9 files changed, 476 insertions, 284 deletions
diff --git a/gnu/packages/patches/jasper-CVE-2017-6850.patch b/gnu/packages/patches/jasper-CVE-2017-6850.patch
deleted file mode 100644
index 07672762a1..0000000000
--- a/gnu/packages/patches/jasper-CVE-2017-6850.patch
+++ /dev/null
@@ -1,284 +0,0 @@
-This patch is from upstream and should be fixed included in the next release
-
-From e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d Mon Sep 17 00:00:00 2001
-From: Michael Adams <mdadams@ece.uvic.ca>
-Date: Sat, 4 Mar 2017 14:43:24 -0800
-Subject: [PATCH] Fixed bugs due to uninitialized data in the JP2 decoder.
- Also, added some comments marking I/O stream interfaces that probably need to
- be changed (in the long term) to fix integer overflow problems.
-
----
- src/libjasper/base/jas_stream.c | 18 +++++++++++++++++
- src/libjasper/jp2/jp2_cod.c     | 44 ++++++++++++++++++++++++++++-------------
- 2 files changed, 48 insertions(+), 14 deletions(-)
-
-diff --git a/src/libjasper/base/jas_stream.c b/src/libjasper/base/jas_stream.c
-index 327ee57..d70408f 100644
---- a/src/libjasper/base/jas_stream.c
-+++ b/src/libjasper/base/jas_stream.c
-@@ -664,6 +664,7 @@ int jas_stream_ungetc(jas_stream_t *stream, int c)
- 	return 0;
- }
- 
-+/* FIXME integral type */
- int jas_stream_read(jas_stream_t *stream, void *buf, int cnt)
- {
- 	int n;
-@@ -690,6 +691,7 @@ int jas_stream_read(jas_stream_t *stream, void *buf, int cnt)
- 	return n;
- }
- 
-+/* FIXME integral type */
- int jas_stream_write(jas_stream_t *stream, const void *buf, int cnt)
- {
- 	int n;
-@@ -742,6 +744,7 @@ int jas_stream_puts(jas_stream_t *stream, const char *s)
- 	return 0;
- }
- 
-+/* FIXME integral type */
- char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
- {
- 	int c;
-@@ -765,6 +768,7 @@ char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
- 	return buf;
- }
- 
-+/* FIXME integral type */
- int jas_stream_gobble(jas_stream_t *stream, int n)
- {
- 	int m;
-@@ -783,6 +787,7 @@ int jas_stream_gobble(jas_stream_t *stream, int n)
- 	return n;
- }
- 
-+/* FIXME integral type */
- int jas_stream_pad(jas_stream_t *stream, int n, int c)
- {
- 	int m;
-@@ -885,6 +890,7 @@ long jas_stream_tell(jas_stream_t *stream)
- * Buffer initialization code.
- \******************************************************************************/
- 
-+/* FIXME integral type */
- static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
-   int bufsize)
- {
-@@ -1060,6 +1066,7 @@ static int jas_strtoopenmode(const char *s)
- 	return openmode;
- }
- 
-+/* FIXME integral type */
- int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n)
- {
- 	int all;
-@@ -1085,6 +1092,7 @@ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n)
- 	return 0;
- }
- 
-+/* FIXME integral type */
- long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt)
- {
- 	int old;
-@@ -1094,6 +1102,7 @@ long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt)
- 	return old;
- }
- 
-+/* FIXME integral type */
- int jas_stream_display(jas_stream_t *stream, FILE *fp, int n)
- {
- 	unsigned char buf[16];
-@@ -1168,6 +1177,7 @@ long jas_stream_length(jas_stream_t *stream)
- * Memory stream object.
- \******************************************************************************/
- 
-+/* FIXME integral type */
- static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt)
- {
- 	ssize_t n;
-@@ -1209,6 +1219,7 @@ static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
- 	return 0;
- }
- 
-+/* FIXME integral type */
- static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt)
- {
- 	size_t n;
-@@ -1264,6 +1275,7 @@ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt)
- 	return ret;
- }
- 
-+/* FIXME integral type */
- static long mem_seek(jas_stream_obj_t *obj, long offset, int origin)
- {
- 	jas_stream_memobj_t *m = (jas_stream_memobj_t *)obj;
-@@ -1310,6 +1322,7 @@ static int mem_close(jas_stream_obj_t *obj)
- * File stream object.
