sets taint as needed on
-its result.
-
-This issue was assigned CVE-2015-8607.
-
-Bug: https://rt.perl.org/Ticket/Display.html?id=126862
-Bug-Debian: https://bugs.debian.org/810719
-Origin: upstream
-Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
----
- dist/PathTools/Cwd.xs    |  1 +
- dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
-index 9d4dcf0..3d018dc 100644
---- a/dist/PathTools/Cwd.xs
-+++ b/dist/PathTools/Cwd.xs
-@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
-     *o = 0;
-     SvPOK_on(retval);
-     SvCUR_set(retval, o - SvPVX(retval));
-+    SvTAINT(retval);
-     return retval;
- }
- 
-diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
-index 309b3e5..48f8c5b 100644
---- a/dist/PathTools/t/taint.t
-+++ b/dist/PathTools/t/taint.t
-@@ -12,7 +12,7 @@ use Test::More;
- BEGIN {
-     plan(
-         ${^TAINT}
--        ? (tests => 17)
-+        ? (tests => 21)
-         : (skip_all => "A perl without taint support")
-     );
- }
-@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
- 
- # Previous versions of Cwd tainted $^O
- is !tainted($^O), 1, "\$^O should not be tainted";
-+
-+{
-+    # [perl #126862] canonpath() loses taint
-+    my $tainted = substr($ENV{PATH}, 0, 0);
-+    # yes, getcwd()'s result should be tainted, and is tested above
-+    # but be sure
-+    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
-+        "canonpath() keeps taint on non-empty string";
-+    ok tainted(File::Spec->canonpath($tainted)),
-+        "canonpath() keeps taint on empty string";
-+
-+    (Cwd::getcwd() =~ /^(.*)/);
-+    my $untainted = $1;
-+    ok !tainted($untainted), "make sure our untainted value is untainted";
-+    ok !tainted(File::Spec->canonpath($untainted)),
-+        "canonpath() doesn't add taint to untainted string";
-+}
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
deleted file mode 100644
index 99d1944a5d..0000000000
--- a/gnu/packages/patches/perl-CVE-2016-2381.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
-
-Copied from upstream:
-http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
-
-References:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
-http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
-https://security-tracker.debian.org/tracker/CVE-2016-2381
-
----
-
-From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Wed, 27 Jan 2016 11:52:15 +1100
-Subject: remove duplicate environment variables from environ
-
-If we see duplicate environment variables while iterating over
-environ[]:
-
-a) make sure we use the same value in %ENV that getenv() returns.
-
-Previously on a duplicate, %ENV would have the last entry for the name
-from environ[], but a typical getenv() would return the first entry.
-
-Rather than assuming all getenv() implementations return the first entry
-explicitly call getenv() to ensure they agree.
-
-b) remove duplicate entries from environ
-
-Previously if there was a duplicate definition for a name in environ[]
-setting that name in %ENV could result in an unsafe value being passed
-to a child process, so ensure environ[] has no duplicates.