- \******************************************************************************/
- 
-+/* FIXME integral type */
- static int file_read(jas_stream_obj_t *obj, char *buf, int cnt)
- {
- 	jas_stream_fileobj_t *fileobj;
-@@ -1318,6 +1331,7 @@ static int file_read(jas_stream_obj_t *obj, char *buf, int cnt)
- 	return read(fileobj->fd, buf, cnt);
- }
- 
-+/* FIXME integral type */
- static int file_write(jas_stream_obj_t *obj, char *buf, int cnt)
- {
- 	jas_stream_fileobj_t *fileobj;
-@@ -1326,6 +1340,7 @@ static int file_write(jas_stream_obj_t *obj, char *buf, int cnt)
- 	return write(fileobj->fd, buf, cnt);
- }
- 
-+/* FIXME integral type */
- static long file_seek(jas_stream_obj_t *obj, long offset, int origin)
- {
- 	jas_stream_fileobj_t *fileobj;
-@@ -1352,6 +1367,7 @@ static int file_close(jas_stream_obj_t *obj)
- * Stdio file stream object.
- \******************************************************************************/
- 
-+/* FIXME integral type */
- static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt)
- {
- 	FILE *fp;
-@@ -1367,6 +1383,7 @@ static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt)
- 	return result;
- }
- 
-+/* FIXME integral type */
- static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt)
- {
- 	FILE *fp;
-@@ -1377,6 +1394,7 @@ static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt)
- 	return (n != JAS_CAST(size_t, cnt)) ? (-1) : cnt;
- }
- 
-+/* FIXME integral type */
- static long sfile_seek(jas_stream_obj_t *obj, long offset, int origin)
- {
- 	FILE *fp;
-diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
-index 7f3608a..8d98a2c 100644
---- a/src/libjasper/jp2/jp2_cod.c
-+++ b/src/libjasper/jp2/jp2_cod.c
-@@ -183,15 +183,28 @@ jp2_boxinfo_t jp2_boxinfo_unk = {
- * Box constructor.
- \******************************************************************************/
- 
--jp2_box_t *jp2_box_create(int type)
-+jp2_box_t *jp2_box_create0()
- {
- 	jp2_box_t *box;
--	jp2_boxinfo_t *boxinfo;
--
- 	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
- 		return 0;
- 	}
- 	memset(box, 0, sizeof(jp2_box_t));
-+	box->type = 0;
-+	box->len = 0;
-+	// Mark the box data as never having been constructed
-+	// so that we will not errantly attempt to destroy it later.
-+	box->ops = &jp2_boxinfo_unk.ops;
-+	return box;
-+}
-+
-+jp2_box_t *jp2_box_create(int type)
-+{
-+	jp2_box_t *box;
-+	jp2_boxinfo_t *boxinfo;
-+	if (!(box = jp2_box_create0())) {
-+		return 0;
-+	}
- 	box->type = type;
- 	box->len = 0;
- 	if (!(boxinfo = jp2_boxinfolookup(type))) {
-@@ -248,14 +261,9 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
- 	box = 0;
- 	tmpstream = 0;
- 
--	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
-+	if (!(box = jp2_box_create0())) {
- 		goto error;
- 	}
--
--	// Mark the box data as never having been constructed
--	// so that we will not errantly attempt to destroy it later.