-
-Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
----
- perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 49 insertions(+), 2 deletions(-)
-
-diff --git a/perl.c b/perl.c
-index 67d32ce..26aeb91 100644
---- a/perl.c
-+++ b/perl.c
-@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
- 	}
- 	if (env) {
- 	  char *s, *old_var;
-+          STRLEN nlen;
- 	  SV *sv;
-+          HV *dups = newHV();
-+
- 	  for (; *env; env++) {
- 	    old_var = *env;
- 
- 	    if (!(s = strchr(old_var,'=')) || s == old_var)
- 		continue;
-+            nlen = s - old_var;
- 
- #if defined(MSDOS) && !defined(DJGPP)
- 	    *s = '\0';
- 	    (void)strupr(old_var);
- 	    *s = '=';
- #endif
--	    sv = newSVpv(s+1, 0);
--	    (void)hv_store(hv, old_var, s - old_var, sv, 0);
-+            if (hv_exists(hv, old_var, nlen)) {
-+                const char *name = savepvn(old_var, nlen);
-+
-+                /* make sure we use the same value as getenv(), otherwise code that
-+                   uses getenv() (like setlocale()) might see a different value to %ENV
-+                 */
-+                sv = newSVpv(PerlEnv_getenv(name), 0);
-+
-+                /* keep a count of the dups of this name so we can de-dup environ later */
-+                if (hv_exists(dups, name, nlen))
-+                    ++SvIVX(*hv_fetch(dups, name, nlen, 0));
-+                else
-+                    (void)hv_store(dups, name, nlen, newSViv(1), 0);
-+
-+                Safefree(name);
-+            }
-+            else {
-+                sv = newSVpv(s+1, 0);
-+            }
-+	    (void)hv_store(hv, old_var, nlen, sv, 0);
- 	    if (env_is_not_environ)
- 	        mg_set(sv);
- 	  }
-+          if (HvKEYS(dups)) {
-+              /* environ has some duplicate definitions, remove them */
-+              HE *entry;
-+              hv_iterinit(dups);
-+              while ((entry = hv_iternext_flags(dups, 0))) {
-+                  STRLEN nlen;
-+                  const char *name = HePV(entry, nlen);
-+                  IV count = SvIV(HeVAL(entry));
-+                  IV i;
-+                  SV **valp = hv_fetch(hv, name, nlen, 0);
-+
-+                  assert(valp);
-+
-+                  /* try to remove any duplicate names, depending on the
-+                   * implementation used in my_setenv() the iteration might
-+                   * not be necessary, but let's be safe.
-+                   */
-+                  for (i = 0; i < count; ++i)
-+                      my_setenv(name, 0);
-+
-+                  /* and set it back to the value we set $ENV{name} to */
-+                  my_setenv(name, SvPV_nolen(*valp));
-+              }
-+          }
-+          SvREFCNT_dec_NN(dups);
-       }
- #endif /* USE_ENVIRON_ARRAY */
- #endif /* !PERL_MICRO */
diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch
deleted file mode 100644
index 5d78e8f462..0000000000
--- a/gnu/packages/patches/perl-no-build-time.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Do not record the configuration and build time so that builds can be
-reproduced bit-for-bit.
-
---- perl-5.22.0/Configure	1970-01-01 01:00:00.000000000 +0100
-+++ perl-5.22.0/Configure	2015-12-13 00:14:43.148165080 +0100
-@@ -3834,6 +3817,7 @@ esac
- 
- : who configured the system
- cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
-+cf_time='Thu Jan  1 00:00:01 UTC 1970'
- case "$cf_by" in
- "")
- 	cf_by=`(logname) 2>/dev/null`
-
---- perl-5.22.0/perl.c	2015-12-13 00:25:30.269156627 +0100
-+++ perl-5.22.0/perl.c	2015-12-13 00:25:38.265218175 +0100
-@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
-     PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
- 			      sizeof(non_bincompat_options) - 1, SVs_TEMP));
- 
--#ifdef __DATE__
-+#if 0
- #  ifdef __TIME__
-     PUSHs(Perl_newSVpvn_flags(aTHX_
- 			      STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),
-
diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch
new file mode 100644
index 0000000000..bf0d4b8f6d
--- /dev/null
+++ b/gnu/packages/patches/perl-reproducible-build-date.patch
@@ -0,0 +1,50 @@
+Don't encode the current timestamp.
+
+This affects the output of `perl -V`, specifically the message "Compiled
+at [...]".
+
+The 'cf_time' and 'cf_by' values show up in 'config.h' and
+in 'Config_heavy.pl'.
+
+Use the output of 'uname -s' instead of 'uname -a' to avoid recording
+the kernel version ('uname -o' leads to directory names like
+'x86_64-gnulinux' instead of 'x86_64-linux', which might cause breakage
+down the road.)
+
+diff --git a/perl.c b/perl.c
+index 228a0d8..ed38313 100644
+--- a/perl.c
++++ b/perl.c
+@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv)
+     PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
+ 			      sizeof(non_bincompat_options) - 1, SVs_TEMP));
+ 
++#define PERL_BUILD_DATE "Jan  1 1970 00:00:00"
+ #ifndef PERL_BUILD_DATE
+ #  ifdef __DATE__
+ #    ifdef __TIME__
+
+--- a/Configure	1970-01-01 01:00:00.000000000 +0100
++++ b/Configure	2016-10-01 14:47:20.017319739 +0200
+@@ -3276,7 +3276,7 @@ $eunicefix tr
+ : Try to determine whether config.sh was made on this system
+ case "$config_sh" in
+ '')
+-myuname=`$uname -a 2>/dev/null`
++myuname=`$uname -s 2>/dev/null`
+ $test -z "$myuname" && myuname=`hostname 2>/dev/null`
+ # Downcase everything to avoid ambiguity.
+ # Remove slashes and single quotes so we can use parts of this in
+@@ -3845,10 +3845,10 @@
+ . ./posthint.sh
+ 
+ : who configured the system
+-cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
++cf_time="1970-01-01"
+ case "$cf_by" in
+ "")
+-	cf_by=`(logname) 2>/dev/null`
++	cf_by="guix"
+ 	case "$cf_by" in
+ 	"")
+ 		cf_by=`(whoami) 2>/dev/null`
diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch
deleted file mode 100644
index 37330c9537..0000000000
--- a/gnu/packages/patches/perl-source-date-epoch.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Adapted from <https://bugs.debian.org/801621>.
-Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
-
---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm	2015-12-12 22:33:03.321787590 +0100
-+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm	2015-12-12 22:36:33.367361338 +0100
-@@ -884,7 +884,12 @@ sub devise_date {
-     my ($self) = @_;
-     my $input = $self->source_filename;
-     my $time;
--    if ($input) {
-+
-+    if (defined($ENV{SOURCE_DATE_EPOCH}) &&
-+        $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
-+        $time = $ENV{SOURCE_DATE_EPOCH};
-+    }
-+    elsif ($input) {
-         $time = (stat $input)[9] || time;
-     } else {
-         $time = time;
diff --git a/gnu/packages/patches/perl-www-curl-remove-symbol.patch b/gnu/packages/patches/perl-www-curl-remove-symbol.patch
new file mode 100644
index 0000000000..ae3486708b
--- /dev/null
+++ b/gnu/packages/patches/perl-www-curl-remove-symbol.patch
@@ -0,0 +1,39 @@
+Fix build failure caused by erroneous use of an undeclared symbol.
+
+Patch copied from upstream bug report:
+https://rt.cpan.org/Public/Bug/Display.html?id=117793
+
+From 0be0223422e6e5f4091c6e4e058d213623eed105 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 12 Sep 2016 14:40:44 +0200
+Subject: [PATCH] Skip preprocessor symbol only CURL_STRICTER
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CURL_STRICTER leaked into curl-constants.c when building against
+curl-7.50.2. This is a preprocessor only macro without a value.
+
+CPAN RT#117793
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ Makefile.PL | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.PL b/Makefile.PL
+index f9170bb..ad2bd3d 100644
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -127,7 +127,7 @@ if (!defined($curl_h)) {
+     close H;
+ 
+     for my $e (sort @syms) {
+-       if($e =~ /(OBSOLETE|^CURL_EXTERN|_LAST\z|_LASTENTRY\z)/) {
++       if($e =~ /(OBSOLETE|^CURL_EXTERN|^CURL_STRICTER\z|_LAST\z|_LASTENTRY\z)/) {
+           next;
+        }
+        my ($group) = $e =~ m/^([^_]+_)/;
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch
deleted file mode 100644
index 9d369aeb2c..0000000000
--- a/gnu/packages/patches/procps-non-linux.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001
-From: Craig Small <csmall@enc.com.au>
-Date: Sun, 17 Apr 2016 09:09:41 +1000
-Subject: [PATCH] tests: Conditionally add prctl to test process
-
-prctl was already bypassed on Cygwin systems. This extends to
-non-Linux systems such as kFreeBSD and Hurd.