--	box->ops = &jp2_boxinfo_unk.ops;
--
- 	if (jp2_getuint32(in, &len) || jp2_getuint32(in, &box->type)) {
- 		goto error;
- 	}
-@@ -263,10 +271,12 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
- 	box->info = boxinfo;
- 	box->len = len;
- 	JAS_DBGLOG(10, (
--	  "preliminary processing of JP2 box: type=%c%s%c (0x%08x); length=%d\n",
-+	  "preliminary processing of JP2 box: "
-+	  "type=%c%s%c (0x%08x); length=%"PRIuFAST32"\n",
- 	  '"', boxinfo->name, '"', box->type, box->len
- 	  ));
- 	if (box->len == 1) {
-+		JAS_DBGLOG(10, ("big length\n"));
- 		if (jp2_getuint64(in, &extlen)) {
- 			goto error;
- 		}
-@@ -382,6 +392,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t *in)
- {
- 	jp2_bpcc_t *bpcc = &box->data.bpcc;
- 	unsigned int i;
-+	bpcc->bpcs = 0;
- 	bpcc->numcmpts = box->datalen;
- 	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
- 		return -1;
-@@ -462,6 +473,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t *in)
- 	jp2_cdef_t *cdef = &box->data.cdef;
- 	jp2_cdefchan_t *chan;
- 	unsigned int channo;
-+	cdef->ents = 0;
- 	if (jp2_getuint16(in, &cdef->numchans)) {
- 		return -1;
- 	}
-@@ -518,7 +530,9 @@ int jp2_box_put(jp2_box_t *box, jas_stream_t *out)
- 	}
- 
- 	if (dataflag) {
--		if (jas_stream_copy(out, tmpstream, box->len - JP2_BOX_HDRLEN(false))) {
-+		if (jas_stream_copy(out, tmpstream, box->len -
-+		  JP2_BOX_HDRLEN(false))) {
-+			jas_eprintf("cannot copy box data\n");
- 			goto error;
- 		}
- 		jas_stream_close(tmpstream);
-@@ -777,6 +791,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t *in)
- 	jp2_cmap_t *cmap = &box->data.cmap;
- 	jp2_cmapent_t *ent;
- 	unsigned int i;
-+	cmap->ents = 0;
- 
- 	cmap->numchans = (box->datalen) / 4;
- 	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
-@@ -835,6 +850,7 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
- 	int_fast32_t x;
- 
- 	pclr->lutdata = 0;
-+	pclr->bpc = 0;
- 
- 	if (jp2_getuint16(in, &pclr->numlutents) ||
- 	  jp2_getuint8(in, &pclr->numchans)) {
-@@ -869,9 +885,9 @@ static int jp2_pclr_putdata(jp2_box_t *box, jas_stream_t *out)
- #if 0
- 	jp2_pclr_t *pclr = &box->data.pclr;
- #endif
--/* Eliminate warning about unused variable. */
--box = 0;
--out = 0;
-+	/* Eliminate warning about unused variable. */
-+	box = 0;
-+	out = 0;
- 	return -1;
- }
- 
diff --git a/gnu/packages/patches/libgit2-0.25.1-mtime-0.patch b/gnu/packages/patches/libgit2-0.25.1-mtime-0.patch
new file mode 100644
index 0000000000..a6fdb50fff
--- /dev/null
+++ b/gnu/packages/patches/libgit2-0.25.1-mtime-0.patch
@@ -0,0 +1,14 @@
+The Clar test framework has a bug whereby it skips the parsing phase
+on files with mtime=0.
+
+Reported upstream at <https://github.com/vmg/clar/pull/78>.
+
+diff --git a/tests/generate.py b/tests/generate.py
+index b639c8f..111ca41 100644
+--- a/tests/generate.py
++++ b/tests/generate.py
+@@ -63,3 +63,3 @@ class Module(object):
+ 
+-        self.mtime = 0
++        self.mtime = None # Guix sets all file mtimes to '0'
+         self.enabled = True
diff --git a/gnu/packages/patches/libssh-hostname-parser-bug.patch b/gnu/packages/patches/libssh-hostname-parser-bug.patch
new file mode 100644
index 0000000000..69f46cbdd6
--- /dev/null
+++ b/gnu/packages/patches/libssh-hostname-parser-bug.patch
@@ -0,0 +1,31 @@
+Fix "Hostname" parsing in OpenSSH config files, as reported
+at <https://red.libssh.org/issues/260>.
+
+From: Niels Ole Salscheider <niels_ole@salscheider-online.de>
+Date: Mon, 8 May 2017 17:36:13 +0200
+Subject: [PATCH] Fix reading of the first parameter
+
+This is a fixup for 7b8b5eb4eac314a3a29be812bef0264c6611f6e7.
+Previously, it would return as long as the parameter was _not_ seen
+before. It also did not handle the case for the unsupported opcode (-1)
+which would cause a segfault when accessing the "seen" array.
+---
+ src/config.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index 7c03b27..238a655 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -218,8 +218,9 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
+   }
+ 
+   opcode = ssh_config_get_opcode(keyword);
+-  if (*parsing == 1 && opcode != SOC_HOST) {
+-      if (seen[opcode] == 0) {
++  if (*parsing == 1 && opcode != SOC_HOST &&
++      opcode > SOC_UNSUPPORTED && opcode < SOC_END) {
++      if (seen[opcode] == 1) {
+           return 0;
+       }
+       seen[opcode] = 1;
diff --git a/gnu/packages/patches/openldap-CVE-2017-9287.patch b/gnu/packages/patches/openldap-CVE-2017-9287.patch
new file mode 100644
index 0000000000..5ca2a60c60
--- /dev/null
+++ b/gnu/packages/patches/openldap-CVE-2017-9287.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-9287:
+
+https://www.openldap.org/its/?findid=8655
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287
+
+Patch copied from upstream source repository:
+
+https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e
+
+From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Wed, 17 May 2017 20:07:39 -0700
+Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0
+
+Fixes a double free when a search includes the Paged Results control
+with a page size of 0 and the search base matches the filter.