-
----
- lib/test_process.c | 4 ++--
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/test_process.c b/lib/test_process.c
-index 6e652ed..6a4776c 100644
---- a/lib/test_process.c
-+++ b/lib/test_process.c
-@@ -21,7 +21,9 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <signal.h>
-+#ifdef __linux__
- #include <sys/prctl.h>
-+#endif
- #include "c.h"
- 
- #define DEFAULT_SLEEPTIME 300
-@@ -78,8 +80,10 @@
-     sigaction(SIGUSR1, &signal_action, NULL);
-     sigaction(SIGUSR2, &signal_action, NULL);
- 
-+#ifdef __linux__
-     /* set process name */
-     prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL);
-+#endif
- 
-     while (sleep_time > 0) {
- 	sleep_time = sleep(sleep_time);
--- 
-2.8.2
-
diff --git a/gnu/packages/patches/python-3.4-fix-tests.patch b/gnu/packages/patches/python-3.4-fix-tests.patch
new file mode 100644
index 0000000000..d1f8138e79
--- /dev/null
+++ b/gnu/packages/patches/python-3.4-fix-tests.patch
@@ -0,0 +1,12 @@
+--- Lib/test/test_posixpath.py  2014-03-01 05:46:56.984311000 +0100
++++ Lib/test/test_posixpath.py  2014-03-07 00:59:20.888311000 +0100
+@@ -319,7 +319,11 @@
+                 del env['HOME']
+                 home = pwd.getpwuid(os.getuid()).pw_dir
+                 # $HOME can end with a trailing /, so strip it (see #17809)
+-                self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
++                # The Guix builders have '/' as a home directory, so
++                # home.rstrip("/") will be an empty string and the test will
++                # fail. Let's just disable it since it does not really make
++                # sense with such a bizarre setup.
++                # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch
new file mode 100644
index 0000000000..46d2a84efb
--- /dev/null
+++ b/gnu/packages/patches/python-3.5-fix-tests.patch
@@ -0,0 +1,46 @@
+Additional test fixes which affect Python 3.5 (and presumably later) but not
+prior revisions of Python.
+
+--- Lib/test/test_pathlib.py     2014-03-01 03:02:36.088311000 +0100
++++ Lib/test/test_pathlib.py     2014-03-01 04:56:37.768311000 +0100
+@@ -1986,8 +1986,9 @@
+         expect = set() if not support.fs_is_case_insensitive(BASE) else given
+         self.assertEqual(given, expect)
+         self.assertEqual(set(p.rglob("FILEd*")), set())
+ 
++    @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
+     def test_expanduser(self):
+         P = self.cls
+         support.import_module('pwd')
+         import pwd
+--- Lib/test/test_tarfile.py        2016-02-24 19:22:52.597208055 +0000
++++ Lib/test/test_tarfile.py     2016-02-24 20:50:48.941950135 +0000
+@@ -2305,11 +2305,14 @@
+     try:
+         import pwd, grp
+     except ImportError:
+         return False
+-    if pwd.getpwuid(0)[0] != 'root':
+-        return False
+-    if grp.getgrgid(0)[0] != 'root':
++    try:
++        if pwd.getpwuid(0)[0] != 'root':
++            return False
++        if grp.getgrgid(0)[0] != 'root':
++            return False
++    except KeyError:
+         return False
+     return True
+
+
+--- Lib/test/test_asyncio/test_base_events.py
++++ Lib/test/test_asyncio/test_base_events.py
+@@ -142,6 +142,8 @@ class BaseEventTests(test_utils.TestCase):
+             (INET, STREAM, TCP, '', ('1.2.3.4', 1)),
+             base_events._ipaddr_info('1.2.3.4', b'1', INET, STREAM, TCP))
+ 
++    @unittest.skipUnless(support.is_resource_enabled('network'),
++                         'network is not enabled')
+     def test_getaddrinfo_servname(self):
+         INET = socket.AF_INET
+         STREAM = socket.SOCK_STREAM
diff --git a/gnu/packages/patches/python-disable-ssl-test.patch b/gnu/packages/patches/python-disable-ssl-test.patch
deleted file mode 100644
index e351c77505..0000000000
--- a/gnu/packages/patches/python-disable-ssl-test.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Disable a test that fails with openssl-1.0.2b.
-
---- Lib/test/test_ssl.py.orig	2015-02-25 06:27:45.000000000 -0500
-+++ Lib/test/test_ssl.py	2015-06-12 03:14:09.395212502 -0400
-@@ -2718,6 +2718,7 @@
-                                        chatty=True, connectionchatty=True)
-             self.assertIs(stats['compression'], None)
- 
-+        @unittest.skipIf(True, "openssl 1.0.2b complains: dh key too small")
-         def test_dh_params(self):
-             # Check we can get a connection with ephemeral Diffie-Hellman
-             context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
diff --git a/gnu/packages/patches/python-file-double-encoding-bug.patch b/gnu/packages/patches/python-file-double-encoding-bug.patch
new file mode 100644
index 0000000000..bbe825c36a
--- /dev/null
+++ b/gnu/packages/patches/python-file-double-encoding-bug.patch
@@ -0,0 +1,50 @@
+Fix bug that breaks file's Python bindings when using Python 3. This patch
+should not be applied when using Python 2.
+
+Copied from upstream source repository:
+
+https://github.com/file/file/commit/73e043d2a986234b187a00ed0c8d1f7bf83df372
+
+From 73e043d2a986234b187a00ed0c8d1f7bf83df372 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Tue, 28 Jun 2016 17:10:22 +0000
+Subject: [PATCH] PR/562: Reiner Herrmann: Avoid double encoding with python3
+
+---
+ python/magic.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/python/magic.py b/python/magic.py
+index c48f7d5..b0f7a17 100644
+--- a/python/magic.py
++++ b/python/magic.py
+@@ -134,7 +134,7 @@ class Magic(object):
+         if isinstance(r, str):
+             return r
+         else:
+-            return str(r).encode('utf-8')
++            return str(r, 'utf-8')
+ 
+     def descriptor(self, fd):
+         """
+@@ -152,7 +152,7 @@ class Magic(object):
+         if isinstance(r, str):
+             return r
+         else:
+-            return str(r).encode('utf-8')
++            return str(r, 'utf-8')
+ 
+     def error(self):
+         """
+@@ -163,7 +163,7 @@ class Magic(object):
+         if isinstance(e, str):
+             return e
+         else:
+-            return str(e).encode('utf-8')
++            return str(e, 'utf-8')
+ 
+     def setflags(self, flags):
+         """
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/python-fix-tests.patch b/gnu/packages/patches/python-fix-tests.patch
index 82c19980f9..e093307c51 100644
--- a/gnu/packages/patches/python-fix-tests.patch
+++ b/gnu/packages/patches/python-fix-tests.patch
@@ -20,21 +20,6 @@ http://bugs.python.org/issue20868 .
      def test_tarfile_root_owner(self):
          tmpdir, tmpdir2, base_name =  self._create_files()
 
---- Lib/test/test_posixpath.py	2014-03-01 05:46:56.984311000 +0100
-+++ Lib/test/test_posixpath.py	2014-03-07 00:59:20.888311000 +0100
-@@ -319,7 +319,11 @@
-                 del env['HOME']
-                 home = pwd.getpwuid(os.getuid()).pw_dir
-                 # $HOME can end with a trailing /, so strip it (see #17809)
--                self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
-+                # The Guix builders have '/' as a home directory, so
-+                # home.rstrip("/") will be an empty string and the test will
-+                # fail. Let's just disable it since it does not really make
-+                # sense with such a bizarre setup.
-+                # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
- 
-     def test_normpath(self):
-         self.assertEqual(posixpath.normpath(""), ".")