+---
+ servers/slapd/back-mdb/search.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
+index 301d1a498c..43442aa242 100644
+--- a/servers/slapd/back-mdb/search.c
++++ b/servers/slapd/back-mdb/search.c
+@@ -1066,7 +1066,8 @@ notfound:
+ 			/* check size limit */
+ 			if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
+ 				if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
+-					mdb_entry_return( op, e );
++					if (e != base)
++						mdb_entry_return( op, e );
+ 					e = NULL;
+ 					send_paged_response( op, rs, &lastid, tentries );
+ 					goto done;
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/openscenegraph-ffmpeg3.patch b/gnu/packages/patches/openscenegraph-ffmpeg3.patch
new file mode 100644
index 0000000000..02c04a5583
--- /dev/null
+++ b/gnu/packages/patches/openscenegraph-ffmpeg3.patch
@@ -0,0 +1,156 @@
+Description: Replace deprecated FFmpeg API
+Author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
+See <http://forum.openscenegraph.org/viewtopic.php?t=15832>.
+--- a/src/osgPlugins/ffmpeg/FFmpegDecoderVideo.cpp
++++ b/src/osgPlugins/ffmpeg/FFmpegDecoderVideo.cpp
+@@ -71,7 +71,7 @@ void FFmpegDecoderVideo::open(AVStream *
+     findAspectRatio();
+ 
+     // Find out whether we support Alpha channel
+-    m_alpha_channel = (m_context->pix_fmt == PIX_FMT_YUVA420P);
++    m_alpha_channel = (m_context->pix_fmt == AV_PIX_FMT_YUVA420P);
+ 
+     // Find out the framerate
+     m_frame_rate = av_q2d(stream->avg_frame_rate);
+@@ -91,20 +91,19 @@ void FFmpegDecoderVideo::open(AVStream *
+         throw std::runtime_error("avcodec_open() failed");
+ 
+     // Allocate video frame
+-    m_frame.reset(avcodec_alloc_frame());
++    m_frame.reset(av_frame_alloc());
+ 
+     // Allocate converted RGB frame
+-    m_frame_rgba.reset(avcodec_alloc_frame());
+-    m_buffer_rgba[0].resize(avpicture_get_size(PIX_FMT_RGB24, width(), height()));
++    m_frame_rgba.reset(av_frame_alloc());
++    m_buffer_rgba[0].resize(avpicture_get_size(AV_PIX_FMT_RGB24, width(), height()));
+     m_buffer_rgba[1].resize(m_buffer_rgba[0].size());
+ 
+     // Assign appropriate parts of the buffer to image planes in m_frame_rgba
+-    avpicture_fill((AVPicture *) (m_frame_rgba).get(), &(m_buffer_rgba[0])[0], PIX_FMT_RGB24, width(), height());
++    avpicture_fill((AVPicture *) (m_frame_rgba).get(), &(m_buffer_rgba[0])[0], AV_PIX_FMT_RGB24, width(), height());
+ 
+     // Override get_buffer()/release_buffer() from codec context in order to retrieve the PTS of each frame.
+     m_context->opaque = this;
+-    m_context->get_buffer = getBuffer;
+-    m_context->release_buffer = releaseBuffer;
++    m_context->get_buffer2 = getBuffer;
+ }
+ 
+ 
+@@ -263,8 +262,8 @@ int FFmpegDecoderVideo::convert(AVPictur
+ #ifdef USE_SWSCALE
+     if (m_swscale_ctx==0)
+     {
+-        m_swscale_ctx = sws_getContext(src_width, src_height, (PixelFormat) src_pix_fmt,
+-                                      src_width, src_height, (PixelFormat) dst_pix_fmt,
++        m_swscale_ctx = sws_getContext(src_width, src_height, (AVPixelFormat) src_pix_fmt,
++                                      src_width, src_height, (AVPixelFormat) dst_pix_fmt,
+                                       /*SWS_BILINEAR*/ SWS_BICUBIC, NULL, NULL, NULL);
+     }
+ 
+@@ -311,14 +310,14 @@ void FFmpegDecoderVideo::publishFrame(co
+     AVPicture * const dst = (AVPicture *) m_frame_rgba.get();
+ 
+     // Assign appropriate parts of the buffer to image planes in m_frame_rgba
+-    avpicture_fill((AVPicture *) (m_frame_rgba).get(), &(m_buffer_rgba[m_writeBuffer])[0], PIX_FMT_RGB24, width(), height());
++    avpicture_fill((AVPicture *) (m_frame_rgba).get(), &(m_buffer_rgba[m_writeBuffer])[0], AV_PIX_FMT_RGB24, width(), height());
+ 
+     // Convert YUVA420p (i.e. YUV420p plus alpha channel) using our own routine
+ 
+-    if (m_context->pix_fmt == PIX_FMT_YUVA420P)
++    if (m_context->pix_fmt == AV_PIX_FMT_YUVA420P)
+         yuva420pToRgba(dst, src, width(), height());
+     else
+-        convert(dst, PIX_FMT_RGB24, src, m_context->pix_fmt, width(), height());
++        convert(dst, AV_PIX_FMT_RGB24, src, m_context->pix_fmt, width(), height());
+ 
+     // Wait 'delay' seconds before publishing the picture.
+     int i_delay = static_cast<int>(delay * 1000000 + 0.5);
+@@ -345,7 +344,7 @@ void FFmpegDecoderVideo::publishFrame(co
+ 
+ void FFmpegDecoderVideo::yuva420pToRgba(AVPicture * const dst, AVPicture * const src, int width, int height)
+ {
+-    convert(dst, PIX_FMT_RGB24, src, m_context->pix_fmt, width, height);
++    convert(dst, AV_PIX_FMT_RGB24, src, m_context->pix_fmt, width, height);
+ 
+     const size_t bpp = 4;
+ 
+@@ -363,31 +362,28 @@ void FFmpegDecoderVideo::yuva420pToRgba(
+     }
+ }
+ 
+-
+-
+-int FFmpegDecoderVideo::getBuffer(AVCodecContext * const context, AVFrame * const picture)
++int FFmpegDecoderVideo::getBuffer(AVCodecContext * const context, AVFrame * const picture, int flags)
+ {
++    AVBufferRef *ref;
+     const FFmpegDecoderVideo * const this_ = reinterpret_cast<const FFmpegDecoderVideo*>(context->opaque);
+ 
+-    const int result = avcodec_default_get_buffer(context, picture);
++    const int result = avcodec_default_get_buffer2(context, picture, flags);
+     int64_t * p_pts = reinterpret_cast<int64_t*>( av_malloc(sizeof(int64_t)) );
+ 
+     *p_pts = this_->m_packet_pts;
+     picture->opaque = p_pts;
+ 
++    ref = av_buffer_create((uint8_t *)picture->opaque, sizeof(int64_t), FFmpegDecoderVideo::freeBuffer, picture->buf[0], flags);
++    picture->buf[0] = ref;
++
+     return result;
+ }
+ 
+-
+-
+-void FFmpegDecoderVideo::releaseBuffer(AVCodecContext * const context, AVFrame * const picture)
++void FFmpegDecoderVideo::freeBuffer(void *opaque, uint8_t *data)
+ {
+-    if (picture != 0)
+-        av_freep(&picture->opaque);
+-
+-    avcodec_default_release_buffer(context, picture);
++    AVBufferRef *ref = (AVBufferRef *)opaque;
++    av_buffer_unref(&ref);
++    av_free(data);
+ }
+ 
+-
+-
+ } // namespace osgFFmpeg
+--- a/src/osgPlugins/ffmpeg/FFmpegDecoderVideo.hpp
++++ b/src/osgPlugins/ffmpeg/FFmpegDecoderVideo.hpp
+@@ -94,8 +94,8 @@ private:
+                 int src_pix_fmt, int src_width, int src_height);
+ 
+ 
+-    static int getBuffer(AVCodecContext * context, AVFrame * picture);
+-    static void releaseBuffer(AVCodecContext * context, AVFrame * picture);
++    static int getBuffer(AVCodecContext * context, AVFrame * picture, int flags);
++    static void freeBuffer(void * opaque, uint8_t *data);
+ 
+     PacketQueue &           m_packets;
+     FFmpegClocks &          m_clocks;
+--- a/src/osgPlugins/ffmpeg/FFmpegParameters.cpp
++++ b/src/osgPlugins/ffmpeg/FFmpegParameters.cpp
+@@ -19,7 +19,7 @@ extern "C"
+     #include <libavutil/pixdesc.h>
+ }
+ 
+-inline PixelFormat osg_av_get_pix_fmt(const char *name) { return av_get_pix_fmt(name); }
++inline AVPixelFormat osg_av_get_pix_fmt(const char *name) { return av_get_pix_fmt(name); }
+ 
+ 
+ namespace osgFFmpeg {
+--- a/src/osgPlugins/ffmpeg/FFmpegDecoderAudio.cpp	2016-02-18 21:25:39.627923629 +0000
++++ b/src/osgPlugins/ffmpeg/FFmpegDecoderAudio.cpp	2016-02-18 21:26:17.071140100 +0000
+@@ -227,8 +227,7 @@
+         if (avcodec_open2(m_context, p_codec, NULL) < 0)
+             throw std::runtime_error("avcodec_open() failed");
+ 
+-        m_context->get_buffer = avcodec_default_get_buffer;
+-        m_context->release_buffer = avcodec_default_release_buffer;