 --- Lib/test/test_socket.py.orig	2014-03-02 22:14:12.264311000 +0100
 +++ Lib/test/test_socket.py	2014-03-21 03:50:45.660311000 +0100
 @@ -819,6 +819,8 @@
diff --git a/gnu/packages/patches/python-parse-too-many-fields.patch b/gnu/packages/patches/python-parse-too-many-fields.patch
new file mode 100644
index 0000000000..9db6b91a7f
--- /dev/null
+++ b/gnu/packages/patches/python-parse-too-many-fields.patch
@@ -0,0 +1,52 @@
+From 32f15cfefb7c7b6476360ac65cba807aa3dfccfa Mon Sep 17 00:00:00 2001
+From: David King <dking@redhat.com>
+Date: Mon, 14 Dec 2015 09:58:19 +0000
+Subject: [PATCH] Fix test_too_many_fields with Python 3.5
+
+taken from https://github.com/r1chardj0n3s/parse/pull/34
+
+Python versions before 3.5 had a limit of 100 groups in regular
+expressions. This limit was removed during 3.5 development:
+
+http://bugs.python.org/issue22437
+https://hg.python.org/cpython/rev/0b85ea4bd1af
+
+The test_too_many_fields test asserts that the limit exists by
+attempting to parse a string with 15 fields, which triggers the 100
+named groups limit.
+
+Adjust the test so that if first checks to see whether the limit of 100
+named groups exists, and only assert that parsing 15 fields fails if
+that is the case.
+---
+ test_parse.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/test_parse.py b/test_parse.py
+index c524349..1d50568 100755
+--- a/test_parse.py
++++ b/test_parse.py
+@@ -6,6 +6,7 @@
+ 
+ import unittest
+ from datetime import datetime, time
++import re
+ 
+ import parse
+ 
+@@ -624,8 +625,13 @@ def test_mixed_type_variant(self):
+         self.assertEqual(r.fixed[21], 'spam')
+ 
+     def test_too_many_fields(self):
+-        p = parse.compile('{:ti}' * 15)
+-        self.assertRaises(parse.TooManyFields, p.parse, '')
++        # Python 3.5 removed the limit of 100 named groups in a regular expression,
++        # so only test for the exception if the limit exists.
++        try:
++            re.compile("".join("(?P<n{n}>{n}-)".format(n=i) for i in range(101)))
++        except AssertionError:
++            p = parse.compile('{:ti}' * 15)
++            self.assertRaises(parse.TooManyFields, p.parse, '')
+ 
+ 
+ class TestSearch(unittest.TestCase):
diff --git a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
new file mode 100644
index 0000000000..1426883216
--- /dev/null
+++ b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
@@ -0,0 +1,33 @@
+Do not define BSDWAIT to avoid error "storage size of ‘w’ isn’t known".
+
+This is an adapted version of the upstream patch taken from here:
+https://github.com/tcsh-org/tcsh/commit/4689eb60a74bf13bc146ca3d76e9d7a124ab7b49.patch
+
+From 4689eb60a74bf13bc146ca3d76e9d7a124ab7b49 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Fri, 23 Sep 2016 19:17:28 +0000
+Subject: [PATCH] Don't define BSDWAIT for linux anymore.
+
+---
+ sh.proc.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/sh.proc.c b/sh.proc.c
+index 49b199f..874d67c 100644
+--- sh.proc.c
++++ sh.proc.c
+@@ -47,11 +47,9 @@ RCSID("$tcsh$")
+ # define HZ 16
+ #endif /* aiws */
+ 
+-#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) || defined(__linux__) || defined(__GNU__) || defined(__GLIBC__)
+-# if !defined(__ANDROID__)
+-#  define BSDWAIT
+-# endif
+-#endif /* _BSD || (IRIS4D && __STDC__) || __lucid || glibc */
++#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid)
++# define BSDWAIT
++#endif /* _BSD || (IRIS4D && __STDC__) || __lucid */
+ #ifndef WTERMSIG
+ # define WTERMSIG(w)	(((union wait *) &(w))->w_termsig)
+ # ifndef BSDWAIT