++        m_context->get_buffer2 = avcodec_default_get_buffer2;
+ 
+     }
+ 
diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch
new file mode 100644
index 0000000000..88b33aa2f0
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8112.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-8112:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e
+
+From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 25 Apr 2017 18:36:23 +0530
+Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
+
+A guest could set the message ring page count to zero, resulting in
+infinite loop. Add check to avoid it.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 75575461e2..4a106da856 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
+-    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+         return -1;
+     }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch
new file mode 100644
index 0000000000..dc4b4006b7
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8309.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-8309:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a
+
+From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
++                g_free (cap->hw.mix_buf);
++                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch
new file mode 100644
index 0000000000..200b133d3e
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8379.patch
@@ -0,0 +1,98 @@
+Fix CVE-2017-8379:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
+
+From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 10:42:37 +0200
+Subject: [PATCH] input: limit kbd queue depth
+
+Apply a limit to the number of items we accept into the keyboard queue.
+
+Impact: Without this limit vnc clients can exhaust host memory by
+sending keyboard events faster than qemu feeds them to the guest.
+
+Fixes: CVE-2017-8379
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: jiangxin1@huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170428084237.23960-1-kraxel@redhat.com
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+     QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+ 
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+                                                    QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+             break;
+         }
+         QTAILQ_REMOVE(queue, item, node);
++        queue_count--;
+         g_free(item);
+     }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+     item->delay_ms = delay_ms;
+     item->timer = timer;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ 
+     if (start_timer) {
+         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+     item->src = src;
+     item->evt = evt;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+ 
+     item->type = QEMU_INPUT_QUEUE_SYNC;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+         qemu_input_event_send(src, evt);
+         qemu_input_event_sync();
+         qapi_free_InputEvent(evt);
+-    } else {
++    } else if (queue_count < queue_limit) {
+         qemu_input_queue_event(&kbd_queue, src, evt);
+         qemu_input_queue_sync(&kbd_queue);
+     }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+                                  &kbd_queue);
+     }
+-    qemu_input_queue_delay(&kbd_queue, kbd_timer,
+-                           delay_ms ? delay_ms : kbd_default_delay_ms);
++    if (queue_count < queue_limit) {
++        qemu_input_queue_delay(&kbd_queue, kbd_timer,
++                               delay_ms ? delay_ms : kbd_default_delay_ms);
++    }
+ }
+ 
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch
new file mode 100644
index 0000000000..65e49fc885
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8380.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-8380:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
+
+From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 24 Apr 2017 17:36:34 +0530
+Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
+
+While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
+an off-by-one error could occur as 's->adp_reset' index is not
+reset after reading the last sequence.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf901..804122ab05 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+     case MFI_SEQ:
+         trace_megasas_mmio_writel("MFI_SEQ", val);
+         /* Magic sequence to start ADP reset */
+-        if (adp_reset_seq[s->adp_reset] == val) {
+-            s->adp_reset++;
++        if (adp_reset_seq[s->adp_reset++] == val) {
++            if (s->adp_reset == 6) {
++                s->adp_reset = 0;
++                s->diag = MFI_DIAG_WRITE_ENABLE;
++            }
+         } else {
+             s->adp_reset = 0;
+             s->diag = 0;
+         }
+-        if (s->adp_reset == 6) {
+-            s->diag = MFI_DIAG_WRITE_ENABLE;
+-        }
+         break;
+     case MFI_DIAG:
+         trace_megasas_mmio_writel("MFI_DIAG", val);
+-- 
+2.13.0
+