Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/clang-runtime-asan-build-fixes.patch92
-rw-r--r--gnu/packages/patches/clang-runtime-esan-build-fixes.patch19
-rw-r--r--gnu/packages/patches/clementine-remove-crypto++-dependency.patch19
-rw-r--r--gnu/packages/patches/clisp-glibc-2.26.patch20
-rw-r--r--gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch65
-rw-r--r--gnu/packages/patches/dovecot-CVE-2017-15132.patch36
-rw-r--r--gnu/packages/patches/dtc-32-bits-check.patch134
-rw-r--r--gnu/packages/patches/dtc-format-modifier.patch38
-rw-r--r--gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch59
-rw-r--r--gnu/packages/patches/emacs-json-reformat-fix-tests.patch32
-rw-r--r--gnu/packages/patches/freetype-CVE-2018-6942.patch31
-rw-r--r--gnu/packages/patches/gcc-4.9-libsanitizer-fix.patch66
-rw-r--r--gnu/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch61
-rw-r--r--gnu/packages/patches/gpsbabel-minizip.patch13
-rw-r--r--gnu/packages/patches/gpsbabel-qstring.patch69
-rw-r--r--gnu/packages/patches/gzdoom-search-in-installed-share.patch23
-rw-r--r--gnu/packages/patches/hwloc-tests-without-sysfs.patch42
-rw-r--r--gnu/packages/patches/icecat-bug-1427870-spectre-mitigation.patch49
-rw-r--r--gnu/packages/patches/icecat-glibc-2.26.patch261
-rw-r--r--gnu/packages/patches/icecat-use-system-graphite2.patch248
-rw-r--r--gnu/packages/patches/icecat-use-system-harfbuzz.patch279
-rw-r--r--gnu/packages/patches/java-xerces-bootclasspath.patch38
-rw-r--r--gnu/packages/patches/java-xerces-build_dont_unzip.patch44
-rw-r--r--gnu/packages/patches/java-xerces-xjavac_taskdef.patch45
-rw-r--r--gnu/packages/patches/ktexteditor-5.39.0-autotests-dependencies.patch49
-rw-r--r--gnu/packages/patches/libexif-CVE-2016-6328.patch72
-rw-r--r--gnu/packages/patches/libgnomeui-utf8.patch51
-rw-r--r--gnu/packages/patches/libsndfile-CVE-2017-12562.patch97
-rw-r--r--gnu/packages/patches/libtasn1-CVE-2018-6003.patch73
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-18013.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-9935.patch162
-rw-r--r--gnu/packages/patches/luajit-symlinks.patch25
-rw-r--r--gnu/packages/patches/lxterminal-CVE-2016-10369.patch37
-rw-r--r--gnu/packages/patches/mailutils-uninitialized-memory.patch87
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-17858.patch111
-rw-r--r--gnu/packages/patches/ninja-zero-mtime.patch19
-rw-r--r--gnu/packages/patches/opencascade-oce-glibc-2.26.patch62
-rw-r--r--gnu/packages/patches/p7zip-CVE-2017-17969.patch35
-rw-r--r--gnu/packages/patches/policycoreutils-make-sepolicy-use-python3.patch335
-rw-r--r--gnu/packages/patches/python-axolotl-AES-fix.patch24
-rw-r--r--gnu/packages/patches/python-pandas-skip-failing-tests.patch49
-rw-r--r--gnu/packages/patches/python-waitress-fix-tests.patch29
-rw-r--r--gnu/packages/patches/qtbase-use-TZDIR.patch39
-rw-r--r--gnu/packages/patches/rct-add-missing-headers.patch43
-rw-r--r--gnu/packages/patches/reposurgeon-add-missing-docbook-files.patch22
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-16548.patch31
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch42
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17433.patch45
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch28
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch39
-rw-r--r--gnu/packages/patches/rtags-separate-rct.patch72
-rw-r--r--gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch605
-rw-r--r--gnu/packages/patches/shepherd-herd-status-sorted.patch79
-rw-r--r--gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch45
-rw-r--r--gnu/packages/patches/webkitgtk-mitigate-spectre.patch107
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5974.patch28
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5975.patch32
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5976.patch61
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5978.patch37
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5979.patch19
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5981.patch19
61 files changed, 2944 insertions, 1594 deletions
diff --git a/gnu/packages/patches/clang-runtime-asan-build-fixes.patch b/gnu/packages/patches/clang-runtime-asan-build-fixes.patch
new file mode 100644
index 0000000000..e9db57d7cb
--- /dev/null
+++ b/gnu/packages/patches/clang-runtime-asan-build-fixes.patch
@@ -0,0 +1,92 @@
+This patch works around build issues in libsanitizer.  Note that we carry the
+same patches for GCC since it includes the same libsanitizer.
+
+Work around this build error on glibc 2.26:
+
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/asan/asan_linux.cc: In function 'bool __asan::AsanInterceptsSignal(int)':
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/asan/asan_linux.cc:224:20: error: 'SIGSEGV' was not declared in this scope
+
+diff --git a/libsanitizer/asan/asan_linux.cc b/libsanitizer/asan/asan_linux.cc
+index c504168..59087b9 100644
+--- a/lib/asan/asan_linux.cc
++++ b/lib/asan/asan_linux.cc
+@@ -29,6 +29,7 @@
+ #include <dlfcn.h>
+ #include <fcntl.h>
+ #include <pthread.h>
++#include <signal.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <unwind.h>
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Now, work around this other error:
+
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc: In function 'int __sanitizer::TracerThread(void*)':
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc:239:22: error: aggregate 'sigaltstack handler_stack' has incomplete type and cannot be defined
+
+
+diff --git a/lib/sanitizer_common/sanitizer_linux.cc b/lib/sanitizer_common/sanitizer_linux.cc
+index 2cefa20..223d9c6 100644
+--- a/lib/sanitizer_common/sanitizer_linux.cc
++++ b/lib/sanitizer_common/sanitizer_linux.cc
+@@ -546,8 +546,7 @@ uptr internal_prctl(int option, uptr arg2, uptr arg3, uptr arg4, uptr arg5) {
+ }
+ #endif
+ 
+-uptr internal_sigaltstack(const struct sigaltstack *ss,
+-                         struct sigaltstack *oss) {
++uptr internal_sigaltstack(const void *ss, void *oss) {
+   return internal_syscall(SYSCALL(sigaltstack), (uptr)ss, (uptr)oss);
+ }
+ 
+diff --git a/lib/sanitizer_common/sanitizer_linux.h b/lib/sanitizer_common/sanitizer_linux.h
+index 4497702..1594058 100644
+--- a/lib/sanitizer_common/sanitizer_linux.h
++++ b/lib/sanitizer_common/sanitizer_linux.h
+@@ -19,7 +19,6 @@
+ #include "sanitizer_platform_limits_posix.h"
+ 
+ struct link_map;  // Opaque type returned by dlopen().
+-struct sigaltstack;
+ 
+ namespace __sanitizer {
+ // Dirent structure for getdents(). Note that this structure is different from
+@@ -28,8 +27,7 @@ struct linux_dirent;
+ 
+ // Syscall wrappers.
+ uptr internal_getdents(fd_t fd, struct linux_dirent *dirp, unsigned int count);
+-uptr internal_sigaltstack(const struct sigaltstack* ss,
+-                          struct sigaltstack* oss);
++uptr internal_sigaltstack(const void* ss, void* oss);
+ uptr internal_sigprocmask(int how, __sanitizer_sigset_t *set,
+     __sanitizer_sigset_t *oldset);
+ void internal_sigfillset(__sanitizer_sigset_t *set);
+diff --git a/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc b/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+index c919e4f..014162af 100644
+--- a/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
++++ b/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+@@ -267,7 +267,7 @@ static int TracerThread(void* argument) {
+ 
+   // Alternate stack for signal handling.
+   InternalScopedBuffer<char> handler_stack_memory(kHandlerStackSize);
+-  struct sigaltstack handler_stack;
++  stack_t handler_stack;
+   internal_memset(&handler_stack, 0, sizeof(handler_stack));
+   handler_stack.ss_sp = handler_stack_memory.data();
+   handler_stack.ss_size = kHandlerStackSize;
+diff --git a/lib/tsan/tsan_platform_linux.cc b/lib/tsan/tsan_platform_linux.cc
+index 09cec5f..908f4fe 100644
+--- a/lib/tsan/rtl/tsan_platform_linux.cc
++++ b/lib/tsan/rtl/tsan_platform_linux.cc
+@@ -291,7 +291,7 @@ bool IsGlobalVar(uptr addr) {
+ int ExtractResolvFDs(void *state, int *fds, int nfd) {
+ #if SANITIZER_LINUX
+   int cnt = 0;
+-  __res_state *statp = (__res_state*)state;
++  struct __res_state *statp = (struct __res_state*)state;
+   for (int i = 0; i < MAXNS && cnt < nfd; i++) {
+     if (statp->_u._ext.nsaddrs[i] && statp->_u._ext.nssocks[i] != -1)
+       fds[cnt++] = statp->_u._ext.nssocks[i];
+-- 
+2.9.3
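Review bot: The header of clang-runtime-asan-build-fixes.patch names no upstream commit or bug for the libsanitizer changes, whereas gcc-4.9-libsanitizer-fix.patch in this same commit cites the GCC commit it backports. A line such as `Adapted from <upstream commit URL>` (placeholder, to be filled in by the author) would let a later maintainer check the carried code against its origin. The inner `diff --git` lines for asan_linux.cc and tsan_platform_linux.cc still say `libsanitizer/asan/` and `lib/tsan/`, while their `---`/`+++` lines say `lib/asan/` and `lib/tsan/rtl/`. The patch presumably still applies, since patch(1) reads the latter, but the headers should be made consistent so the file does not look like an unadapted copy of the GCC patch.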
diff --git a/gnu/packages/patches/clang-runtime-esan-build-fixes.patch b/gnu/packages/patches/clang-runtime-esan-build-fixes.patch
new file mode 100644
index 0000000000..743051ac15
--- /dev/null
+++ b/gnu/packages/patches/clang-runtime-esan-build-fixes.patch
@@ -0,0 +1,19 @@
+Fix esan compilation against glibc 2.26:
+
+  /tmp/guix-build-clang-runtime-3.9.1.drv-0/compiler-rt-3.9.1.src/lib/esan/esan_sideline_linux.cpp: In static member function ‘static int __esan::SidelineThread::runSideline(void*)’:
+  /tmp/guix-build-clang-runtime-3.9.1.drv-0/compiler-rt-3.9.1.src/lib/esan/esan_sideline_linux.cpp:73:22: error: aggregate ‘__esan::SidelineThread::runSideline(void*)::sigaltstack SigAltStack’ has incomplete type and cannot be defined
+
+Patch from <https://github.com/google/sanitizers/issues/822>.
+
+index d04f5909d..bc272dfe4 100644
+--- a/lib/esan/esan_sideline_linux.cpp
++++ b/lib/esan/esan_sideline_linux.cpp
+@@ -70,7 +70,7 @@ int SidelineThread::runSideline(void *Arg) {
+ 
+   // Set up a signal handler on an alternate stack for safety.
+   InternalScopedBuffer<char> StackMap(SigAltStackSize);
+-  struct sigaltstack SigAltStack;
++  stack_t SigAltStack;
+   SigAltStack.ss_sp = StackMap.data();
+   SigAltStack.ss_size = SigAltStackSize;
+   SigAltStack.ss_flags = 0;
diff --git a/gnu/packages/patches/clementine-remove-crypto++-dependency.patch b/gnu/packages/patches/clementine-remove-crypto++-dependency.patch
new file mode 100644
index 0000000000..e7cf80ddee
--- /dev/null
+++ b/gnu/packages/patches/clementine-remove-crypto++-dependency.patch
@@ -0,0 +1,19 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 3202b8b..473ecb9 100755
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -279,14 +279,6 @@ optional_component(LIBPULSE ON "Pulse audio integration"
+ 
+ optional_component(VISUALISATIONS ON "Visualisations")
+ 
+-if(NOT HAVE_SPOTIFY_BLOB AND NOT CRYPTOPP_FOUND)
+-  message(FATAL_ERROR "Either crypto++ must be available or the non-GPL Spotify "
+-          "code must be compiled in")
+-elseif(CRYPTOPP_FOUND)
+-  set(HAVE_CRYPTOPP ON)
+-  set(HAVE_SPOTIFY_DOWNLOADER ON)
+-endif()
+-
+ # Find DBus if it's enabled
+ if (HAVE_DBUS)
+   find_package(Qt5 COMPONENTS DBus)
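Review bot: clementine-remove-crypto++-dependency.patch has no header at all, so nothing records why the crypto++ check is removed or whether the change comes from upstream. The deleted block is the only place visible here that sets `HAVE_CRYPTOPP` and `HAVE_SPOTIFY_DOWNLOADER`, and it also held the `FATAL_ERROR` guard, so a configuration with neither crypto++ nor the Spotify blob now passes silently. That is presumably the intent, but it should be stated, for example with a leading line such as `Do not require crypto++; build without the Spotify downloader.` followed by the reason for dropping the dependency.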
diff --git a/gnu/packages/patches/clisp-glibc-2.26.patch b/gnu/packages/patches/clisp-glibc-2.26.patch
new file mode 100644
index 0000000000..c8920ceccc
--- /dev/null
+++ b/gnu/packages/patches/clisp-glibc-2.26.patch
@@ -0,0 +1,20 @@
+This patch comes from Debian.
+
+Description: cfree is not present in glibc-2.26, stop wrapping it
+Author: Adam Conrad <adconrad@ubuntu.com>
+Bug: https://sourceforge.net/p/clisp/bugs/717/
+Bug-Debian: https://bugs.debian.org/880686
+Applied-Upstream: https://sourceforge.net/p/clisp/clisp/ci/3bc928712d150ff1e5f6b2bfb7838655f3ff52fa/
+Reviewed-By: Sébastien Villemot <sebastien@debian.org>
+Last-Update: 2017-11-27
+
+--- clisp-2.49.20170913.orig/modules/bindings/glibc/linux.lisp
++++ clisp-2.49.20170913/modules/bindings/glibc/linux.lisp
+@@ -649,7 +649,6 @@
+ (def-call-out calloc (:arguments (nmemb size_t) (size size_t))
+   (:return-type c-pointer))
+ (def-call-out free (:arguments (ptr c-pointer)) (:return-type nil))
+-(def-call-out cfree (:arguments (ptr c-pointer)) (:return-type nil))
+ (def-call-out valloc (:arguments (size size_t)) (:return-type c-pointer))
+ 
+ (def-call-out abort (:arguments) (:return-type nil))
diff --git a/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch b/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch
deleted file mode 100644
index 88b2e7f25a..0000000000
--- a/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 3d9181d7bdd8e491f745dbc9e34bd20b6f6da069 Mon Sep 17 00:00:00 2001
-From: Gergely Nagy <ngg@tresorit.com>
-Date: Wed, 14 Dec 2016 13:19:01 +0100
-Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)
-
----
- asn.cpp | 10 ++++++++++
- asn.h   |  2 ++
- 2 files changed, 12 insertions(+)
-
-diff --git a/asn.cpp b/asn.cpp
-index 297ff010..2e923ef7 100644
---- a/asn.cpp
-+++ b/asn.cpp
-@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
- 	size_t bc;

- 	if (!BERLengthDecode(bt, bc))

- 		BERDecodeError();

-+	if (bc > bt.MaxRetrievable())

-+		BERDecodeError();

- 

- 	str.New(bc);

- 	if (bc != bt.Get(str, bc))

-@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
- 	size_t bc;

- 	if (!BERLengthDecode(bt, bc))

- 		BERDecodeError();

-+	if (bc > bt.MaxRetrievable())

-+		BERDecodeError();

- 

- 	bt.TransferTo(str, bc);

- 	return bc;

-@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
- 	size_t bc;

- 	if (!BERLengthDecode(bt, bc))

- 		BERDecodeError();

-+	if (bc > bt.MaxRetrievable())

-+		BERDecodeError();

- 

- 	SecByteBlock temp(bc);

- 	if (bc != bt.Get(temp, bc))

-@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
- 	size_t bc;

- 	if (!BERLengthDecode(bt, bc))

- 		BERDecodeError();

-+	if (bc == 0)

-+		BERDecodeError();

-+	if (bc > bt.MaxRetrievable())

-+		BERDecodeError();

- 

- 	byte unused;

- 	if (!bt.Get(unused))

-diff --git a/asn.h b/asn.h
-index ed9de52c..33f0dd09 100644
---- a/asn.h
-+++ b/asn.h
-@@ -498,6 +498,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
- 	bool definite = BERLengthDecode(in, bc);

- 	if (!definite)

- 		BERDecodeError();

-+	if (bc > in.MaxRetrievable())

-+		BERDecodeError();

- 

- 	SecByteBlock buf(bc);

- 

diff --git a/gnu/packages/patches/dovecot-CVE-2017-15132.patch b/gnu/packages/patches/dovecot-CVE-2017-15132.patch
new file mode 100644
index 0000000000..32666b8557
--- /dev/null
+++ b/gnu/packages/patches/dovecot-CVE-2017-15132.patch
@@ -0,0 +1,36 @@
+Fix CVE-2017-15132:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
+
+Patch copied from upstream source repository:
+
+https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
+
+From 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@dovecot.fi>
+Date: Mon, 18 Dec 2017 16:50:51 +0200
+Subject: [PATCH] lib-auth: Fix memory leak in auth_client_request_abort()
+
+This caused memory leaks when authentication was aborted. For example
+with IMAP:
+
+a AUTHENTICATE PLAIN
+*
+
+Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021
+---
+ src/lib-auth/auth-client-request.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
+index 480fb42b30..046f7c307d 100644
+--- a/src/lib-auth/auth-client-request.c
++++ b/src/lib-auth/auth-client-request.c
+@@ -186,6 +186,7 @@ void auth_client_request_abort(struct auth_client_request **_request)
+ 
+ 	auth_client_send_cancel(request->conn->client, request->id);
+ 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
++	pool_unref(&request->pool);
+ }
+ 
+ unsigned int auth_client_request_get_id(struct auth_client_request *request)
diff --git a/gnu/packages/patches/dtc-32-bits-check.patch b/gnu/packages/patches/dtc-32-bits-check.patch
deleted file mode 100644
index cf15be3404..0000000000
--- a/gnu/packages/patches/dtc-32-bits-check.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-This fixes tests on 32 bits platforms. Patch taken from upstream.
-
-commit f8872e29ce06d78d3db71b3ab26a7465fc8a9586
-Author: David Gibson <david@gibson.dropbear.id.au>
-Date:   Fri Oct 6 23:07:30 2017 +1100
-
-    tests: Avoid 64-bit arithmetic in assembler
-    
-    For testing we (ab)use the assembler to build us a sample dtb, independent
-    of the other tools (dtc and libfdt) that we're trying to test.  In a few
-    places this uses 64-bit arithmetic to decompose 64-bit constants into
-    the individual bytes in the blob.
-    
-    Unfortunately, it seems that some builds of GNU as don't support >32 bit
-    arithmetic, though it's not entirely clear to me which do and which don't
-    (Fedora i386 does support 64-bit, Debian arm32 doesn't).
-    
-    Anyway, to be safe, this avoids 64-bit arithmetic in assembler at the cost
-    of some extra awkwardness because we have to define the values in 32-bit
-    halves.
-    
-    Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-
-diff --git a/tests/testdata.h b/tests/testdata.h
-index 3588778..f6bbe1d 100644
---- a/tests/testdata.h
-+++ b/tests/testdata.h
-@@ -4,15 +4,25 @@
- #define ASM_CONST_LL(x)	(x##ULL)
- #endif
- 
--#define TEST_ADDR_1	ASM_CONST_LL(0xdeadbeef00000000)
--#define TEST_SIZE_1	ASM_CONST_LL(0x100000)
--#define TEST_ADDR_2	ASM_CONST_LL(123456789)
--#define TEST_SIZE_2	ASM_CONST_LL(010000)
-+#define TEST_ADDR_1H	ASM_CONST_LL(0xdeadbeef)
-+#define TEST_ADDR_1L	ASM_CONST_LL(0x00000000)
-+#define TEST_ADDR_1	((TEST_ADDR_1H << 32) | TEST_ADDR_1L)
-+#define TEST_SIZE_1H	ASM_CONST_LL(0x00000000)
-+#define TEST_SIZE_1L	ASM_CONST_LL(0x00100000)
-+#define TEST_SIZE_1	((TEST_SIZE_1H << 32) | TEST_SIZE_1L)
-+#define TEST_ADDR_2H	ASM_CONST_LL(0)
-+#define TEST_ADDR_2L	ASM_CONST_LL(123456789)
-+#define TEST_ADDR_2	((TEST_ADDR_2H << 32) | TEST_ADDR_2L)
-+#define TEST_SIZE_2H	ASM_CONST_LL(0)
-+#define TEST_SIZE_2L	ASM_CONST_LL(010000)
-+#define TEST_SIZE_2	((TEST_SIZE_2H << 32) | TEST_SIZE_2L)
- 
- #define TEST_VALUE_1	0xdeadbeef
- #define TEST_VALUE_2	123456789
- 
--#define TEST_VALUE64_1	ASM_CONST_LL(0xdeadbeef01abcdef)
-+#define TEST_VALUE64_1H	ASM_CONST_LL(0xdeadbeef)
-+#define TEST_VALUE64_1L	ASM_CONST_LL(0x01abcdef)
-+#define TEST_VALUE64_1	((TEST_VALUE64_1H << 32) | TEST_VALUE64_1L)
- 
- #define PHANDLE_1	0x2000
- #define PHANDLE_2	0x2001
-diff --git a/tests/trees.S b/tests/trees.S
-index 9854d1d..9859914 100644
---- a/tests/trees.S
-+++ b/tests/trees.S
-@@ -7,16 +7,6 @@
- 	.byte	((val) >> 8) & 0xff ; \
- 	.byte	(val) & 0xff	;
- 
--#define FDTQUAD(val) \
--	.byte	((val) >> 56) & 0xff ; \
--	.byte	((val) >> 48) & 0xff ; \
--	.byte	((val) >> 40) & 0xff ; \
--	.byte	((val) >> 32) & 0xff ; \
--	.byte	((val) >> 24) & 0xff ; \
--	.byte	((val) >> 16) & 0xff ; \
--	.byte	((val) >> 8) & 0xff ; \
--	.byte	(val) & 0xff	;
--
- #define TREE_HDR(tree) \
- 	.balign	8		; \
- 	.globl	_##tree		; \
-@@ -33,14 +23,16 @@ tree:	\
- 	FDTLONG(tree##_strings_end - tree##_strings) ; \
- 	FDTLONG(tree##_struct_end - tree##_struct) ;
- 
--#define RSVMAP_ENTRY(addr, len) \
--	FDTQUAD(addr)		; \
--	FDTQUAD(len)		; \
-+#define RSVMAP_ENTRY(addrh, addrl, lenh, lenl) \
-+	FDTLONG(addrh)		; \
-+	FDTLONG(addrl)		; \
-+	FDTLONG(lenh)		; \
-+	FDTLONG(lenl)
- 
- #define EMPTY_RSVMAP(tree) \
- 	.balign	8		; \
- tree##_rsvmap:			; \
--	RSVMAP_ENTRY(0, 0) \
-+	RSVMAP_ENTRY(0, 0, 0, 0) \
- tree##_rsvmap_end:		;
- 
- #define PROPHDR(tree, name, len) \
-@@ -52,9 +44,10 @@ tree##_rsvmap_end:		;
- 	PROPHDR(tree, name, 4) \
- 	FDTLONG(val)		;
- 
--#define PROP_INT64(tree, name, val) \
-+#define PROP_INT64(tree, name, valh, vall) \
- 	PROPHDR(tree, name, 8) \
--	FDTQUAD(val)		;
-+	FDTLONG(valh)		; \
-+	FDTLONG(vall)		;
- 
- #define PROP_STR(tree, name, str) \
- 	PROPHDR(tree, name, 55f - 54f) \
-@@ -81,16 +74,16 @@ tree##_##name:			; \
- 
- 	.balign	8
- test_tree1_rsvmap:
--	RSVMAP_ENTRY(TEST_ADDR_1, TEST_SIZE_1)
--	RSVMAP_ENTRY(TEST_ADDR_2, TEST_SIZE_2)
--	RSVMAP_ENTRY(0, 0)
-+	RSVMAP_ENTRY(TEST_ADDR_1H, TEST_ADDR_1L, TEST_SIZE_1H, TEST_SIZE_1L)
-+	RSVMAP_ENTRY(TEST_ADDR_2H, TEST_ADDR_2L, TEST_SIZE_2H, TEST_SIZE_2L)
-+	RSVMAP_ENTRY(0, 0, 0, 0)
- test_tree1_rsvmap_end:
- 
- test_tree1_struct:
- 	BEGIN_NODE("")
- 	PROP_STR(test_tree1, compatible, "test_tree1")
- 	PROP_INT(test_tree1, prop_int, TEST_VALUE_1)
--	PROP_INT64(test_tree1, prop_int64, TEST_VALUE64_1)
-+	PROP_INT64(test_tree1, prop_int64, TEST_VALUE64_1H, TEST_VALUE64_1L)
- 	PROP_STR(test_tree1, prop_str, TEST_STRING_1)
- 	PROP_INT(test_tree1, address_cells, 1)
- 	PROP_INT(test_tree1, size_cells, 0)
diff --git a/gnu/packages/patches/dtc-format-modifier.patch b/gnu/packages/patches/dtc-format-modifier.patch
deleted file mode 100644
index c33d16857f..0000000000
--- a/gnu/packages/patches/dtc-format-modifier.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-This fixes build on 32 bits platforms. This patch is taken from upstream.
-
-commit 497432fd2131967f349e69dc5d259072151cc4b4
-Author: Thierry Reding <treding@nvidia.com>
-Date:   Wed Sep 27 15:04:09 2017 +0200
-
-    checks: Use proper format modifier for size_t
-    
-    The size of size_t can vary between architectures, so using %ld isn't
-    going to work on 32-bit builds. Use the %zu modifier to make sure it is
-    always correct.
-    
-    Signed-off-by: Thierry Reding <treding@nvidia.com>
-    Acked-by: Rob Herring <robh@kernel.org>
-    Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-
-diff --git a/checks.c b/checks.c
-index 902f2e3..08a3a29 100644
---- a/checks.c
-+++ b/checks.c
-@@ -972,7 +972,7 @@ static void check_property_phandle_args(struct check *c,
- 	int cell, cellsize = 0;
- 
- 	if (prop->val.len % sizeof(cell_t)) {
--		FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %ld in node %s",
-+		FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %zu in node %s",
- 		     prop->name, prop->val.len, sizeof(cell_t), node->fullpath);
- 		return;
- 	}
-@@ -1163,7 +1163,7 @@ static void check_interrupts_property(struct check *c,
- 		return;
- 
- 	if (irq_prop->val.len % sizeof(cell_t))
--		FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %ld in node %s",
-+		FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %zu in node %s",
- 		     irq_prop->name, irq_prop->val.len, sizeof(cell_t),
- 		     node->fullpath);
- 
diff --git a/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch b/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch
new file mode 100644
index 0000000000..b90017fdb4
--- /dev/null
+++ b/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch
@@ -0,0 +1,59 @@
+Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
+
+This patch adds a support for Git repositories hosted on git.savannah.gnu.org.
+
+Upstream bug URL:
+
+https://github.com/rmuslimov/browse-at-remote/pull/46
+
+From cd2ccdaef8b1d97337d790175f71cc3dbcfcff64 Mon Sep 17 00:00:00 2001
+From: Oleg Pykhalov <go.wigust@gmail.com>
+Date: Fri, 26 Jan 2018 00:05:30 +0300
+Subject: [PATCH] Add support for repositories that are hosted on gnu cgit
+
+---
+ browse-at-remote.el | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/browse-at-remote.el b/browse-at-remote.el
+index 66967b3..e210d18 100644
+--- a/browse-at-remote.el
++++ b/browse-at-remote.el
+@@ -44,7 +44,8 @@
+ (defcustom browse-at-remote-remote-type-domains
+   '(("bitbucket.org" ."bitbucket")
+     ("github.com" . "github")
+-    ("gitlab.com" . "gitlab"))
++    ("gitlab.com" . "gitlab")
++    ("git.savannah.gnu.org" . "gnu"))
+   "Alist of domain patterns to remote types."
+ 
+   :type '(alist :key-type (string :tag "Domain")
+@@ -199,6 +200,24 @@ If HEAD is detached, return nil."
+     (if (fboundp formatter)
+         formatter nil)))
+ 
++(defun browse-at-remote-gnu-format-url (repo-url)
++  "Get a gnu formatted URL."
++  (replace-regexp-in-string
++   (concat "https://" (car (rassoc "gnu" browse-at-remote-remote-type-domains))
++           "/\\(git\\).*\\'")
++   "cgit" repo-url nil nil 1))
++
++(defun browse-at-remote--format-region-url-as-gnu (repo-url location filename &optional linestart lineend)
++  "URL formatter for gnu."
++  (let ((repo-url (browse-at-remote-gnu-format-url repo-url)))
++    (cond
++     (linestart (format "%s.git/tree/%s?h=%s#n%d" repo-url filename location linestart))
++     (t (format "%s.git/tree/%s?h=%s" repo-url filename location)))))
++
++(defun browse-at-remote--format-commit-url-as-gnu (repo-url commithash)
++  "Commit URL formatted for gnu"
++  (format "%s.git/commit/?id=%s" (browse-at-remote-gnu-format-url repo-url) commithash))
++
+ (defun browse-at-remote--format-region-url-as-github (repo-url location filename &optional linestart lineend)
+   "URL formatted for github."
+   (cond
+-- 
+2.15.1
+
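Review bot: In `browse-at-remote-gnu-format-url` the domain read from `browse-at-remote-remote-type-domains` is concatenated into the regexp unquoted, so every `.` in `git.savannah.gnu.org` matches any character, and a customised entry containing regexp metacharacters would change what is matched. Quote it with `(regexp-quote (car (rassoc "gnu" browse-at-remote-remote-type-domains)))`. The pattern also hard-codes `https://`, so a remote with any other scheme is returned unchanged and the two formatters then append `.git/tree/...` or `.git/commit/?id=...` to a URL that was never rewritten to `cgit`. `lineend` is accepted but unused in `browse-at-remote--format-region-url-as-gnu`, and the three docstrings would be clearer if they named their arguments.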
diff --git a/gnu/packages/patches/emacs-json-reformat-fix-tests.patch b/gnu/packages/patches/emacs-json-reformat-fix-tests.patch
new file mode 100644
index 0000000000..977e50fc68
--- /dev/null
+++ b/gnu/packages/patches/emacs-json-reformat-fix-tests.patch
@@ -0,0 +1,32 @@
+Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
+
+This patch fixes tests for Emacs 25.
+
+Upstream bug URL:
+
+https://github.com/gongo/json-reformat/issues/33
+
+diff --git a/test/json-reformat-test.el b/test/json-reformat-test.el
+index 7de3be1..b4a4dde 100644
+--- a/test/json-reformat-test.el
++++ b/test/json-reformat-test.el
+@@ -58,7 +58,7 @@
+ (ert-deftest json-reformat-test:string-to-string ()
+   (should (string= "\"foobar\"" (json-reformat:string-to-string "foobar")))
+   (should (string= "\"fo\\\"o\\nbar\"" (json-reformat:string-to-string "fo\"o\nbar")))
+-  (should (string= "\"\\u2661\"" (json-reformat:string-to-string "\u2661")))
++  (should (string= "\"♡\"" (json-reformat:string-to-string "\u2661")))
+ 
+   (should (string= "\"^(amq\\\\.gen.*|amq\\\\.default)$\"" (json-reformat:string-to-string "^(amq\\.gen.*|amq\\.default)$")))
+   )
+@@ -148,6 +148,6 @@ bar\"" (json-reformat:string-to-string "fo\"o\nbar")))
+ [{ foo : \"bar\" }, { \"foo\" : \"baz\" }]") ;; At 3 (line)
+         (json-reformat-region (point-min) (point-max)))
+       (should (string=
+-               "JSON parse error [Reason] Bad string format: \"doesn't start with '\\\"'!\" [Position] In buffer, line 3 (char 6)"
++               "JSON parse error [Reason] Bad string format: \"doesn't start with \`\\\"'!\" [Position] In buffer, line 3 (char 6)"
+                message-string))
+       )))
+-- 
+2.15.1
+
diff --git a/gnu/packages/patches/freetype-CVE-2018-6942.patch b/gnu/packages/patches/freetype-CVE-2018-6942.patch
new file mode 100644
index 0000000000..680f357765
--- /dev/null
+++ b/gnu/packages/patches/freetype-CVE-2018-6942.patch
@@ -0,0 +1,31 @@
+Fix CVE-2018-6942:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
+https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6942.html
+
+Copied from upstream (ChangeLog section removed):
+https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index d855aaa..551f14a 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7532,8 +7532,16 @@
+       return;
+     }
+ 
+-    for ( i = 0; i < num_axes; i++ )
+-      args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++    if ( coords )
++    {
++      for ( i = 0; i < num_axes; i++ )
++        args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++    }
++    else
++    {
++      for ( i = 0; i < num_axes; i++ )
++        args[i] = 0;
++    }
+   }
+ 
+ 
diff --git a/gnu/packages/patches/gcc-4.9-libsanitizer-fix.patch b/gnu/packages/patches/gcc-4.9-libsanitizer-fix.patch
new file mode 100644
index 0000000000..e76caf3e11
--- /dev/null
+++ b/gnu/packages/patches/gcc-4.9-libsanitizer-fix.patch
@@ -0,0 +1,66 @@
+This is a backport of this patch from 6.5 to 4.9:
+
+  https://gcc.gnu.org/git/?p=gcc.git;a=patch;h=8937b94d1a643fd9760714642296d034a45254a8
+
+diff --git a/libsanitizer/sanitizer_common/sanitizer_linux.cc b/libsanitizer/sanitizer_common/sanitizer_linux.cc
+index 69c9c10..8e53673 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_linux.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_linux.cc
+@@ -599,8 +599,7 @@ uptr internal_prctl(int option, uptr arg2, uptr arg3, uptr arg4, uptr arg5) {
+   return internal_syscall(__NR_prctl, option, arg2, arg3, arg4, arg5);
+ }
+ 
+-uptr internal_sigaltstack(const struct sigaltstack *ss,
+-                         struct sigaltstack *oss) {
++uptr internal_sigaltstack(const void *ss, void *oss) {
+   return internal_syscall(__NR_sigaltstack, (uptr)ss, (uptr)oss);
+ }
+ 
+diff --git a/libsanitizer/sanitizer_common/sanitizer_linux.h b/libsanitizer/sanitizer_common/sanitizer_linux.h
+index 6422df1..8a8e526 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_linux.h
++++ b/libsanitizer/sanitizer_common/sanitizer_linux.h
+@@ -18,7 +18,6 @@
+ #include "sanitizer_platform_limits_posix.h"
+ 
+ struct link_map;  // Opaque type returned by dlopen().
+-struct sigaltstack;
+ 
+ namespace __sanitizer {
+ // Dirent structure for getdents(). Note that this structure is different from
+@@ -28,8 +27,7 @@ struct linux_dirent;
+ // Syscall wrappers.
+ uptr internal_getdents(fd_t fd, struct linux_dirent *dirp, unsigned int count);
+ uptr internal_prctl(int option, uptr arg2, uptr arg3, uptr arg4, uptr arg5);
+-uptr internal_sigaltstack(const struct sigaltstack* ss,
+-                          struct sigaltstack* oss);
++uptr internal_sigaltstack(const void *ss, void *oss);
+ uptr internal_sigaction(int signum, const __sanitizer_kernel_sigaction_t *act,
+     __sanitizer_kernel_sigaction_t *oldact);
+ uptr internal_sigprocmask(int how, __sanitizer_kernel_sigset_t *set,
+diff --git a/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc b/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+index 6ee63ec..50c21a3 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+@@ -238,7 +238,7 @@ static int TracerThread(void* argument) {
+ 
+   // Alternate stack for signal handling.
+   InternalScopedBuffer<char> handler_stack_memory(kHandlerStackSize);
+-  struct sigaltstack handler_stack;
++  stack_t handler_stack;
+   internal_memset(&handler_stack, 0, sizeof(handler_stack));
+   handler_stack.ss_sp = handler_stack_memory.data();
+   handler_stack.ss_size = kHandlerStackSize;
+diff --git a/libsanitizer/tsan/tsan_platform_linux.cc b/libsanitizer/tsan/tsan_platform_linux.cc
+index fe69430..49f5270 100644
+--- a/libsanitizer/tsan/tsan_platform_linux.cc
++++ b/libsanitizer/tsan/tsan_platform_linux.cc
+@@ -351,7 +351,7 @@ bool IsGlobalVar(uptr addr) {
+ // closes within glibc. The code is a pure hack.
+ int ExtractResolvFDs(void *state, int *fds, int nfd) {
+   int cnt = 0;
+-  __res_state *statp = (__res_state*)state;
++  struct __res_state *statp = (struct __res_state*)state;
+   for (int i = 0; i < MAXNS && cnt < nfd; i++) {
+     if (statp->_u._ext.nsaddrs[i] && statp->_u._ext.nssocks[i] != -1)
+       fds[cnt++] = statp->_u._ext.nssocks[i];
diff --git a/gnu/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch b/gnu/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch
new file mode 100644
index 0000000000..1838c5bd35
--- /dev/null
+++ b/gnu/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch
@@ -0,0 +1,61 @@
+ghc runtime by default (otherwise depending on a "configure" option)
+does memory allocation on their own by first mmapping a 1 TB range of
+memory into the process and then parceling out chunks from it.
+
+If one of the chunks is not needed, the kernel needs to be informed -
+otherwise the system would quickly run out of available RAM.
+
+ghc does that via madvise(2).
+
+There are two options when doing this informing:
+
+MADV_FREE - Means "I don't need this range or the data in it any more". 
+Kernel promises to fail later accesses to it.
+
+MADV_DONTNEED - Means "I don't need this range right now - and I don't
+need the data in it anymore". Kernel promises to make later accesses to
+it succeed (if necessary by providing a new page initialized with zeroes).
+
+MADV_FREE was introduced in Linux 4.5.
+glibc 2.25 and later always define MADV_FREE.
+
+Unpatched ghc 8.0.2 will use either MADV_FREE or MADV_DONTNEED, determined
+at ghc compile time.  Which of them will actually succeed is determined
+by the Linux kernel at run time.
+
+This patch makes ghc try MADV_FREE.  If it doesn't work, it falls back to
+MADV_DONTNEED.
+
+The end result is that ghc programs free their memory with Linux < 4.5 again.
+
+See https://git.haskell.org/ghc.git/commitdiff/6576bf83cdf4eac05eb88a24aa934a736c91e3da for more information.
+--- a/rts/posix/OSMem.c
++++ b/rts/posix/OSMem.c
+@@ -541,11 +541,24 @@ void osDecommitMemory(void *at, W_ size)
+ 
+ #ifdef MADV_FREE
+     // Try MADV_FREE first, FreeBSD has both and MADV_DONTNEED
+-    // just swaps memory out
++    // just swaps memory out. Linux >= 4.5 has both DONTNEED and FREE; either
++    // will work as they both allow the system to free anonymous pages.
++    // It is important that we try both methods as the kernel which we were
++    // built on may differ from the kernel we are now running on.
+     r = madvise(at, size, MADV_FREE);
+-#else
+-    r = madvise(at, size, MADV_DONTNEED);
++    if(r < 0) {
++        if (errno == EINVAL) {
++            // Perhaps the system doesn't support MADV_FREE; fall-through and
++            // try MADV_DONTNEED.
++        } else {
++            sysErrorBelch("unable to decommit memory");
++        }
++    } else {
++        return;
++    }
+ #endif
++
++    r = madvise(at, size, MADV_DONTNEED);
+     if(r < 0)
+         sysErrorBelch("unable to decommit memory");
+ }
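Review bot: The header text says of MADV_FREE that the "Kernel promises to fail later accesses to it", which does not match madvise(2): the range stays mapped, pages are reclaimed lazily, and a later read returns either the old contents or a zero-filled page, while a write cancels the pending free. I would reword that paragraph to something like `MADV_FREE - Means "I don't need the data in this range any more". The kernel may reclaim the pages lazily; later accesses still succeed.` Separately, in the patched `osDecommitMemory` a MADV_FREE failure with an errno other than EINVAL calls `sysErrorBelch` and, as far as the hunk shows, still continues to the `madvise(at, size, MADV_DONTNEED)` call, so the "fall-through" comment really applies to both branches. A one-line comment in the `else` branch, e.g. `// reported above; MADV_DONTNEED is still attempted below`, would make that explicit.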
diff --git a/gnu/packages/patches/gpsbabel-minizip.patch b/gnu/packages/patches/gpsbabel-minizip.patch
new file mode 100644
index 0000000000..8f3bb36f57
--- /dev/null
+++ b/gnu/packages/patches/gpsbabel-minizip.patch
@@ -0,0 +1,13 @@
+Patch taken from https://sources.debian.org/data/main/g/gpsbabel/1.5.3-2/debian/patches/use_minizip.
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -120,7 +120,7 @@ LIBOBJS = queue.o route.o waypt.o filter
+ 	  src/core/usasciicodec.o\
+ 	  src/core/ziparchive.o \
+ 	  $(GARMIN) $(JEEPS) $(SHAPE) @ZLIB@ $(FMTS) $(FILTERS)
+-OBJS = main.o globals.o $(LIBOBJS) @FILEINFO@
++OBJS = main.o globals.o $(MINIZIP) $(LIBOBJS) @FILEINFO@
+ 
+ DEPFILES = $(OBJS:.o=.d)
+ 
\ No newline at end of file
diff --git a/gnu/packages/patches/gpsbabel-qstring.patch b/gnu/packages/patches/gpsbabel-qstring.patch
new file mode 100644
index 0000000000..8ba1a7213b
--- /dev/null
+++ b/gnu/packages/patches/gpsbabel-qstring.patch
@@ -0,0 +1,69 @@
+Extracted from following patch of gpsbabel:
+https://github.com/gpsbabel/gpsbabel/commit/604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3
+
+From 604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3 Mon Sep 17 00:00:00 2001
+From: Harel Mazor <harel.mazor@gmail.com>
+Date: Tue, 24 Jan 2017 00:35:04 +0200
+Subject: [PATCH] Added geojson read capablity, moved magic strings to
+ constants, fixed windows compilation issues.
+
+--- a/tef_xml.cc
++++ b/tef_xml.cc
+@@ -72,11 +72,11 @@ tef_start(xg_string args, const QXmlStreamAttributes* attrv)
+   bool valid = false;
+ 
+   foreach(QXmlStreamAttribute attr, *attrv) {
+-    if (attr.name().compare("Comment", Qt::CaseInsensitive) == 0) {
+-      if (attr.value().compare("TourExchangeFormat", Qt::CaseInsensitive) == 0) {
++    if (attr.name().compare(QString("Comment"), Qt::CaseInsensitive) == 0) {
++      if (attr.value().compare(QString("TourExchangeFormat"), Qt::CaseInsensitive) == 0) {
+         valid = true;
+       }
+-    } else if (attr.name().compare("Version", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Version"), Qt::CaseInsensitive) == 0) {
+       version = attr.value().toString().toDouble();
+     }
+   }
+@@ -95,9 +95,9 @@ tef_header(xg_string args, const QXmlStreamAttributes* attrv)
+ {
+   route = route_head_alloc();
+   foreach(QXmlStreamAttribute attr, *attrv) {
+-    if (attr.name().compare("Name", Qt::CaseInsensitive) == 0) {
++    if (attr.name().compare(QString("Name"), Qt::CaseInsensitive) == 0) {
+       route->rte_name = attr.value().toString().trimmed();
+-    } else if (attr.name().compare("Software", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Software"), Qt::CaseInsensitive) == 0) {
+       route->rte_desc = attr.value().toString().trimmed();
+     }
+   }
+@@ -248,20 +248,20 @@ tef_item_start(xg_string args, const QXmlStreamAttributes* attrv)
+     QString attrstr = attr.value().toString();
+     QByteArray attrtext = attrstr.toUtf8();
+ 
+-    if (attr.name().compare("SegDescription", Qt::CaseInsensitive) == 0) {
++    if (attr.name().compare(QString("SegDescription"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->shortname = attrstr.trimmed();
+-    } else if (attr.name().compare("PointDescription", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("PointDescription"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->description = attrstr.trimmed();
+-    } else if (attr.name().compare("ViaStation", Qt::CaseInsensitive) == 0 &&
+-               attr.value().compare("true", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("ViaStation"), Qt::CaseInsensitive) == 0 &&
++               attr.value().compare(QString("true"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->wpt_flags.fmt_use = 1;  /* only a flag */
+ 
+       /* new in TEF V2 */
+-    } else if (attr.name().compare("Instruction", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Instruction"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->description = attrstr.trimmed();
+-    } else if (attr.name().compare("Altitude", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("Altitude"), Qt::CaseInsensitive) == 0) {
+       wpt_tmp->altitude = attrstr.toDouble();
+-    } else if (attr.name().compare("TimeStamp", Qt::CaseInsensitive) == 0) {
++    } else if (attr.name().compare(QString("TimeStamp"), Qt::CaseInsensitive) == 0) {
+       /* nothing for the moment */
+     }
+   }
+-- 
+2.16.1
+
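Review bot: The header of this patch file names the upstream commit it was extracted from but not what the extract fixes, and the quoted subject ("Added geojson read capablity, moved magic strings to constants, fixed windows compilation issues") describes a much larger change than the single `tef_xml.cc` file kept here. From the hunks this looks like a build fix that wraps the string literals passed to `compare()` in `QString(...)`, presumably for a newer Qt, but that is inferred rather than stated. I would add one line at the top such as `Fix compilation of tef_xml.cc: pass QString instead of a bare string literal to compare().` so the next maintainer knows when the patch can be dropped.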
diff --git a/gnu/packages/patches/gzdoom-search-in-installed-share.patch b/gnu/packages/patches/gzdoom-search-in-installed-share.patch
new file mode 100644
index 0000000000..f312686566
--- /dev/null
+++ b/gnu/packages/patches/gzdoom-search-in-installed-share.patch
@@ -0,0 +1,23 @@
+Lookup gzdoom pk3 files in the installed directory in
+addition to the path that is stored in ~/.config/gzdoom/.
+
+Simply replacing the hardcoded /usr/share would leave the
+configfile pointing to outdated guix builds, which could get
+garbage collected and break the gzdoom installation.
+This ensures that the files installed with the corresponding
+build will be used.
+
+--- /src/d_main.cpp	2018-01-16 22:13:09.700602781 +0200
++++ /src/d_main.cpp	2018-01-16 22:22:36.560617961 +0200
+@@ -1716,6 +1716,11 @@
+ 		return wad;
+ 	}
+ 
++    mysnprintf (wad, countof(wad), "%s/%s", GUIX_OUT_PK3, file);
++    if (DirEntryExists (wad)) {
++        return wad;
++    }
++
+ 	if (GameConfig != NULL && GameConfig->SetSection ("FileSearch.Directories"))
+ 	{
+ 		const char *key;
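Review bot: `GUIX_OUT_PK3` is used in the added `mysnprintf (wad, countof(wad), "%s/%s", GUIX_OUT_PK3, file);` call but is not defined anywhere in this patch, so the file only compiles if the package definition passes it as a preprocessor define. The header text should say so, for example `GUIX_OUT_PK3 must be defined at build time to the installed pk3 directory.`, or the added lines could be wrapped in `#ifdef GUIX_OUT_PK3` / `#endif`. The five added lines are also indented with spaces while the surrounding context uses tabs. The enclosing function starts and ends outside the hunk, so how the earlier `return wad;` lookups handle a truncated path cannot be compared from here.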
diff --git a/gnu/packages/patches/hwloc-tests-without-sysfs.patch b/gnu/packages/patches/hwloc-tests-without-sysfs.patch
new file mode 100644
index 0000000000..ea6ec41616
--- /dev/null
+++ b/gnu/packages/patches/hwloc-tests-without-sysfs.patch
@@ -0,0 +1,42 @@
+Fix a test failure in the build environment, where /sys is missing.
+From <https://github.com/bgoglin/hwloc/commit/a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf.patch>.
+
+From a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf Mon Sep 17 00:00:00 2001
+From: Brice Goglin <Brice.Goglin@inria.fr>
+Date: Tue, 6 Feb 2018 17:13:26 +0100
+Subject: [PATCH] linux: honor the filtering cores and packages when reading
+ topology from cpuinfo
+
+Caused a make check crash in lstopo --filter all:none in chroot without sysfs.
+
+Thanks to Ludovic Courtes for the report.
+
+Signed-off-by: Brice Goglin <Brice.Goglin@inria.fr>
+---
+ hwloc/topology-linux.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c
+index 290da0d72..e1bbf94e1 100644
+--- a/hwloc/topology-linux.c
++++ b/hwloc/topology-linux.c
+@@ -4101,7 +4101,8 @@ look_cpuinfo(struct hwloc_topology *topology,
+     }
+   /* create package objects */
+   hwloc_debug("%u pkgs%s\n", numpkgs, missingpkg ? ", but some missing package" : "");
+-  if (!missingpkg && numpkgs>0) {
++  if (!missingpkg && numpkgs>0
++      && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_PACKAGE)) {
+     for (i = 0; i < numpkgs; i++) {
+       struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_PACKAGE, Lpkg_to_Ppkg[i]);
+       int doneinfos = 0;
+@@ -4145,7 +4146,8 @@ look_cpuinfo(struct hwloc_topology *topology,
+     }
+   /* create Core objects */
+   hwloc_debug("%u cores%s\n", numcores, missingcore ? ", but some missing core" : "");
+-  if (!missingcore && numcores>0) {
++  if (!missingcore && numcores>0
++      && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_CORE)) {
+     for (i = 0; i < numcores; i++) {
+       struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_CORE, Lcore_to_Pcore[i]);
+       obj->cpuset = hwloc_bitmap_alloc();
diff --git a/gnu/packages/patches/icecat-bug-1427870-spectre-mitigation.patch b/gnu/packages/patches/icecat-bug-1427870-spectre-mitigation.patch
deleted file mode 100644
index 6b088286cb..0000000000
--- a/gnu/packages/patches/icecat-bug-1427870-spectre-mitigation.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Mitigate Spectre by reducing the resolution of performance.now() to 20
-microseconds.  Based on:
-
-  https://hg.mozilla.org/releases/mozilla-release/rev/afa87f9be3a8
-
-For more details, see:
-
-  https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
-
-This patch was modified to apply cleanly to GNU IceCat.
-
-
-# HG changeset patch
-# User Tom Ritter <tom@mozilla.com>
-# Date 1514660820 21600
-# Node ID afa87f9be3a8852da3a30f286b15ae599c7874f6
-# Parent  6caa457ebedc915b43dc1d054b8fe22e82ca7447
-Bug 1427870 - Change resolution of .now() to 20us. r=bkelly, a=lizzard
-
-The comment about workers was introduced in Bug 1186489 but became obsolete some time after that
-(definitely by Bug 1278838)
-
-diff --git a/dom/performance/Performance.cpp b/dom/performance/Performance.cpp
---- a/dom/performance/Performance.cpp
-+++ b/dom/performance/Performance.cpp
-@@ -234,20 +234,19 @@ Performance::ClearResourceTimings()
- {
-   MOZ_ASSERT(NS_IsMainThread());
-   mResourceEntries.Clear();
- }
- 
- DOMHighResTimeStamp
- Performance::RoundTime(double aTime) const
- {
--  // Round down to the nearest 5us, because if the timer is too accurate people
--  // can do nasty timing attacks with it.  See similar code in the worker
--  // Performance implementation.
--  const double maxResolutionMs = 0.005;
-+  // Round down to the nearest 20us, because if the timer is too accurate people
-+  // can do nasty timing attacks with it.
-+  const double maxResolutionMs = 0.020;
-   return floor(aTime / maxResolutionMs) * maxResolutionMs;
- }
- 
- 
- void
- Performance::Mark(const nsAString& aName, ErrorResult& aRv)
- {
-   // Don't add the entry if the buffer is full. XXX should be removed by bug 1159003.
diff --git a/gnu/packages/patches/icecat-glibc-2.26.patch b/gnu/packages/patches/icecat-glibc-2.26.patch
deleted file mode 100644
index 45ebd5f700..0000000000
--- a/gnu/packages/patches/icecat-glibc-2.26.patch
+++ /dev/null
@@ -1,261 +0,0 @@
-Fix compilation with glibc 2.26. Patch found
-at <https://aur.archlinux.org/cgit/aur.git/plain/glibc-2.26-fix.diff?h=firefox-esr>,
-adjusted so that file names match.
-
-From 6a0b7c8ecf0734ba1bcdccf8e0ee97e721fd5420 Mon Sep 17 00:00:00 2001
-Message-Id: <6a0b7c8ecf0734ba1bcdccf8e0ee97e721fd5420.1505113337.git.jan.steffens@gmail.com>
-From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
-Date: Sat, 19 Aug 2017 20:14:25 +0200
-Subject: [PATCH] Fix use of struct ucontext (squash 2 commits)
-
-Needed for building with glibc 2.26.
-
-Bug 1385667: Use ucontext_t consistently in breakpad-client. r=ted
-MozReview-Commit-ID: AJhzJdNXP0f
-
-Bug 1394149: Fix remaining uses of ucontext in breakpad-client. r=ted
-MozReview-Commit-ID: 5tP7fXsI7dQ
----
- .../linux/dump_writer_common/ucontext_reader.cc    | 30 +++++++++++-----------
- .../linux/dump_writer_common/ucontext_reader.h     | 10 ++++----
- .../linux/handler/exception_handler.cc             | 10 ++++----
- .../linux/handler/exception_handler.h              |  2 +-
- .../linux/microdump_writer/microdump_writer.cc     |  2 +-
- .../linux/minidump_writer/minidump_writer.cc       |  2 +-
- 6 files changed, 28 insertions(+), 28 deletions(-)
-
-diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
-index 999960912e459e1b..303c0ebd32b663c4 100644
---- a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
-+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
-@@ -40,15 +40,15 @@ namespace google_breakpad {
- 
- #if defined(__i386__)
- 
--uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.gregs[REG_ESP];
- }
- 
--uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.gregs[REG_EIP];
- }
- 
--void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
-+void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
-                                     const struct _libc_fpstate* fp) {
-   const greg_t* regs = uc->uc_mcontext.gregs;
- 
-@@ -88,15 +88,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
- 
- #elif defined(__x86_64)
- 
--uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.gregs[REG_RSP];
- }
- 
--uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.gregs[REG_RIP];
- }
- 
--void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
-+void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
-                                     const struct _libc_fpstate* fpregs) {
-   const greg_t* regs = uc->uc_mcontext.gregs;
- 
-@@ -145,15 +145,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
- 
- #elif defined(__ARM_EABI__)
- 
--uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.arm_sp;
- }
- 
--uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.arm_pc;
- }
- 
--void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
-+void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
-   out->context_flags = MD_CONTEXT_ARM_FULL;
- 
-   out->iregs[0] = uc->uc_mcontext.arm_r0;
-@@ -184,41 +184,41 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
- 
- #elif defined(__aarch64__)
- 
--uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.sp;
- }
- 
--uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.pc;
- }
- 
--void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
-+void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
-                                     const struct fpsimd_context* fpregs) {
-   out->context_flags = MD_CONTEXT_ARM64_FULL;
- 
-   out->cpsr = static_cast<uint32_t>(uc->uc_mcontext.pstate);
-   for (int i = 0; i < MD_CONTEXT_ARM64_REG_SP; ++i)
-     out->iregs[i] = uc->uc_mcontext.regs[i];
-   out->iregs[MD_CONTEXT_ARM64_REG_SP] = uc->uc_mcontext.sp;
-   out->iregs[MD_CONTEXT_ARM64_REG_PC] = uc->uc_mcontext.pc;
- 
-   out->float_save.fpsr = fpregs->fpsr;
-   out->float_save.fpcr = fpregs->fpcr;
-   my_memcpy(&out->float_save.regs, &fpregs->vregs,
-       MD_FLOATINGSAVEAREA_ARM64_FPR_COUNT * 16);
- }
- 
- #elif defined(__mips__)
- 
--uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.gregs[MD_CONTEXT_MIPS_REG_SP];
- }
- 
--uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
-+uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
-   return uc->uc_mcontext.pc;
- }
- 
--void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
-+void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
- #if _MIPS_SIM == _ABI64
-   out->context_flags = MD_CONTEXT_MIPS64_FULL;
- #elif _MIPS_SIM == _ABIO32
-diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
-index c533e28ba7441e83..039752a2dfb6e589 100644
---- a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
-+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
-@@ -41,21 +41,21 @@ namespace google_breakpad {
- 
- // Wraps platform-dependent implementations of accessors to ucontext structs.
- struct UContextReader {
--  static uintptr_t GetStackPointer(const struct ucontext* uc);
-+  static uintptr_t GetStackPointer(const ucontext_t* uc);
- 
--  static uintptr_t GetInstructionPointer(const struct ucontext* uc);
-+  static uintptr_t GetInstructionPointer(const ucontext_t* uc);
- 
-   // Juggle a arch-specific ucontext into a minidump format
-   //   out: the minidump structure
-   //   info: the collection of register structures.
- #if defined(__i386__) || defined(__x86_64)
--  static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
-+  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
-                              const struct _libc_fpstate* fp);
- #elif defined(__aarch64__)
--  static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
-+  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
-                              const struct fpsimd_context* fpregs);
- #else
--  static void FillCPUContext(RawContextCPU *out, const ucontext *uc);
-+  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc);
- #endif
- };
- 
-diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
-index 71a51a763938e39d..12df9bc96ec45fea 100644
---- a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
-+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
-@@ -439,44 +439,44 @@ bool ExceptionHandler::HandleSignal(int sig, siginfo_t* info, void* uc) {
-   // Fill in all the holes in the struct to make Valgrind happy.
-   memset(&g_crash_context_, 0, sizeof(g_crash_context_));
-   memcpy(&g_crash_context_.siginfo, info, sizeof(siginfo_t));
--  memcpy(&g_crash_context_.context, uc, sizeof(struct ucontext));
-+  memcpy(&g_crash_context_.context, uc, sizeof(ucontext_t));
- #if defined(__aarch64__)
--  struct ucontext* uc_ptr = (struct ucontext*)uc;
-+  ucontext_t* uc_ptr = (ucontext_t*)uc;
-   struct fpsimd_context* fp_ptr =
-       (struct fpsimd_context*)&uc_ptr->uc_mcontext.__reserved;
-   if (fp_ptr->head.magic == FPSIMD_MAGIC) {
-     memcpy(&g_crash_context_.float_state, fp_ptr,
-            sizeof(g_crash_context_.float_state));
-   }
- #elif !defined(__ARM_EABI__) && !defined(__mips__)
-   // FP state is not part of user ABI on ARM Linux.
--  // In case of MIPS Linux FP state is already part of struct ucontext
-+  // In case of MIPS Linux FP state is already part of ucontext_t
-   // and 'float_state' is not a member of CrashContext.
--  struct ucontext* uc_ptr = (struct ucontext*)uc;
-+  ucontext_t* uc_ptr = (ucontext_t*)uc;
-   if (uc_ptr->uc_mcontext.fpregs) {
-     memcpy(&g_crash_context_.float_state, uc_ptr->uc_mcontext.fpregs,
-            sizeof(g_crash_context_.float_state));
-   }
- #endif
-   g_crash_context_.tid = syscall(__NR_gettid);
-   if (crash_handler_ != NULL) {
-     if (crash_handler_(&g_crash_context_, sizeof(g_crash_context_),
-                        callback_context_)) {
-       return true;
-     }
-   }
-   return GenerateDump(&g_crash_context_);
- }
- 
- // This is a public interface to HandleSignal that allows the client to
- // generate a crash dump. This function may run in a compromised context.
- bool ExceptionHandler::SimulateSignalDelivery(int sig) {
-   siginfo_t siginfo = {};
-   // Mimic a trusted signal to allow tracing the process (see
-   // ExceptionHandler::HandleSignal().
-   siginfo.si_code = SI_USER;
-   siginfo.si_pid = getpid();
--  struct ucontext context;
-+  ucontext_t context;
-   getcontext(&context);
-   return HandleSignal(sig, &siginfo, &context);
- }
-diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
-index 711586fec7ddae59..be1880170e2826b0 100644
---- a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
-+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
-@@ -191,7 +191,7 @@ class ExceptionHandler {
-   struct CrashContext {
-     siginfo_t siginfo;
-     pid_t tid;  // the crashing thread.
--    struct ucontext context;
-+    ucontext_t context;
- #if !defined(__ARM_EABI__) && !defined(__mips__)
-     // #ifdef this out because FP state is not part of user ABI for Linux ARM.
-     // In case of MIPS Linux FP state is already part of struct
-diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
-index ff20bf36584c876b..a0b90e08fc5f0cff 100644
---- a/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
-+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
-@@ -571,7 +571,7 @@ class MicrodumpWriter {
- 
-   void* Alloc(unsigned bytes) { return dumper_->allocator()->Alloc(bytes); }
- 
--  const struct ucontext* const ucontext_;
-+  const ucontext_t* const ucontext_;
- #if !defined(__ARM_EABI__) && !defined(__mips__)
-   const google_breakpad::fpstate_t* const float_state_;
- #endif
-diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
-index 0650bb95c179464a..6b5304bcd605ca3a 100644
---- a/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
-+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
-@@ -1247,7 +1247,7 @@ class MinidumpWriter {
-   const int fd_;  // File descriptor where the minidum should be written.
-   const char* path_;  // Path to the file where the minidum should be written.
- 
--  const struct ucontext* const ucontext_;  // also from the signal handler
-+  const ucontext_t* const ucontext_;  // also from the signal handler
- #if !defined(__ARM_EABI__) && !defined(__mips__)
-   const google_breakpad::fpstate_t* const float_state_;  // ditto
- #endif
--- 
-2.14.1
diff --git a/gnu/packages/patches/icecat-use-system-graphite2.patch b/gnu/packages/patches/icecat-use-system-graphite2.patch
new file mode 100644
index 0000000000..188fba2bc9
--- /dev/null
+++ b/gnu/packages/patches/icecat-use-system-graphite2.patch
@@ -0,0 +1,248 @@
+Copied from <https://reviewboard.mozilla.org/r/90218/diff/4>
+See <https://bugzilla.mozilla.org/show_bug.cgi?id=847568>
+
+diff --git a/config/Makefile.in b/config/Makefile.in
+--- a/config/Makefile.in
++++ b/config/Makefile.in
+@@ -36,16 +36,17 @@ ifdef WRAP_SYSTEM_INCLUDES
+ export-preqs = \
+   $(call mkdir_deps,system_wrappers) \
+   $(NULL)
+ 
+ export:: $(export-preqs)
+ 	$(PYTHON) -m mozbuild.action.preprocessor $(DEFINES) $(ACDEFINES) \
+ 		-DMOZ_TREE_CAIRO=$(MOZ_TREE_CAIRO) \
+ 		-DMOZ_TREE_PIXMAN=$(MOZ_TREE_PIXMAN) \
++		-DMOZ_SYSTEM_GRAPHITE2=$(MOZ_SYSTEM_GRAPHITE2) \
+ 		-DMOZ_SYSTEM_HARFBUZZ=$(MOZ_SYSTEM_HARFBUZZ) \
+ 		-DMOZ_SYSTEM_HUNSPELL=$(MOZ_SYSTEM_HUNSPELL) \
+ 		-DMOZ_SYSTEM_BZ2=$(MOZ_SYSTEM_BZ2) \
+ 		-DMOZ_SYSTEM_ZLIB=$(MOZ_SYSTEM_ZLIB) \
+ 		-DMOZ_SYSTEM_PNG=$(MOZ_SYSTEM_PNG) \
+ 		-DMOZ_SYSTEM_JPEG=$(MOZ_SYSTEM_JPEG) \
+ 		-DMOZ_SYSTEM_LIBEVENT=$(MOZ_SYSTEM_LIBEVENT) \
+ 		-DMOZ_SYSTEM_LIBVPX=$(MOZ_SYSTEM_LIBVPX) \
+diff --git a/config/system-headers b/config/system-headers
+--- a/config/system-headers
++++ b/config/system-headers
+@@ -1260,16 +1260,20 @@ zlib.h
+ #ifdef MOZ_ENABLE_STARTUP_NOTIFICATION
+ libsn/sn.h
+ libsn/sn-common.h
+ libsn/sn-launchee.h
+ libsn/sn-launcher.h
+ libsn/sn-monitor.h
+ libsn/sn-util.h
+ #endif
++#if MOZ_SYSTEM_GRAPHITE2==1
++graphite2/Font.h
++graphite2/Segment.h
++#endif
+ #if MOZ_SYSTEM_HARFBUZZ==1
+ harfbuzz/hb-glib.h
+ harfbuzz/hb-ot.h
+ harfbuzz/hb.h
+ #endif
+ #if MOZ_SYSTEM_HUNSPELL==1
+ hunspell.hxx
+ #endif
+diff --git a/gfx/graphite2/moz-gr-update.sh b/gfx/graphite2/moz-gr-update.sh
+--- a/gfx/graphite2/moz-gr-update.sh
++++ b/gfx/graphite2/moz-gr-update.sh
+@@ -1,11 +1,12 @@
+ #!/bin/bash
+ 
+ # Script used to update the Graphite2 library in the mozilla source tree
++# and bump version for --with-system-graphite2
+ 
+ # This script lives in gfx/graphite2, along with the library source,
+ # but must be run from the top level of the mozilla-central tree.
+ 
+ # Run as
+ #
+ #    ./gfx/graphite2/moz-gr-update.sh RELEASE
+ #
+@@ -32,22 +33,26 @@ echo "This directory contains the Graphi
+ echo "$TARBALL" >> gfx/graphite2/README.mozilla
+ echo ""
+ echo "See" $0 "for update procedure." >> gfx/graphite2/README.mozilla
+ 
+ # fix up includes because of bug 721839 (cstdio) and bug 803066 (Windows.h)
+ #find gfx/graphite2/ -name "*.cpp" -exec perl -p -i -e "s/<cstdio>/<stdio.h>/;s/Windows.h/windows.h/;" {} \;
+ #find gfx/graphite2/ -name "*.h" -exec perl -p -i -e "s/<cstdio>/<stdio.h>/;s/Windows.h/windows.h/;" {} \;
+ 
++# chase version for --with-system-graphite2
++perl -p -i -e "s/[0-9]+\,[0-9]+\,[0-9]+/$RELEASE/ and tr/./,/ \
++  if /GR2_VERSION_REQUIRE/" old-configure.in
++
+ # summarize what's been touched
+ echo Updated to $RELEASE.
+ echo Here is what changed in the gfx/graphite2 directory:
+ echo
+ 
+-hg stat gfx/graphite2
++hg stat old-configure.in gfx/graphite2
+ 
+ echo
+ echo If gfx/graphite2/src/files.mk has changed, please make corresponding
+ echo changes to gfx/graphite2/src/moz.build
+ echo
+ 
+ echo
+ echo Now use hg commands to create a patch for the mozilla tree.
+diff --git a/gfx/moz.build b/gfx/moz.build
+--- a/gfx/moz.build
++++ b/gfx/moz.build
+@@ -2,28 +2,30 @@
+ # vim: set filetype=python:
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ if CONFIG['MOZ_TREE_CAIRO']:
+     DIRS += ['cairo']
+ 
++if not CONFIG['MOZ_SYSTEM_GRAPHITE2']:
++    DIRS += ['graphite2/src' ]
++
+ if not CONFIG['MOZ_SYSTEM_HARFBUZZ']:
+     DIRS += ['harfbuzz/src']
+ 
+ DIRS += [
+     '2d',
+     'ycbcr',
+     'angle',
+     'src',
+     'qcms',
+     'gl',
+     'layers',
+-    'graphite2/src',
+     'ots/src',
+     'thebes',
+     'ipc',
+     'vr',
+     'config',
+ ]
+ 
+ if CONFIG['MOZ_ENABLE_SKIA']:
+diff --git a/gfx/thebes/moz.build b/gfx/thebes/moz.build
+--- a/gfx/thebes/moz.build
++++ b/gfx/thebes/moz.build
+@@ -261,16 +261,19 @@ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('and
+     CXXFLAGS += CONFIG['CAIRO_FT_CFLAGS']
+ 
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3'):
+     CXXFLAGS += CONFIG['MOZ_PANGO_CFLAGS']
+ 
+ LOCAL_INCLUDES += CONFIG['SKIA_INCLUDES']
+ LOCAL_INCLUDES += ['/media/libyuv/include']
+ 
+-DEFINES['GRAPHITE2_STATIC'] = True
++if CONFIG['MOZ_SYSTEM_GRAPHITE2']:
++    CXXFLAGS += CONFIG['MOZ_GRAPHITE2_CFLAGS']
++else:
++    DEFINES['GRAPHITE2_STATIC'] = True
+ 
+ if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
+     CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+ 
+ if CONFIG['CLANG_CXX']:
+     # Suppress warnings from Skia header files.
+     SOURCES['gfxPlatform.cpp'].flags += ['-Wno-implicit-fallthrough']
+diff --git a/moz.configure b/moz.configure
+--- a/moz.configure
++++ b/moz.configure
+@@ -260,16 +260,28 @@ def extra_programs(target):
+ 
+ check_prog('DSYMUTIL', delayed_getattr(extra_programs, 'DSYMUTIL'),
+            allow_missing=True)
+ check_prog('GENISOIMAGE', delayed_getattr(extra_programs, 'GENISOIMAGE'),
+            allow_missing=True)
+ check_prog('RPMBUILD', delayed_getattr(extra_programs, 'RPMBUILD'),
+            allow_missing=True)
+ 
++option('--with-system-graphite2',
++       help="Use system graphite2 (located with pkgconfig)")
++
++@depends('--with-system-graphite2', compile_environment)
++def check_for_graphite2(value, compile_env):
++    return value and compile_env
++
++system_graphite2 = pkg_check_modules('MOZ_GRAPHITE2', 'graphite2',
++                                    check_for_graphite2)
++
++set_config('MOZ_SYSTEM_GRAPHITE2', depends_if(system_graphite2)(lambda _: True))
++
+ option('--with-system-harfbuzz',
+        help="Use system harfbuzz (located with pkgconfig)")
+ 
+ @depends('--with-system-harfbuzz', compile_environment)
+ def check_for_harfbuzz(value, compile_env):
+     return value and compile_env
+ 
+ system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.3.3',
+diff --git a/old-configure.in b/old-configure.in
+--- a/old-configure.in
++++ b/old-configure.in
+@@ -5060,16 +5060,37 @@ if test "$USE_FC_FREETYPE"; then
+         CPPFLAGS="$CPPFLAGS $FT2_CFLAGS $XCFLAGS"
+         MOZ_CHECK_HEADERS([fontconfig/fcfreetype.h], ,
+             [AC_MSG_ERROR(Can't find header fontconfig/fcfreetype.h.)], [#include <fontconfig/fontconfig.h>])
+         CPPFLAGS="$_SAVE_CPPFLAGS"
+     fi
+ fi
+ 
+ dnl ========================================================
++dnl Check for graphite2
++dnl ========================================================
++if test -n "$MOZ_SYSTEM_GRAPHITE2"; then
++    dnl graphite2.pc has bogus version, check manually
++    _SAVE_CFLAGS=$CFLAGS
++    CFLAGS="$CFLAGS $MOZ_GRAPHITE2_CFLAGS"
++    AC_TRY_COMPILE([ #include <graphite2/Font.h>
++                     #define GR2_VERSION_REQUIRE(major,minor,bugfix)  \
++                             ( GR2_VERSION_MAJOR * 10000 + GR2_VERSION_MINOR \
++                               * 100 + GR2_VERSION_BUGFIX >= \
++                               (major) * 10000 + (minor) * 100 + (bugfix) )
++                   ], [
++                     #if !GR2_VERSION_REQUIRE(1,3,8)
++                     #error "Insufficient graphite2 version."
++                     #endif
++                   ], [],
++                   [AC_MSG_ERROR([--with-system-graphite2 requested but no working libgraphite2 found])])
++    CFLAGS=$_SAVE_CFLAGS
++fi
++
++dnl ========================================================
+ dnl Check for pixman and cairo
+ dnl ========================================================
+ 
+ MOZ_TREE_CAIRO=1
+ MOZ_ARG_ENABLE_BOOL(system-cairo,
+ [  --enable-system-cairo   Use system cairo (located with pkgconfig)],
+ MOZ_TREE_CAIRO=,
+ MOZ_TREE_CAIRO=1 )
+diff --git a/toolkit/library/moz.build b/toolkit/library/moz.build
+--- a/toolkit/library/moz.build
++++ b/toolkit/library/moz.build
+@@ -221,16 +221,19 @@ if CONFIG['SERVO_TARGET_DIR']:
+         OS_LIBS += ['-L%s' % CONFIG['SERVO_TARGET_DIR'], '-lgeckoservo']
+ 
+ if CONFIG['MOZ_SYSTEM_JPEG']:
+     OS_LIBS += CONFIG['MOZ_JPEG_LIBS']
+ 
+ if CONFIG['MOZ_SYSTEM_PNG']:
+     OS_LIBS += CONFIG['MOZ_PNG_LIBS']
+ 
++if CONFIG['MOZ_SYSTEM_GRAPHITE2']:
++    OS_LIBS += CONFIG['MOZ_GRAPHITE2_LIBS']
++
+ if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
+     OS_LIBS += CONFIG['MOZ_HARFBUZZ_LIBS']
+ 
+ if CONFIG['MOZ_SYSTEM_HUNSPELL']:
+     OS_LIBS += CONFIG['MOZ_HUNSPELL_LIBS']
+ 
+ if CONFIG['MOZ_SYSTEM_LIBEVENT']:
+     OS_LIBS += CONFIG['MOZ_LIBEVENT_LIBS']
+
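Review bot: The minimum system graphite2 version is hard-coded as `#if !GR2_VERSION_REQUIRE(1,3,8)` in the old-configure.in hunk. The only thing that updates it is the `perl -p -i` line added to moz-gr-update.sh, which is run when the bundled copy is refreshed. Since this patch is carried out of tree, that floor will presumably not follow the graphite2 version bundled with later IceCat releases, so a system library older than the bundled one, and lacking its fixes, could still pass the configure check. I would add a line to the patch header such as `Re-check the GR2_VERSION_REQUIRE(1,3,8) floor in old-configure.in against the bundled graphite2 whenever IceCat is updated.`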
diff --git a/gnu/packages/patches/icecat-use-system-harfbuzz.patch b/gnu/packages/patches/icecat-use-system-harfbuzz.patch
new file mode 100644
index 0000000000..083d404c13
--- /dev/null
+++ b/gnu/packages/patches/icecat-use-system-harfbuzz.patch
@@ -0,0 +1,279 @@
+Copied from <https://reviewboard.mozilla.org/r/35763/diff/9>
+See <https://bugzilla.mozilla.org/show_bug.cgi?id=847568>
+
+diff --git a/config/Makefile.in b/config/Makefile.in
+--- a/config/Makefile.in
++++ b/config/Makefile.in
+@@ -36,16 +36,17 @@ ifdef WRAP_SYSTEM_INCLUDES
+ export-preqs = \
+   $(call mkdir_deps,system_wrappers) \
+   $(NULL)
+ 
+ export:: $(export-preqs)
+ 	$(PYTHON) -m mozbuild.action.preprocessor $(DEFINES) $(ACDEFINES) \
+ 		-DMOZ_TREE_CAIRO=$(MOZ_TREE_CAIRO) \
+ 		-DMOZ_TREE_PIXMAN=$(MOZ_TREE_PIXMAN) \
++		-DMOZ_SYSTEM_HARFBUZZ=$(MOZ_SYSTEM_HARFBUZZ) \
+ 		-DMOZ_SYSTEM_HUNSPELL=$(MOZ_SYSTEM_HUNSPELL) \
+ 		-DMOZ_SYSTEM_BZ2=$(MOZ_SYSTEM_BZ2) \
+ 		-DMOZ_SYSTEM_ZLIB=$(MOZ_SYSTEM_ZLIB) \
+ 		-DMOZ_SYSTEM_PNG=$(MOZ_SYSTEM_PNG) \
+ 		-DMOZ_SYSTEM_JPEG=$(MOZ_SYSTEM_JPEG) \
+ 		-DMOZ_SYSTEM_LIBEVENT=$(MOZ_SYSTEM_LIBEVENT) \
+ 		-DMOZ_SYSTEM_LIBVPX=$(MOZ_SYSTEM_LIBVPX) \
+ 		-DMOZ_SYSTEM_ICU=$(MOZ_SYSTEM_ICU) \
+diff --git a/config/system-headers b/config/system-headers
+--- a/config/system-headers
++++ b/config/system-headers
+@@ -1260,16 +1260,21 @@ zlib.h
+ #ifdef MOZ_ENABLE_STARTUP_NOTIFICATION
+ libsn/sn.h
+ libsn/sn-common.h
+ libsn/sn-launchee.h
+ libsn/sn-launcher.h
+ libsn/sn-monitor.h
+ libsn/sn-util.h
+ #endif
++#if MOZ_SYSTEM_HARFBUZZ==1
++harfbuzz/hb-glib.h
++harfbuzz/hb-ot.h
++harfbuzz/hb.h
++#endif
+ #if MOZ_SYSTEM_HUNSPELL==1
+ hunspell.hxx
+ #endif
+ #if MOZ_SYSTEM_BZ2==1
+ bzlib.h
+ #endif
+ #ifdef MOZ_ENABLE_GIO
+ gio/gio.h
+diff --git a/dom/base/moz.build b/dom/base/moz.build
+--- a/dom/base/moz.build
++++ b/dom/base/moz.build
+@@ -474,16 +474,19 @@ for var in ('MOZ_B2G_RIL'):
+         DEFINES[var] = True
+ 
+ if CONFIG['MOZ_BUILD_APP'] in ['browser', 'mobile/android', 'xulrunner']:
+     DEFINES['HAVE_SIDEBAR'] = True
+ 
+ if CONFIG['MOZ_X11']:
+     CXXFLAGS += CONFIG['TK_CFLAGS']
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
++
+ GENERATED_FILES += [
+     'PropertyUseCounterMap.inc',
+     'UseCounterList.h',
+ ]
+ 
+ countermap = GENERATED_FILES['PropertyUseCounterMap.inc']
+ countermap.script = 'gen-usecounters.py:property_map'
+ countermap.inputs = ['UseCounters.conf']
+diff --git a/gfx/harfbuzz/README-mozilla b/gfx/harfbuzz/README-mozilla
+--- a/gfx/harfbuzz/README-mozilla
++++ b/gfx/harfbuzz/README-mozilla
+@@ -14,8 +14,13 @@ this file when updating harfbuzz, and ch
+ 
+ The normal approach to updating harfbuzz, therefore, is to pull the latest HB
+ source into a scratch directory and do a local build; then copy the original
+ sources AND the generated header mentioned above from the build directory into
+ the mozilla tree.
+ 
+ If the collection of source files changes, manual updates to moz.build may be
+ needed, as we don't use the upstream makefiles.
++
++The in-tree copy may be omitted during build by --with-system-harfbuzz.
++Make sure to keep pkg-config version check within old-configure.in in sync
++with checkout version or increment latest tag by one if it's not based
++on upstream release.
+diff --git a/gfx/moz.build b/gfx/moz.build
+--- a/gfx/moz.build
++++ b/gfx/moz.build
+@@ -2,26 +2,28 @@
+ # vim: set filetype=python:
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ if CONFIG['MOZ_TREE_CAIRO']:
+     DIRS += ['cairo']
+ 
++if not CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    DIRS += ['harfbuzz/src']
++
+ DIRS += [
+     '2d',
+     'ycbcr',
+     'angle',
+     'src',
+     'qcms',
+     'gl',
+     'layers',
+     'graphite2/src',
+-    'harfbuzz/src',
+     'ots/src',
+     'thebes',
+     'ipc',
+     'vr',
+     'config',
+ ]
+ 
+ if CONFIG['MOZ_ENABLE_SKIA']:
+diff --git a/gfx/skia/generate_mozbuild.py b/gfx/skia/generate_mozbuild.py
+--- a/gfx/skia/generate_mozbuild.py
++++ b/gfx/skia/generate_mozbuild.py
+@@ -138,16 +138,19 @@ if CONFIG['GNU_CXX'] and not CONFIG['CLA
+ if CONFIG['CLANG_CXX'] or CONFIG['CLANG_CL']:
+     CXXFLAGS += [
+         '-Wno-implicit-fallthrough',
+         '-Wno-inconsistent-missing-override',
+         '-Wno-macro-redefined',
+         '-Wno-unused-private-field',
+     ]
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
++
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3', 'android'):
+     CXXFLAGS += CONFIG['MOZ_CAIRO_CFLAGS']
+     CXXFLAGS += CONFIG['CAIRO_FT_CFLAGS']
+ 
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3'):
+     CXXFLAGS += CONFIG['MOZ_PANGO_CFLAGS']
+ """
+ 
+diff --git a/gfx/skia/moz.build b/gfx/skia/moz.build
+--- a/gfx/skia/moz.build
++++ b/gfx/skia/moz.build
+@@ -748,14 +748,17 @@ if CONFIG['GNU_CXX'] and not CONFIG['CLA
+ if CONFIG['CLANG_CXX'] or CONFIG['CLANG_CL']:
+     CXXFLAGS += [
+         '-Wno-implicit-fallthrough',
+         '-Wno-inconsistent-missing-override',
+         '-Wno-macro-redefined',
+         '-Wno-unused-private-field',
+     ]
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
++
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3', 'android'):
+     CXXFLAGS += CONFIG['MOZ_CAIRO_CFLAGS']
+     CXXFLAGS += CONFIG['CAIRO_FT_CFLAGS']
+ 
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3'):
+     CXXFLAGS += CONFIG['MOZ_PANGO_CFLAGS']
+diff --git a/gfx/thebes/moz.build b/gfx/thebes/moz.build
+--- a/gfx/thebes/moz.build
++++ b/gfx/thebes/moz.build
+@@ -263,11 +263,14 @@ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('and
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3'):
+     CXXFLAGS += CONFIG['MOZ_PANGO_CFLAGS']
+ 
+ LOCAL_INCLUDES += CONFIG['SKIA_INCLUDES']
+ LOCAL_INCLUDES += ['/media/libyuv/include']
+ 
+ DEFINES['GRAPHITE2_STATIC'] = True
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
++
+ if CONFIG['CLANG_CXX']:
+     # Suppress warnings from Skia header files.
+     SOURCES['gfxPlatform.cpp'].flags += ['-Wno-implicit-fallthrough']
+diff --git a/intl/unicharutil/util/moz.build b/intl/unicharutil/util/moz.build
+--- a/intl/unicharutil/util/moz.build
++++ b/intl/unicharutil/util/moz.build
+@@ -37,9 +37,12 @@ if CONFIG['_MSC_VER']:
+     DEFINES['_USE_ANSI_CPP'] = True
+     # Don't include directives about which CRT to use
+     CFLAGS += ['-Zl']
+     CXXFLAGS += ['-Zl']
+ 
+ if CONFIG['ENABLE_INTL_API']:
+     USE_LIBS += ['icu']
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
++
+ DIST_INSTALL = True
+diff --git a/moz.configure b/moz.configure
+--- a/moz.configure
++++ b/moz.configure
+@@ -260,16 +260,28 @@ def extra_programs(target):
+ 
+ check_prog('DSYMUTIL', delayed_getattr(extra_programs, 'DSYMUTIL'),
+            allow_missing=True)
+ check_prog('GENISOIMAGE', delayed_getattr(extra_programs, 'GENISOIMAGE'),
+            allow_missing=True)
+ check_prog('RPMBUILD', delayed_getattr(extra_programs, 'RPMBUILD'),
+            allow_missing=True)
+ 
++option('--with-system-harfbuzz',
++       help="Use system harfbuzz (located with pkgconfig)")
++
++@depends('--with-system-harfbuzz', compile_environment)
++def check_for_harfbuzz(value, compile_env):
++    return value and compile_env
++
++system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.3.3',
++                                    check_for_harfbuzz)
++
++set_config('MOZ_SYSTEM_HARFBUZZ', depends_if(system_harfbuzz)(lambda _: True))
++
+ option('--enable-system-hunspell',
+        help="Use system hunspell (located with pkgconfig)")
+ 
+ @depends('--enable-system-hunspell', compile_environment)
+ def check_for_hunspell(value, compile_env):
+     return value and compile_env
+ 
+ system_hunspell = pkg_check_modules('MOZ_HUNSPELL', 'hunspell',
+diff --git a/netwerk/dns/moz.build b/netwerk/dns/moz.build
+--- a/netwerk/dns/moz.build
++++ b/netwerk/dns/moz.build
+@@ -61,16 +61,19 @@ etld_data = GENERATED_FILES['etld_data.i
+ etld_data.script = 'prepare_tlds.py'
+ etld_data.inputs = ['effective_tld_names.dat']
+ 
+ # need to include etld_data.inc
+ LOCAL_INCLUDES += [
+     '/netwerk/base',
+ ]
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
++
+ if CONFIG['ENABLE_INTL_API']:
+     DEFINES['IDNA2008'] = True
+     USE_LIBS += ['icu']
+ else:
+     UNIFIED_SOURCES += [
+         'nameprep.c',
+     ]
+ 
+diff --git a/toolkit/library/moz.build b/toolkit/library/moz.build
+--- a/toolkit/library/moz.build
++++ b/toolkit/library/moz.build
+@@ -221,16 +221,19 @@ if CONFIG['SERVO_TARGET_DIR']:
+         OS_LIBS += ['-L%s' % CONFIG['SERVO_TARGET_DIR'], '-lgeckoservo']
+ 
+ if CONFIG['MOZ_SYSTEM_JPEG']:
+     OS_LIBS += CONFIG['MOZ_JPEG_LIBS']
+ 
+ if CONFIG['MOZ_SYSTEM_PNG']:
+     OS_LIBS += CONFIG['MOZ_PNG_LIBS']
+ 
++if CONFIG['MOZ_SYSTEM_HARFBUZZ']:
++    OS_LIBS += CONFIG['MOZ_HARFBUZZ_LIBS']
++
+ if CONFIG['MOZ_SYSTEM_HUNSPELL']:
+     OS_LIBS += CONFIG['MOZ_HUNSPELL_LIBS']
+ 
+ if CONFIG['MOZ_SYSTEM_LIBEVENT']:
+     OS_LIBS += CONFIG['MOZ_LIBEVENT_LIBS']
+ 
+ if CONFIG['MOZ_SYSTEM_LIBVPX']:
+     OS_LIBS += CONFIG['MOZ_LIBVPX_LIBS']
+
diff --git a/gnu/packages/patches/java-xerces-bootclasspath.patch b/gnu/packages/patches/java-xerces-bootclasspath.patch
new file mode 100644
index 0000000000..efaa548a62
--- /dev/null
+++ b/gnu/packages/patches/java-xerces-bootclasspath.patch
@@ -0,0 +1,38 @@
+Based on https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/03_bootclasspath.patch?revision=14509, adopted for guix
+
+--- xerces-2_11_0/build.xml.orig	2010-11-26 21:42:11.000000000 +0100
++++ xerces-2_11_0/build.xml	2017-03-28 14:04:41.946606996 +0200
+@@ -290,13 +290,14 @@
+            destdir="${build.dest}"

+            source="${javac.source}"

+            target="${javac.target}"

+-           classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"

++           classpath="${build.dir}/classes:${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+            debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            deprecation="${deprecation}"

+            optimize="${optimize}"

+            includeAntRuntime="false"

+-           includeJavaRuntime="false"

++           includeJavaRuntime="true"

++           bootclasspath="${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+            excludes="org/xml/sax/** 

+                 javax/xml/**

+                 org/w3c/dom/*

+@@ -1451,13 +1452,14 @@
+                destdir="${build.dest}"

+                source="${javac.source}"

+                target="${javac.target}"

+-               classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"

++               classpath="${build.dir}/classes:${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+                debug="${debug}"

+                debuglevel="${debuglevel}"

+                deprecation="${deprecation}"

+                optimize="${optimize}"

+                includeAntRuntime="false"

+-               includeJavaRuntime="false"

++               includeJavaRuntime="true"

++               bootclasspath="${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+                excludes="org/xml/sax/** 

+                     javax/xml/**

+                     org/w3c/dom/*
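Review bot: The context line `debug="${debug}" nowarn="true"` in the first build.xml hunk exists only after java-xerces-xjavac_taskdef.patch has been applied, so this patch will not apply cleanly to the pristine xerces-2_11_0 build.xml on its own. The header does not mention the ordering; I would add a line such as `Must be applied after java-xerces-xjavac_taskdef.patch.` below the "Based on" line. The second build.xml hunk (around line 1451) has plain `debug="${debug}"` as context and is not affected.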

diff --git a/gnu/packages/patches/java-xerces-build_dont_unzip.patch b/gnu/packages/patches/java-xerces-build_dont_unzip.patch
new file mode 100644
index 0000000000..2ff5628865
--- /dev/null
+++ b/gnu/packages/patches/java-xerces-build_dont_unzip.patch
@@ -0,0 +1,44 @@
+Don't unzip the sources which were bundled originally. Guix strips them from
+the source and uses pre-build packages.
+
+Taken from https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/02_build_dont_unzip.patch?revision=14507
+
+Index: b/build.xml
+===================================================================
+--- a/build.xml
++++ b/build.xml
+@@ -247,7 +247,7 @@
+     <copy file="${src.dir}/org/apache/xerces/impl/xpath/regex/message.properties"

+       tofile="${build.src}/org/apache/xerces/impl/xpath/regex/message_en.properties"/>

+ 

+-    <!-- now deal with API's:  -->

++    <!-- not needed for Debian

+     <unzip src="${src.apis.zip}" dest="${build.src}">

+         <patternset

+             includes="org/xml/sax/** 

+@@ -270,6 +270,7 @@
+                 org/w3c/dom/xpath/**"

+         />

+     </unzip>

++    -->

+     

+     <!-- substitute tokens as needed -->

+     <replace file="${build.dir}/src/org/apache/xerces/impl/Version.java" 

+@@ -1232,7 +1233,7 @@
+     <replace file="${build.dir}/src/org/apache/xerces/parsers/AbstractSAXParser.java"

+              token="return (fConfiguration instanceof XML11Configurable);" value="return false;"/>

+  

+-    <!-- now deal with API's:  -->

++    <!-- not needed for Debian

+     <unzip src="${src.apis.zip}" dest="${build.src}">

+         <patternset

+             includes="org/xml/sax/** 

+@@ -1255,7 +1256,7 @@
+                 org/w3c/dom/xpath/**"

+         />

+     </unzip>

+-

++    -->

+ 

+     <!-- substitute tokens as needed -->

+     <replace file="${build.dir}/src/org/apache/xerces/impl/Version.java" 

diff --git a/gnu/packages/patches/java-xerces-xjavac_taskdef.patch b/gnu/packages/patches/java-xerces-xjavac_taskdef.patch
new file mode 100644
index 0000000000..4f5d008c28
--- /dev/null
+++ b/gnu/packages/patches/java-xerces-xjavac_taskdef.patch
@@ -0,0 +1,45 @@
+This patch eliminates the need for providing "xjavac", which saves building a
+package for the unmaintained "xerces-tools".
+
+Taken from https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/01_xjavac_taskdef.patch?revision=14507
+
+Index: b/build.xml
+===================================================================
+--- a/build.xml
++++ b/build.xml
+@@ -39,7 +39,7 @@
+   <property name="tools.dir" value="./tools"/>

+ 

+   <!-- enable compilation under JDK 1.4 and above -->

+-  <taskdef name="xjavac" classname="org.apache.xerces.util.XJavac">

++  <taskdef name="xjavac" classname="org.apache.tools.ant.taskdefs.Javac">

+     <classpath>

+       <pathelement location="${tools.dir}/bin/xjavac.jar"/>

+     </classpath>

+@@ -291,7 +291,7 @@
+            source="${javac.source}"

+            target="${javac.target}"

+            classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"

+-           debug="${debug}"

++           debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            deprecation="${deprecation}"

+            optimize="${optimize}"

+@@ -359,7 +359,7 @@
+            source="${javac.source}"

+            target="${javac.target}"

+            classpath="${build.dir}/classes:${tools.dir}/${jar.apis}"

+-           debug="${debug}"

++           debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            includeAntRuntime="false"

+            includeJavaRuntime="true"/>

+@@ -379,7 +379,7 @@
+            source="${javac.source}"

+            target="${javac.target}"

+            classpath="${tools.dir}/${jar.apis}:${build.dir}/classes:./tools/junit.jar"

+-           debug="${debug}"

++           debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            includeAntRuntime="false"

+            includeJavaRuntime="true"/>
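Review bot: After `classname` is switched to `org.apache.tools.ant.taskdefs.Javac`, the `<taskdef>` still carries the nested `<classpath>` pointing at `${tools.dir}/bin/xjavac.jar`, a jar the header says is no longer provided. Ant's own Javac task needs no extra classpath, so the leftover entry is dead configuration that still suggests a build-time dependency on a bundled binary; I would remove the `<classpath>` element in the same hunk. Separately, `nowarn="true"` is added to three compile targets without explanation, and a header sentence saying why compiler warnings are silenced would help. The `<taskdef>` element closes outside the hunk.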

diff --git a/gnu/packages/patches/ktexteditor-5.39.0-autotests-dependencies.patch b/gnu/packages/patches/ktexteditor-5.39.0-autotests-dependencies.patch
deleted file mode 100644
index 01a0e572cc..0000000000
--- a/gnu/packages/patches/ktexteditor-5.39.0-autotests-dependencies.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Add missing dependencies, see <https://phabricator.kde.org/D8577>.
-
-diff -r -U5 ktexteditor-5.39.0.orig/autotests/CMakeLists.txt ktexteditor-5.39.0/autotests/CMakeLists.txt
---- ktexteditor-5.39.0.orig/autotests/CMakeLists.txt	2017-10-31 16:28:45.018163060 +0100
-+++ ktexteditor-5.39.0/autotests/CMakeLists.txt	2017-10-31 16:28:16.439559888 +0100
-@@ -37,10 +37,11 @@
- set (KTEXTEDITOR_TEST_LINK_LIBS KF5TextEditor
-   KF5::I18n
-   KF5::IconThemes
-   KF5::GuiAddons
-   Qt5::Qml
-+  Qt5::Script
- )
- 
- include(ECMMarkAsTest)
- 
- # test executable for encoding
-diff -r -U5 ktexteditor-5.39.0.orig/CMakeLists.txt ktexteditor-5.39.0/CMakeLists.txt
---- ktexteditor-5.39.0.orig/CMakeLists.txt	2017-10-31 16:28:38.578252490 +0100
-+++ ktexteditor-5.39.0/CMakeLists.txt	2017-10-31 16:30:24.656778737 +0100
-@@ -38,11 +38,12 @@
- 
- # Dependencies
- set(REQUIRED_QT_VERSION 5.7.0)
- 
- # Required Qt5 components to build this framework
--find_package(Qt5 ${REQUIRED_QT_VERSION} NO_MODULE REQUIRED Core Widgets Qml PrintSupport Xml XmlPatterns)
-+find_package(Qt5 ${REQUIRED_QT_VERSION} NO_MODULE REQUIRED Core Widgets Qml
-+  Script PrintSupport Xml XmlPatterns)
- 
- find_package(KF5Archive ${KF5_DEP_VERSION} REQUIRED)
- find_package(KF5Config ${KF5_DEP_VERSION} REQUIRED)
- find_package(KF5GuiAddons ${KF5_DEP_VERSION} REQUIRED)
- find_package(KF5I18n ${KF5_DEP_VERSION} REQUIRED)
-diff -r -U5 ktexteditor-5.39.0/autotests/src/vimode/CMakeLists.txt ktexteditor-5.39.0.new/autotests/src/vimode/CMakeLists.txt
---- ktexteditor-5.39.0/autotests/src/vimode/CMakeLists.txt	1970-01-01 01:00:00.000000000 +0100
-+++ ktexteditor-5.39.0.new/autotests/src/vimode/CMakeLists.txt	2017-10-31 16:58:29.909003953 +0100
-@@ -4,10 +4,11 @@
-   ${CMAKE_SOURCE_DIR}/src/vimode
- )
- 
- set (VIMODE_TEST_LINK_LIBS KF5TextEditor
-   KF5::I18n
-+  Qt5::Qml
-   Qt5::Test
- )
- 
- macro(vimode_unit_test)
-   ecm_add_test(${ARGN} TEST_NAME "vimode_${ARGV0}"
diff --git a/gnu/packages/patches/libexif-CVE-2016-6328.patch b/gnu/packages/patches/libexif-CVE-2016-6328.patch
new file mode 100644
index 0000000000..67fee0f528
--- /dev/null
+++ b/gnu/packages/patches/libexif-CVE-2016-6328.patch
@@ -0,0 +1,72 @@
+Fix CVE-2016-6328:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1366239
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
+
+Patch copied from upstream source repository:
+
+https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d
+
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
+-- 
+2.16.0
+
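Review bot: The header line `Fix CVE-2016-6328:` claims more than the change delivers: the upstream subject quoted below it says it "fixes some (not all) buffer overreads", and only the `EXIF_FORMAT_SHORT` and `EXIF_FORMAT_LONG` loops gain a `sizeleft` guard against `entry->size`. Anyone auditing the package by patch name would take the CVE as fully closed. I would word the header as `Partially fix CVE-2016-6328 (bounds checks for SHORT and LONG Pentax makernote values only):` and keep the references. The remaining cases of the switch in mnote_pentax_entry_get_value are outside the hunk, so whether they can still read past `entry->data` cannot be judged from here.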
diff --git a/gnu/packages/patches/libgnomeui-utf8.patch b/gnu/packages/patches/libgnomeui-utf8.patch
new file mode 100644
index 0000000000..304d74e1e2
--- /dev/null
+++ b/gnu/packages/patches/libgnomeui-utf8.patch
@@ -0,0 +1,51 @@
+Fixes build with Python >= 3.6:
+
+------
+Making all in libgnomeui
+make[2]: Entering directory '/tmp/guix-build-libgnomeui-2.24.5.drv-0/libgnomeui-2.24.5/libgnomeui'
+  GEN    stamp-gnome-marshal.h
+  GEN    stamp-gnometypebuiltins.h
+INFO: Reading ./gnome-marshal.list...
+  GEN    gnome-marshal.h
+Traceback (most recent call last):
+  File "/gnu/store/azh1is0xknn4xphwj33iqcb5ic9qhk8l-glib-2.54.2-bin/bin/glib-mkenums", line 688, in <module>
+    process_file(fname)
+  File "/gnu/store/azh1is0xknn4xphwj33iqcb5ic9qhk8l-glib-2.54.2-bin/bin/glib-mkenums", line 420, in process_file
+    line = curfile.readline()
+  File "/gnu/store/3lkypf5wnsnvkaidhw0pv7k3yjfh1r9g-python-3.6.3/lib/python3.6/codecs.py", line 321, in decode
+    (result, consumed) = self._buffer_decode(data, self.errors, final)
+UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 1009: invalid continuation byte
+make[2]: *** [Makefile:1109: stamp-gnometypebuiltins.h] Error 1
+make[2]: Leaving directory '/tmp/guix-build-libgnomeui-2.24.5.drv-0/libgnomeui-2.24.5/libgnomeui'
+make[1]: *** [Makefile:369: all-recursive] Error 1
+make[1]: Leaving directory '/tmp/guix-build-libgnomeui-2.24.5.drv-0/libgnomeui-2.24.5'
+make: *** [Makefile:296: all] Error 2
+------
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libgnomeui/commit/?id=30334c28794ef85d8973f4ed0779b5ceed6594f2
+
+From 30334c28794ef85d8973f4ed0779b5ceed6594f2 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Mon, 7 Aug 2017 13:15:26 -0400
+Subject: [PATCH] gnome-scores.h: Convert to UTF-8
+
+The new Python `glib-mkenums` barfs on ISO-8859-1 input.
+---
+ libgnomeui/gnome-scores.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgnomeui/gnome-scores.h b/libgnomeui/gnome-scores.h
+index 911b12d1..4e641d22 100644
+--- a/libgnomeui/gnome-scores.h
++++ b/libgnomeui/gnome-scores.h
+@@ -27,7 +27,7 @@
+  * "High Scores" Widget 
+  *
+  * AUTHOR: 
+- * Horacio J. Peña <horape@compendium.com.ar>
++ * Horacio J. Peña <horape@compendium.com.ar>
+  *
+  * This is free software (under the terms of the GNU LGPL)
+  *
diff --git a/gnu/packages/patches/libsndfile-CVE-2017-12562.patch b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch
new file mode 100644
index 0000000000..58cb242b10
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch
@@ -0,0 +1,97 @@
+Fix CVE-2017-12562:
+
+https://github.com/erikd/libsndfile/issues/292
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562
+
+Patch copied from upstream source repository:
+
+https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
+
+From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+    big switch statement by an amount (16 bytes) which is enough for all cases
+    where only a single value gets added. Cases 's', 'S', 'p' however
+    additionally write an arbitrary length block of data and again enlarge the
+    buffer to the required amount. However, the required space calculation does
+    not take into account the size of the length field which gets output before
+    the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+    padding byte ("size += (size & 1) ;" happens after the calculation which
+    uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+    involved
+    ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+    the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+    beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+    involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+    where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+    plus optionally another 1 which is padding and not guaranteed to be
+    readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					/* Write a C string (guaranteed to have a zero terminator). */
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) + 1 ;
+-					size += (size & 1) ;
+ 
+-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+-						header_put_be_int (psf, size) ;
++						header_put_be_int (psf, size + (size & 1)) ;
+ 					else
+-						header_put_le_int (psf, size) ;
++						header_put_le_int (psf, size + (size & 1)) ;
+ 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++					size += (size & 1) ;
+ 					psf->header.indx += size ;
+ 					psf->header.ptr [psf->header.indx - 1] = 0 ;
+ 					count += 4 + size ;
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					*/
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) ;
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						header_put_be_int (psf, size) ;
+ 					else
+ 						header_put_le_int (psf, size) ;
+-					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ 					size += (size & 1) ;
+ 					psf->header.indx += size ;
+-					psf->header.ptr [psf->header.indx] = 0 ;
+ 					count += 4 + size ;
+ 					break ;
+ 
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					size = (size & 1) ? size : size + 1 ;
+ 					size = (size > 254) ? 254 : size ;
+ 
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ 						return count ;
+ 
+ 					header_put_byte (psf, size) ;
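Review bot: The rewritten bounds checks in cases 's' and 'S' spell out `4 + size + (size & 1)` twice per condition, and case 'p' uses `1 + size`, with nothing in the code saying what the constants stand for. The explanation (the length field written before the string, plus the pad byte) exists only in the commit message. Since these expressions are exactly what was miscalculated before, I would put a comment above each check, for example `/* Need room for the 4-byte length field, the string and an optional pad byte. */`, and the one-byte equivalent for case 'p'. psf_binheader_writef's body continues outside the hunk.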
diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
new file mode 100644
index 0000000000..3e6140518d
--- /dev/null
+++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
@@ -0,0 +1,73 @@
+Fix CVE-2018-6003:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
+https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97
+
+From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Thu, 4 Jan 2018 10:52:05 +0100
+Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3
+
+On indefinite string decoding, setting a maximum level of recursions
+protects the BER decoder from a stack exhaustion due to large amounts
+of recursion.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/decoding.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 2240b09..0ee35d3 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -45,6 +45,13 @@
+ 
+ #define DECODE_FLAG_HAVE_TAG 1
+ #define DECODE_FLAG_INDEFINITE (1<<1)
++/* On indefinite string decoding, allow this maximum levels
++ * of recursion. Allowing infinite recursion, makes the BER
++ * decoder susceptible to stack exhaustion due to that recursion.
++ */
++#define DECODE_FLAG_LEVEL1 (1<<2)
++#define DECODE_FLAG_LEVEL2 (1<<3)
++#define DECODE_FLAG_LEVEL3 (1<<4)
+ 
+ #define DECR_LEN(l, s) do { \
+ 	  l -= s; \
+@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
+     }
+ 
+   /* indefinite constructed */
+-  if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype))
++  if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) &&
++      !(dflags & DECODE_FLAG_LEVEL3))
+     {
+       len_len = 1;
+ 
+@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
+       do
+         {
+           unsigned tmp_len;
++          unsigned flags = DECODE_FLAG_HAVE_TAG;
++
++          if (dflags & DECODE_FLAG_LEVEL1)
++                flags |= DECODE_FLAG_LEVEL2;
++          else if (dflags & DECODE_FLAG_LEVEL2)
++		flags |= DECODE_FLAG_LEVEL3;
++	  else
++		flags |= DECODE_FLAG_LEVEL1;
+ 
+-          result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len);
++          result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len,
++                                           flags);
+           if (result != ASN1_SUCCESS)
+             {
+               warn();
+--
+libgit2 0.26.0
+
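Review bot: The recursion limit is enforced by adding `!(dflags & DECODE_FLAG_LEVEL3)` to the condition of the indefinite-constructed branch, so input nested more deeply is not rejected here but handed to whatever follows this `if`, which is outside the hunk. It is worth confirming that the fall-through path returns an error for a constructed string rather than decoding it as a primitive one. A comment would make that explicit, such as `/* at LEVEL3 we fall through; the code below must reject constructed encodings */`. The added `flags` lines also mix tabs and spaces (the `DECODE_FLAG_LEVEL3` assignment and the `else` arm are tab-indented, the rest space-indented), which makes the three-way chain harder to read.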
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
new file mode 100644
index 0000000000..ba03c83847
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-18013:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2770
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
+
+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
+ dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 9959d353..8deceb2b 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+ 			    (unsigned long) s,
+-			    (unsigned __int64) td->td_stripoffset[s],
+-			    (unsigned __int64) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+ 			    (unsigned long) s,
+-			    (unsigned long long) td->td_stripoffset[s],
+-			    (unsigned long long) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ 	}
+ }
+-- 
+2.16.1
+
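Review bot: With the new ternaries, a NULL `td->td_stripoffset` or `td->td_stripbytecount` is printed as `0`, which in the listing looks the same as a strip that really has offset 0 or byte count 0. This output is presumably what people read when inspecting a suspicious file, so the placeholder hides the fact that the array was missing. At minimum I would add a comment above the `fprintf` calls, `/* Either array may be NULL in a corrupted file; 0 is printed as a placeholder. */`, so the choice is visible to the next maintainer. The loop and the rest of TIFFPrintDirectory are outside the hunk.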
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
new file mode 100644
index 0000000000..5685d81f68
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
@@ -0,0 +1,162 @@
+Fix CVE-2017-9935
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
+http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
+
+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+---
+ libtiff/tif_dir.c |  3 +++
+ tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 2ccaf448..cbf2b693 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
++			} else {
++				*va_arg(ap, uint16**) = NULL;
++				*va_arg(ap, uint16**) = NULL;
+ 			}
+ 			break;
+ 		case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index d1a9b095..c3ec0746 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 pagen=0;
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
++	uint16 tiff_transferfunctioncount=0;
++	float* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                 }
+ #endif
+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+-                                 &(t2p->tiff_transferfunction[0]),
+-                                 &(t2p->tiff_transferfunction[1]),
+-                                 &(t2p->tiff_transferfunction[2]))) {
+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[1] !=
+-                            t2p->tiff_transferfunction[0])) {
+-				t2p->tiff_transferfunctioncount = 3;
+-				t2p->tiff_pages[i].page_extra += 4;
+-				t2p->pdf_xrefcount += 4;
+-			} else {
+-				t2p->tiff_transferfunctioncount = 1;
+-				t2p->tiff_pages[i].page_extra += 2;
+-				t2p->pdf_xrefcount += 2;
+-			}
+-			if(t2p->pdf_minorversion < 2)
+-				t2p->pdf_minorversion = 2;
++                                 &(tiff_transferfunction[0]),
++                                 &(tiff_transferfunction[1]),
++                                 &(tiff_transferfunction[2]))) {
++
++                        if((tiff_transferfunction[1] != (float*) NULL) &&
++                           (tiff_transferfunction[2] != (float*) NULL)
++                          ) {
++                            tiff_transferfunctioncount=3;
++                        } else {
++                            tiff_transferfunctioncount=1;
++                        }
+                 } else {
+-			t2p->tiff_transferfunctioncount=0;
++			tiff_transferfunctioncount=0;
+ 		}
++
++                if (i > 0){
++                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++                        TIFFError(
++                            TIFF2PDF_MODULE,
++                            "Different transfer function on page %d",
++                            i);
++                        t2p->t2p_error = T2P_ERR_ERROR;
++                        return;
++                    }
++                }
++
++                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++                if(tiff_transferfunctioncount == 3){
++                        t2p->tiff_pages[i].page_extra += 4;
++                        t2p->pdf_xrefcount += 4;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                } else if (tiff_transferfunctioncount == 1){
++                        t2p->tiff_pages[i].page_extra += 2;
++                        t2p->pdf_xrefcount += 2;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                }
++
+ 		if( TIFFGetField(
+ 			input, 
+ 			TIFFTAG_ICCPROFILE, 
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			 &(t2p->tiff_transferfunction[1]),
+ 			 &(t2p->tiff_transferfunction[2]))) {
+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[1] !=
+-                    t2p->tiff_transferfunction[0])) {
++                   (t2p->tiff_transferfunction[2] != (float*) NULL)
++                  ) {
+ 			t2p->tiff_transferfunctioncount=3;
+ 		} else {
+ 			t2p->tiff_transferfunctioncount=1;
+-- 
+2.16.1
+
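Review bot: In t2p_read_tiff_init the new local `float* tiff_transferfunction[3];` is declared without an initialiser, yet its three elements are copied into `t2p->tiff_transferfunction[0..2]` for every page, including the branch where TIFFGetField() returned 0 and stored nothing in them. With the count at 0 the copied pointers are presumably never dereferenced, but the stored state is then indeterminate; declaring it as `float* tiff_transferfunction[3] = { NULL, NULL, NULL };` keeps it well defined. The new TIFFError call passes `i` to `%d`, and `i` is declared outside the hunk, so its type should be checked against the format. The function body starts and ends outside the hunks shown.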
diff --git a/gnu/packages/patches/luajit-symlinks.patch b/gnu/packages/patches/luajit-symlinks.patch
deleted file mode 100644
index 2466c34144..0000000000
--- a/gnu/packages/patches/luajit-symlinks.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0a54a8f125d7ab508c7c88d5ad4ed1b0c63cb5b6 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Tom=C3=A1=C5=A1=20=C4=8Cech?= <sleep_walker@suse.cz>
-Date: Wed, 4 Feb 2015 11:32:55 +0100
-Subject: [PATCH 1/2] Provide two symlinks for dynamic library during install
-
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 0891b71..343ecb5 100644
---- a/Makefile
-+++ b/Makefile
-@@ -56,7 +56,7 @@ INSTALL_PCNAME= luajit.pc
- INSTALL_STATIC= $(INSTALL_LIB)/$(INSTALL_ANAME)
- INSTALL_DYN= $(INSTALL_LIB)/$(INSTALL_SONAME)
- INSTALL_SHORT1= $(INSTALL_LIB)/$(INSTALL_SOSHORT)
--INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT)
-+INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT).$(MAJVER)
- INSTALL_T= $(INSTALL_BIN)/$(INSTALL_TNAME)
- INSTALL_TSYM= $(INSTALL_BIN)/$(INSTALL_TSYMNAME)
- INSTALL_PC= $(INSTALL_PKGCONFIG)/$(INSTALL_PCNAME)
--- 
-2.2.2
-
diff --git a/gnu/packages/patches/lxterminal-CVE-2016-10369.patch b/gnu/packages/patches/lxterminal-CVE-2016-10369.patch
deleted file mode 100644
index 809eef08da..0000000000
--- a/gnu/packages/patches/lxterminal-CVE-2016-10369.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2016-10369:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10369
-
-Patch copied from upstream source repository:
-
-https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
-
-From f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Mon Sep 17 00:00:00 2001
-From: Yao Wei <mwei@lxde.org>
-Date: Mon, 8 May 2017 00:47:55 +0800
-Subject: [PATCH] fix: use g_get_user_runtime_dir for socket directory
-
-This bug is pointed out by stackexchange user that putting socket file in
-/tmp is a potential risk. Putting the socket dir in user directory could
-mitigate the risk.
----
- src/unixsocket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/unixsocket.c b/src/unixsocket.c
-index 4c660ac..f88284c 100644
---- a/src/unixsocket.c
-+++ b/src/unixsocket.c
-@@ -140,7 +140,8 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar
-      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
- 
-     /* Formulate the path for the Unix domain socket. */
--    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
-+    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
-+    printf("%s\n", socket_path);
- 
-     /* Create socket. */
-     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
--- 
-2.1.4
-
diff --git a/gnu/packages/patches/mailutils-uninitialized-memory.patch b/gnu/packages/patches/mailutils-uninitialized-memory.patch
new file mode 100644
index 0000000000..ef4daf94cb
--- /dev/null
+++ b/gnu/packages/patches/mailutils-uninitialized-memory.patch
@@ -0,0 +1,87 @@
+Without this patch, the MH test suite would fail when building with
+glibc 2.26, with 'ali' segfaulting like this:
+
+  Core was generated by `/tmp/guix-build-mailutils-3.4.drv-0/mailutils-3.4/mh/.libs/ali -a ./Mail/mh_ali'.
+  Program terminated with signal SIGSEGV, Segmentation fault.
+  #0  0x00007f8eac263a14 in hash (
+      name=0x72642e342e332d73 <error: Cannot access memory at address 0x72642e342e332d73>, hash_num=0) at assoc.c:102
+  102	  for (i = 0; *name; name++)
+  (gdb) bt
+  #0  0x00007f8eac263a14 in hash (
+      name=0x72642e342e332d73 <error: Cannot access memory at address 0x72642e342e332d73>, hash_num=0) at assoc.c:102
+  #1  0x00007f8eac263e6b in assoc_find_slot (assoc=0xaa59e0, 
+      name=0x72642e342e332d73 <error: Cannot access memory at address 0x72642e342e332d73>, install=0x0, slot=0x7ffcddcbf2b8) at assoc.c:219
+  #2  0x00007f8eac264124 in mu_assoc_lookup (assoc=0xaa59e0, 
+      name=0x72642e342e332d73 <error: Cannot access memory at address 0x72642e342e332d73>, dataptr=0x7ffcddcbf2e0) at assoc.c:308
+  #3  0x00007f8eac29e8ac in mu_ident_deref (
+      name=0x72642e342e332d73 <error: Cannot access memory at address 0x72642e342e332d73>) at ident.c:98
+  #4  0x00007f8eac29f8a6 in mu_locus_point_deinit (pt=0xaa5718) at locus.c:48
+  #5  0x00007f8eac29fa1b in mu_locus_range_deinit (lr=0xaa5718) at locus.c:99
+  #6  0x00007f8eac29f9db in mu_locus_range_copy (dest=0xaa5718, 
+      src=0x622be0 <ali_yylloc>) at locus.c:89
+  #7  0x0000000000408a2a in push_source (name=0xaa74bc "mh_aliases2", fail=1)
+      at mh_alias_lex.l:170
+
+commit b330af9008e4c9168b379867b854f5900a539ad7
+Author: Sergey Poznyakoff <gray@gnu.org>
+Date:   Sat Nov 18 10:15:48 2017 +0200
+
+    Fix the use of uninitialized memory
+    
+    * mh/mh_alias_lex.l (push_source): Initialize locus range prior to copying
+    to it.
+    * libmailutils/cfg/parser.y (mu_cfg_tree_create_node): Likewise.
+    * libmu_sieve/util.c: (mu_sieve_value_create): Likewise.
+
+diff --git a/libmailutils/cfg/parser.y b/libmailutils/cfg/parser.y
+index 4503c7781..3436b8d90 100644
+--- a/libmailutils/cfg/parser.y
++++ b/libmailutils/cfg/parser.y
+@@ -1134,10 +1134,9 @@ mu_cfg_tree_create_node (struct mu_cfg_tree *tree,
+   
+   np = mu_alloc (size);
+   np->type = type;
++  mu_locus_range_init (&np->locus);
+   if (loc)
+     mu_locus_range_copy (&np->locus, loc);
+-  else
+-    memset (&np->locus, 0, sizeof np->locus);
+   p = (char*) (np + 1);
+   np->tag = p;
+   strcpy (p, tag);
+diff --git a/libmu_sieve/sieve-lex.l b/libmu_sieve/sieve-lex.l
+index fd145bfe1..f14e80194 100644
+--- a/libmu_sieve/sieve-lex.l
++++ b/libmu_sieve/sieve-lex.l
+@@ -190,6 +190,7 @@ push_source (const char *name)
+     {
+       ctx = mu_sieve_malloc (mu_sieve_machine, sizeof (*ctx));
+       ctx->trk = trk;
++      mu_locus_range_init (&ctx->incl_range);
+       mu_locus_range_copy (&ctx->incl_range, &yylloc);
+       ctx->i_node = sieve_source_inode;
+       ctx->input = input_stream;
+diff --git a/libmu_sieve/util.c b/libmu_sieve/util.c
+index 8d62a60c2..7d71b5509 100644
+--- a/libmu_sieve/util.c
++++ b/libmu_sieve/util.c
+@@ -55,6 +55,7 @@ mu_sieve_value_create (mu_sieve_machine_t mach, mu_sieve_data_type type,
+   val->locus.end.mu_line = locus->end.mu_line;
+   val->locus.end.mu_col = locus->end.mu_col;
+   
++  mu_locus_range_init (&val->locus);
+   mu_locus_range_copy (&val->locus, locus);
+   switch (type)
+     {
+diff --git a/mh/mh_alias_lex.l b/mh/mh_alias_lex.l
+index 371353ed3..b97264b38 100644
+--- a/mh/mh_alias_lex.l
++++ b/mh/mh_alias_lex.l
+@@ -167,6 +167,7 @@ push_source (const char *name, int fail)
+     {
+       ctx = mu_alloc (sizeof (*ctx));
+       ctx->trk = trk;
++      mu_locus_range_init (&ctx->incl_range);
+       mu_locus_range_copy (&ctx->incl_range, &yylloc);
+       ctx->exec_p = exec_p;
+       ctx->i_node = ali_source_inode;
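Review bot: In the libmu_sieve/util.c hunk, `mu_locus_range_init (&val->locus);` is inserted after the context lines that assign `val->locus.end.mu_line` and `val->locus.end.mu_col` by hand. If the init call resets the whole range (its definition is not shown), those stores are dead, and the `mu_locus_range_copy` that follows repopulates the range anyway. Moving the init ahead of the manual assignments, or dropping them, would make the intended order plain. Separately, the quoted commit message lists three files while the diff also touches libmu_sieve/sieve-lex.l, and unlike the neighbouring patch files the header gives no upstream location for commit b330af9008e4c9168b379867b854f5900a539ad7.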
diff --git a/gnu/packages/patches/mupdf-CVE-2017-17858.patch b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
new file mode 100644
index 0000000000..66df127509
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
@@ -0,0 +1,111 @@
+Fix CVE-2017-17858:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858
+https://bugs.ghostscript.com/show_bug.cgi?id=698819
+https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
+
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 21ed8595..4177112b 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
++/* Defined in PDF 1.7 according to Acrobat limit. */
++#define PDF_MAX_OBJECT_NUMBER 8388607
++
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index ca149bd3..0c29758e 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+ 	int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ 					break;
+ 				}
+ 
+-				if (num <= 0 || num > MAX_OBJECT_NUMBER)
++				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+ 				{
+ 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ 					goto have_next_token;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 00586dbd..6284e70b 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+ 		}
+ 
+-		if (ofs < 0)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+-		if (ofs > INT64_MAX - len)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
+-
++		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
++				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
++				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
++		{
++			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
++		}
+ 		/* broken pdfs where size in trailer undershoots entries in xref sections */
+ 		if (ofs + len > xref_len)
+ 		{
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+-	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+-	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
++	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ 
+ 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+ 	for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
+ 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
+ 	pdf_xref_entry *entry;
+ 	int num = pdf_xref_len(ctx, doc);
++
++	if (num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
++
+ 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+ 	entry->type = 'f';
+ 	entry->ofs = -1;
+-- 
+2.16.1
+
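Review bot: The new range checks in pdf_read_old_xref and pdf_read_new_xref_section avoid overflow only through operand order: `ofs + len - 1` and `i0 + i1 - 1` are evaluated after the earlier `||` operands have bounded both terms by PDF_MAX_OBJECT_NUMBER. Nothing in the code records that dependence, so a later reordering of the condition could bring back the overflow that the removed `INT64_MAX - len` and `INT_MAX - i1` tests guarded against. A one-line comment on each check, such as `/* both terms are bounded above, so the sum cannot overflow */`, would document it. Both functions continue outside the hunks.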
diff --git a/gnu/packages/patches/ninja-zero-mtime.patch b/gnu/packages/patches/ninja-zero-mtime.patch
deleted file mode 100644
index c9b9e8d798..0000000000
--- a/gnu/packages/patches/ninja-zero-mtime.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Work around a design defect in Ninja whereby a zero mtime is used to
-denote missing files (we happen to produce files that have a zero mtime
-and yet really do exist.)
-
---- ninja-1.5.3/src/disk_interface.cc	2014-11-24 18:37:47.000000000 +0100
-+++ ninja-1.5.3/src/disk_interface.cc	2015-07-18 23:20:38.572290139 +0200
-@@ -194,6 +194,12 @@ TimeStamp RealDiskInterface::Stat(const
-     }
-     return -1;
-   }
-+
-+  if (st.st_mtime == 0)
-+    // All the code assumes that mtime == 0 means "file missing".  Here we
-+    // know the file is not missing, so tweak the mtime.
-+    st.st_mtime = 1;
-+
-   return st.st_mtime;
- #endif
- }
diff --git a/gnu/packages/patches/opencascade-oce-glibc-2.26.patch b/gnu/packages/patches/opencascade-oce-glibc-2.26.patch
new file mode 100644
index 0000000000..ee5ed572c8
--- /dev/null
+++ b/gnu/packages/patches/opencascade-oce-glibc-2.26.patch
@@ -0,0 +1,62 @@
+Fix build with glibc 2.26:
+
+https://github.com/tpaviot/oce/issues/675
+
+Patch copied from upstream source repository:
+
+https://github.com/tpaviot/oce/commit/aa1321e68cc004e3debe38d79ae74581a617c767
+
+From aa1321e68cc004e3debe38d79ae74581a617c767 Mon Sep 17 00:00:00 2001
+From: Janus Weil <janus@gcc.gnu.org>
+Date: Mon, 18 Dec 2017 11:27:55 +0100
+Subject: [PATCH] fix build errors with glibc 2.26+ due to missing xlocale.h
+ (issue #675)
+
+* check for the presence of xlocale.h via cmake
+* remove related logic from Standard_CLocaleSentry.hxx
+---
+ CMakeLists.txt                          |  1 +
+ src/Standard/Standard_CLocaleSentry.hxx | 15 ---------------
+ 2 files changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b782b4101..50e9500b2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -616,6 +616,7 @@ if (NOT WIN32)
+ 	# compilation anywhere in OCE
+ 	include(CheckIncludeFile)
+ 	check_include_file(strings.h HAVE_STRINGS_H)
++	check_include_file(xlocale.h HAVE_XLOCALE_H)
+ 	include(CheckIncludeFileCXX)
+ 	check_include_file_cxx(mm_malloc.h HAVE_MM_MALLOC_H)
+ 	check_include_file_cxx(atomic.h OCE_HAVE_ATOMIC_H)
+diff --git a/src/Standard/Standard_CLocaleSentry.hxx b/src/Standard/Standard_CLocaleSentry.hxx
+index 2b226e7f3..1a4c1dadc 100644
+--- a/src/Standard/Standard_CLocaleSentry.hxx
++++ b/src/Standard/Standard_CLocaleSentry.hxx
+@@ -20,21 +20,6 @@
+ 
+ #include <locale.h>
+ 
+-#ifndef HAVE_XLOCALE_H
+-  //! "xlocale.h" available in Mac OS X and glibc (Linux) for a long time as an extension
+-  //! and become part of POSIX since '2008.
+-  //! Notice that this is impossible to test (_POSIX_C_SOURCE >= 200809L)
+-  //! since POSIX didn't declared such identifier.
+-  #if defined(__APPLE__)
+-    #define HAVE_XLOCALE_H
+-  #endif
+-
+-  //! We check _GNU_SOURCE for glibc extensions here and it is always defined by g++ compiler.
+-  #if defined(_GNU_SOURCE) && !defined(__ANDROID__)
+-    #define HAVE_XLOCALE_H
+-  #endif
+-#endif // ifndef HAVE_LOCALE_H
+-
+ #ifdef HAVE_XLOCALE_H
+   #include <xlocale.h>
+ #endif
+-- 
+2.15.1
+
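Review bot: The CMakeLists.txt hunk adds `check_include_file(xlocale.h HAVE_XLOCALE_H)`, which sets a CMake variable, but nothing visible shows how that result reaches the `#ifdef HAVE_XLOCALE_H` test that remains in Standard_CLocaleSentry.hxx. If a generated config header or a compile definition carries the macro, it lies outside these lines and is worth confirming. Otherwise the `#include <xlocale.h>` branch would never be taken, including on the platforms where the removed `__APPLE__` and `_GNU_SOURCE` fallbacks used to enable it. A short comment beside the new check naming where the macro is exported would make that dependency explicit.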
diff --git a/gnu/packages/patches/p7zip-CVE-2017-17969.patch b/gnu/packages/patches/p7zip-CVE-2017-17969.patch
new file mode 100644
index 0000000000..51c24000e5
--- /dev/null
+++ b/gnu/packages/patches/p7zip-CVE-2017-17969.patch
@@ -0,0 +1,35 @@
+Fix CVE-2017-17969:
+
+https://sourceforge.net/p/p7zip/bugs/204/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
+
+Patch copied from Debian.
+
+Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
+Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch
+Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7
+Bug: https://sourceforge.net/p/p7zip/bugs/204/
+Bug-Debian: https://bugs.debian.org/888297
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969
+Author: Antoine Beaupré <anarcat@debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2018-02-01
+Applied-Upstream: 18.00-beta
+
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+     {
+       _stack[i++] = _suffixes[cur];
+       cur = _parents[cur];
++      if (cur >= kNumItems || i >= kNumItems)
++        break;
+     }
+-    
++
++    if (cur >= kNumItems || i >= kNumItems)
++      break;
++
+     _stack[i++] = (Byte)cur;
+     lastChar2 = (Byte)cur;
+ 
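Review bot: Both added guards in CDecoder::CodeReal leave via `break`, and the second one exits the enclosing decode loop. Whether a stream with an out-of-range `cur` or a full `_stack` is then reported as a data error, or only ends the output early, depends on code after the loop, which is outside the hunk. For a decoder that handles untrusted archives, the out-of-range case should reach the caller as a failure; if the code after the loop does not already do that, `return S_FALSE;` at the second guard would be clearer than `break`. The first guard runs after `_suffixes[cur]` has been read, so it relies on the loop condition (not visible here) having validated `cur` for the first iteration.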
diff --git a/gnu/packages/patches/policycoreutils-make-sepolicy-use-python3.patch b/gnu/packages/patches/policycoreutils-make-sepolicy-use-python3.patch
deleted file mode 100644
index befe9fbb2a..0000000000
--- a/gnu/packages/patches/policycoreutils-make-sepolicy-use-python3.patch
+++ /dev/null
@@ -1,335 +0,0 @@
-Downloaded from https://anonscm.debian.org/cgit/selinux/policycoreutils.git/plain/debian/patches/policycoreutils-Make-sepolicy-work-with-python3.patch
-
-From 2d7ca0b862a35196d562f59bd098df011fd7f0e6 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville <bigon@bigon.be>
-Date: Mon, 7 Nov 2016 10:51:08 +0100
-Subject: [PATCH] policycoreutils: Make sepolicy work with python3
-
-Add python3 support for sepolicy
-
-Signed-off-by: Laurent Bigonville <bigon@bigon.be>
----
- policycoreutils/sepolicy/selinux_client.py       |  6 ++--
- policycoreutils/sepolicy/sepolicy.py             | 38 ++++++++++++------------
- policycoreutils/sepolicy/sepolicy/__init__.py    | 16 ++++++----
- policycoreutils/sepolicy/sepolicy/communicate.py |  4 +--
- policycoreutils/sepolicy/sepolicy/generate.py    | 30 +++++++++----------
- policycoreutils/sepolicy/sepolicy/interface.py   | 14 ++++++---
- policycoreutils/sepolicy/sepolicy/manpage.py     |  7 +++--
- 7 files changed, 65 insertions(+), 50 deletions(-)
-
-diff --git a/policycoreutils/sepolicy/selinux_client.py b/policycoreutils/sepolicy/selinux_client.py
-index 7f4a91c..dc29f28 100644
---- a/sepolicy/selinux_client.py
-+++ b/sepolicy/selinux_client.py
-@@ -39,6 +39,6 @@ if __name__ == "__main__":
-     try:
-         dbus_proxy = SELinuxDBus()
-         resp = dbus_proxy.customized()
--        print convert_customization(resp)
--    except dbus.DBusException, e:
--        print e
-+        print(convert_customization(resp))
-+    except dbus.DBusException as e:
-+        print(e)
-diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index 3e502a7..5bf9b52 100755
---- a/sepolicy/sepolicy.py
-+++ b/sepolicy/sepolicy.py
-@@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
-     if len(portdict) > 0:
-         bold_start = "\033[1m"
-         bold_end = "\033[0;0m"
--        print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end
-+        print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end)
-         port_strings = []
-         boolean_text = ""
-         for p in portdict:
-@@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
-                     port_strings.append("%s (%s)" % (", ".join(recs), t))
-         port_strings.sort(numcmp)
-         for p in port_strings:
--            print "\t" + p
-+            print("\t" + p)
- 
- 
- def network(args):
-@@ -286,7 +286,7 @@ def network(args):
-             if i[0] not in all_ports:
-                 all_ports.append(i[0])
-         all_ports.sort()
--        print "\n".join(all_ports)
-+        print("\n".join(all_ports))
- 
-     for port in args.port:
-         found = False
-@@ -297,18 +297,18 @@ def network(args):
-                 else:
-                     range = "%s-%s" % (i[0], i[1])
-                 found = True
--                print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)
-+                print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range))
-         if not found:
-             if port < 500:
--                print "Undefined reserved port type"
-+                print("Undefined reserved port type")
-             else:
--                print "Undefined port type"
-+                print("Undefined port type")
- 
-     for t in args.type:
-         if (t, 'tcp') in portrecs.keys():
--            print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
-+            print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
-         if (t, 'udp') in portrecs.keys():
--            print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
-+            print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
- 
-     for a in args.applications:
-         d = sepolicy.get_init_transtype(a)
-@@ -357,7 +357,7 @@ def manpage(args):
- 
-     for domain in test_domains:
-         m = ManPage(domain, path, args.root, args.source_files, args.web)
--        print m.get_man_page_path()
-+        print(m.get_man_page_path())
- 
-     if args.web:
-         HTMLManPages(manpage_roles, manpage_domains, path, args.os)
-@@ -418,7 +418,7 @@ def communicate(args):
-     out = list(set(writable) & set(readable))
- 
-     for t in out:
--        print t
-+        print(t)
- 
- 
- def gen_communicate_args(parser):
-@@ -445,7 +445,7 @@ def booleans(args):
-     args.booleans.sort()
- 
-     for b in args.booleans:
--        print "%s=_(\"%s\")" % (b, boolean_desc(b))
-+        print("%s=_(\"%s\")" % (b, boolean_desc(b)))
- 
- 
- def gen_booleans_args(parser):
-@@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""):
-     for i in interfaces:
-         if args.verbose:
-             try:
--                print get_interface_format_text(i + append)
-+                print(get_interface_format_text(i + append))
-             except KeyError:
--                print i
-+                print(i)
-         if args.compile:
-             try:
-                 interface_compile_test(i)
-             except KeyError:
--                print i
-+                print(i)
-         else:
--            print i
-+            print(i)
- 
- 
- def interface(args):
-@@ -565,7 +565,7 @@ def generate(args):
-     if args.policytype in APPLICATIONS:
-         mypolicy.gen_writeable()
-         mypolicy.gen_symbols()
--    print mypolicy.generate(args.path)
-+    print(mypolicy.generate(args.path))
- 
- 
- def gen_interface_args(parser):
-@@ -698,12 +698,12 @@ if __name__ == '__main__':
-         args = parser.parse_args(args=parser_args)
-         args.func(args)
-         sys.exit(0)
--    except ValueError, e:
-+    except ValueError as e:
-         sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
-         sys.exit(1)
--    except IOError, e:
-+    except IOError as e:
-         sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
-         sys.exit(1)
-     except KeyboardInterrupt:
--        print "Out"
-+        print("Out")
-         sys.exit(0)
-diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
-index 8fbd5b4..fee6438 100644
---- a/sepolicy/sepolicy/__init__.py
-+++ b/sepolicy/sepolicy/__init__.py
-@@ -695,7 +695,7 @@ def get_methods():
-     # List of per_role_template interfaces
-         ifs = interfaces.InterfaceSet()
-         ifs.from_file(fd)
--        methods = ifs.interfaces.keys()
-+        methods = list(ifs.interfaces.keys())
-         fd.close()
-     except:
-         sys.stderr.write("could not open interface info [%s]\n" % fn)
-@@ -752,7 +752,10 @@ def get_all_entrypoint_domains():
- 
- 
- def gen_interfaces():
--    import commands
-+    try:
-+        from commands import getstatusoutput
-+    except ImportError:
-+        from subprocess import getstatusoutput
-     ifile = defaults.interface_info()
-     headers = defaults.headers()
-     try:
-@@ -763,7 +766,7 @@ def gen_interfaces():
- 
-     if os.getuid() != 0:
-         raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
--    print(commands.getstatusoutput("/usr/bin/sepolgen-ifgen")[1])
-+    print(getstatusoutput("/usr/bin/sepolgen-ifgen")[1])
- 
- 
- def gen_port_dict():
-@@ -1085,8 +1088,11 @@ def get_os_version():
-     os_version = ""
-     pkg_name = "selinux-policy"
-     try:
--        import commands
--        rc, output = commands.getstatusoutput("rpm -q '%s'" % pkg_name)
-+        try:
-+            from commands import getstatusoutput
-+        except ImportError:
-+            from subprocess import getstatusoutput
-+        rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
-         if rc == 0:
-             os_version = output.split(".")[-2]
-     except:
-diff --git a/policycoreutils/sepolicy/sepolicy/communicate.py b/policycoreutils/sepolicy/sepolicy/communicate.py
-index b96c4b9..299316e 100755
---- a/sepolicy/sepolicy/communicate.py
-+++ b/sepolicy/sepolicy/communicate.py
-@@ -34,8 +34,8 @@ def usage(parser, msg):
- 
- def expand_attribute(attribute):
-     try:
--        return sepolicy.info(sepolicy.ATTRIBUTE, attribute)[0]["types"]
--    except RuntimeError:
-+        return list(next(sepolicy.info(sepolicy.ATTRIBUTE, attribute))["types"])
-+    except StopIteration:
-         return [attribute]
- 
- 
-diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
-index 65b33b6..5696110 100644
---- a/sepolicy/sepolicy/generate.py
-+++ b/sepolicy/sepolicy/generate.py
-@@ -31,21 +31,21 @@ import time
- import types
- import platform
- 
--from templates import executable
--from templates import boolean
--from templates import etc_rw
--from templates import unit_file
--from templates import var_cache
--from templates import var_spool
--from templates import var_lib
--from templates import var_log
--from templates import var_run
--from templates import tmp
--from templates import rw
--from templates import network
--from templates import script
--from templates import spec
--from templates import user
-+from .templates import executable
-+from .templates import boolean
-+from .templates import etc_rw
-+from .templates import unit_file
-+from .templates import var_cache
-+from .templates import var_spool
-+from .templates import var_lib
-+from .templates import var_log
-+from .templates import var_run
-+from .templates import tmp
-+from .templates import rw
-+from .templates import network
-+from .templates import script
-+from .templates import spec
-+from .templates import user
- import sepolgen.interfaces as interfaces
- import sepolgen.defaults as defaults
- 
-diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
-index c2cb971..8956f39 100644
---- a/sepolicy/sepolicy/interface.py
-+++ b/sepolicy/sepolicy/interface.py
-@@ -192,10 +192,13 @@ def generate_compile_te(interface, idict, name="compiletest"):
- def get_xml_file(if_file):
-     """ Returns xml format of interfaces for given .if policy file"""
-     import os
--    import commands
-+    try:
-+            from commands import getstatusoutput
-+    except ImportError:
-+            from subprocess import getstatusoutput
-     basedir = os.path.dirname(if_file) + "/"
-     filename = os.path.basename(if_file).split(".")[0]
--    rc, output = commands.getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
-+    rc, output = getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
-     if rc != 0:
-         sys.stderr.write("\n Could not proceed selected interface file.\n")
-         sys.stderr.write("\n%s" % output)
-@@ -208,7 +211,10 @@ def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"
-     exclude_interfaces = ["userdom", "kernel", "corenet", "files", "dev"]
-     exclude_interface_type = ["template"]
- 
--    import commands
-+    try:
-+            from commands import getstatusoutput
-+    except ImportError:
-+            from subprocess import getstatusoutput
-     import os
-     policy_files = {'pp': "compiletest.pp", 'te': "compiletest.te", 'fc': "compiletest.fc", 'if': "compiletest.if"}
-     idict = get_interface_dict(path)
-@@ -219,7 +225,7 @@ def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"
-             fd = open(policy_files['te'], "w")
-             fd.write(generate_compile_te(interface, idict))
-             fd.close()
--            rc, output = commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
-+            rc, output = getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
-             if rc != 0:
-                 sys.stderr.write(output)
-                 sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
-diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
-index 7365f93..773a9ab 100755
---- a/sepolicy/sepolicy/manpage.py
-+++ b/sepolicy/sepolicy/manpage.py
-@@ -27,7 +27,6 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d
- import string
- import selinux
- import sepolicy
--import commands
- import os
- import time
- 
-@@ -162,7 +161,11 @@ def get_alphabet_manpages(manpage_list):
- 
- 
- def convert_manpage_to_html(html_manpage, manpage):
--    rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
-+    try:
-+            from commands import getstatusoutput
-+    except ImportError:
-+            from subprocess import getstatusoutput
-+    rc, output = getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
-     if rc == 0:
-         print(html_manpage, "has been created")
-         fd = open(html_manpage, 'w')
--- 
-2.10.2
-
diff --git a/gnu/packages/patches/python-axolotl-AES-fix.patch b/gnu/packages/patches/python-axolotl-AES-fix.patch
new file mode 100644
index 0000000000..d34f4855cb
--- /dev/null
+++ b/gnu/packages/patches/python-axolotl-AES-fix.patch
@@ -0,0 +1,24 @@
+Patch taken from the Debian package for python-axolotl-0.1.39.
+See <https://bugs.gnu.org/29415>.
+
+Description: Removes IV paramenter from AES constructor, since it is not necessary for ctr mode.
+Author: Josue Ortega <josue@debian.org>
+Last-Update: 2017-04-13
+
+--- a/axolotl/sessioncipher.py
++++ b/axolotl/sessioncipher.py
+@@ -228,13 +228,7 @@
+         # counterint = struct.unpack(">L", counterbytes)[0]
+         # counterint = int.from_bytes(counterbytes, byteorder='big')
+         ctr = Counter.new(128, initial_value=counter)
+-
+-        # cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
+-        ivBytes = bytearray(16)
+-        ByteUtil.intToByteArray(ivBytes, 0, counter)
+-
+-        cipher = AES.new(key, AES.MODE_CTR, IV=bytes(ivBytes), counter=ctr)
+-
++        cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
+         return cipher
+ 
+ 
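Review bot: With the `IV=` argument gone, the keystream built here depends only on `key` and `Counter.new(128, initial_value=counter)`, and nothing next to the `AES.new` call records what keeps that pair from repeating. CTR mode exposes the XOR of two plaintexts if a key/counter pair is ever reused, so a short comment such as `# CTR: key must be single-use per message; counter only seeds the block counter` would document the assumption (presumably the ratchet derives a fresh message key each time; confirm against the caller). The two commented-out `counterint` lines kept as context could be removed in the same change. The enclosing function starts outside the hunk.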
diff --git a/gnu/packages/patches/python-pandas-skip-failing-tests.patch b/gnu/packages/patches/python-pandas-skip-failing-tests.patch
deleted file mode 100644
index 8ac330c18f..0000000000
--- a/gnu/packages/patches/python-pandas-skip-failing-tests.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-These tests fail on 32bit architectures.
-
-Upstream bug URL: https://github.com/pandas-dev/pandas/issues/14866
-
---- a/pandas/tests/indexes/common.py	2017-03-09 00:10:26.063996176 +0100
-+++ b/pandas/tests/indexes/common.py	2017-03-09 00:10:53.152844191 +0100
-@@ -119,20 +119,6 @@
-         with tm.assertRaisesRegexp(ValueError, 'Invalid fill method'):
-             idx.get_indexer(idx, method='invalid')
- 
--    def test_ndarray_compat_properties(self):
--
--        idx = self.create_index()
--        self.assertTrue(idx.T.equals(idx))
--        self.assertTrue(idx.transpose().equals(idx))
--
--        values = idx.values
--        for prop in self._compat_props:
--            self.assertEqual(getattr(idx, prop), getattr(values, prop))
--
--        # test for validity
--        idx.nbytes
--        idx.values.nbytes
--
-     def test_repr_roundtrip(self):
- 
-         idx = self.create_index()
---- a/pandas/tools/tests/test_tile.py	2017-03-08 17:47:39.762261841 +0100
-+++ b/pandas/tools/tests/test_tile.py	2017-03-08 17:48:26.831780495 +0100
-@@ -271,19 +271,6 @@
-                                     np.array([0, 0, 1, 1], dtype=np.int8))
-         tm.assert_numpy_array_equal(bins, np.array([0, 1.5, 3]))
- 
--    def test_single_bin(self):
--        # issue 14652
--        expected = Series([0, 0])
--
--        s = Series([9., 9.])
--        result = cut(s, 1, labels=False)
--        tm.assert_series_equal(result, expected)
--
--        s = Series([-9., -9.])
--        result = cut(s, 1, labels=False)
--        tm.assert_series_equal(result, expected)
--
--
- def curpath():
-     pth, _ = os.path.split(os.path.abspath(__file__))
-     return pth
diff --git a/gnu/packages/patches/python-waitress-fix-tests.patch b/gnu/packages/patches/python-waitress-fix-tests.patch
new file mode 100644
index 0000000000..110492a604
--- /dev/null
+++ b/gnu/packages/patches/python-waitress-fix-tests.patch
@@ -0,0 +1,29 @@
+Skip test that requires getaddrinfo(), which is not available in the build
+environment.  This package uses a regexp for finding tests (see runner.py),
+so using @unittest.skip does not work.
+
+--- a/waitress/tests/test_adjustments.py
++++ b/waitress/tests/test_adjustments.py
+@@ -185,22 +185,6 @@
+     def test_bad_port(self):
+         self.assertRaises(ValueError, self._makeOne, listen='127.0.0.1:test')
+ 
+-    def test_service_port(self):
+-        if WIN and PY2: # pragma: no cover
+-            # On Windows and Python 2 this is broken, so we raise a ValueError
+-            self.assertRaises(
+-                ValueError,
+-                self._makeOne,
+-                listen='127.0.0.1:http',
+-            )
+-            return
+-
+-        inst = self._makeOne(listen='127.0.0.1:http 0.0.0.0:https')
+-
+-        bind_pairs = [sockaddr[:2] for (_, _, _, sockaddr) in inst.listen]
+-
+-        self.assertEqual(bind_pairs, [('127.0.0.1', 80), ('0.0.0.0', 443)])
+-
+     def test_dont_mix_host_port_listen(self):
+         self.assertRaises(
+             ValueError,
diff --git a/gnu/packages/patches/qtbase-use-TZDIR.patch b/gnu/packages/patches/qtbase-use-TZDIR.patch
new file mode 100644
index 0000000000..11c737d844
--- /dev/null
+++ b/gnu/packages/patches/qtbase-use-TZDIR.patch
@@ -0,0 +1,39 @@
+Use $TZDIR to search for time-zone data. Thus avoid depending on package
+"tzdata", which often introduces changes with near-immediate effects, so it's
+important to be able to update it fast.
+
+Based on a patch fron NixOS.
+===================================================================
+--- qtbase-opensource-src-5.9.4.orig/src/corelib/tools/qtimezoneprivate_tz.cpp
++++ qtbase-opensource-src-5.9.4/src/corelib/tools/qtimezoneprivate_tz.cpp
+@@ -70,7 +70,11 @@
+ // Parse zone.tab table, assume lists all installed zones, if not will need to read directories
+ static QTzTimeZoneHash loadTzTimeZones()
+ {
+-    QString path = QStringLiteral("/usr/share/zoneinfo/zone.tab");
++    // Try TZDIR first, in case we're running on GuixSD.
++    QString path = QFile::decodeName(qgetenv("TZDIR")) + QStringLiteral("/zone.tab");
++    // Fallback to traditional paths in case we are not on GuixSD.
++    if (!QFile::exists(path))
++        path = QStringLiteral("/usr/share/zoneinfo/zone.tab");
+     if (!QFile::exists(path))
+         path = QStringLiteral("/usr/lib/zoneinfo/zone.tab");
+ 
+@@ -645,6 +649,9 @@
+         if (!tzif.open(QIODevice::ReadOnly))
+             return;
+     } else {
++      // Try TZDIR first, in case we're running on GuixSD.
++      tzif.setFileName(QFile::decodeName(qgetenv("TZDIR")) + QStringLiteral("/") + QString::fromLocal8Bit(ianaId));
++      if (!tzif.open(QIODevice::ReadOnly)) {
+         // Open named tz, try modern path first, if fails try legacy path
+         tzif.setFileName(QLatin1String("/usr/share/zoneinfo/") + QString::fromLocal8Bit(ianaId));
+         if (!tzif.open(QIODevice::ReadOnly)) {
+@@ -652,6 +659,7 @@
+             if (!tzif.open(QIODevice::ReadOnly))
+                 return;
+         }
++      }
+     }
+ 
+     QDataStream ds(&tzif);
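Review bot: When `TZDIR` is unset or empty, both new lookups build a path at the filesystem root: `loadTzTimeZones()` probes `/zone.tab`, and the second hunk tries to open `"/" + ianaId` before the usual fallbacks. Guard the environment lookup, e.g. `const QByteArray tzdir = qgetenv("TZDIR");` followed by `if (!tzdir.isEmpty())` around the TZDIR attempt, so an absent variable goes straight to `/usr/share/zoneinfo`. Since `TZDIR` comes from the caller's environment, it also selects which file the TZif parser reads, which deserves a comment for programs that run with elevated privileges. The block added in the second hunk is indented by six spaces and the existing lines it now encloses are not re-indented, which hides the new nesting; both functions continue outside the hunks.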
diff --git a/gnu/packages/patches/rct-add-missing-headers.patch b/gnu/packages/patches/rct-add-missing-headers.patch
new file mode 100644
index 0000000000..4d133aa249
--- /dev/null
+++ b/gnu/packages/patches/rct-add-missing-headers.patch
@@ -0,0 +1,43 @@
+From: fis <ybbs.daans@hotmail.com>
+Date: Sat, 20 Jan 2018 07:42:38 +0800
+Subject: [PATCH] rct.cmake: Add missing headers.
+
+---
+ rct.cmake | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/rct.cmake b/rct.cmake
+index 323e7b9..3e0ac6b 100644
+--- a/rct.cmake
++++ b/rct.cmake
+@@ -339,7 +339,27 @@ if (NOT RCT_NO_INSTALL)
+     rct/Timer.h
+     rct/Value.h
+     rct/WriteLocker.h
++    rct/CpuUsage.h
++    rct/DataFile.h
++    rct/Date.h
++    rct/EmbeddedLinkedList.h
++    rct/FinishMessage.h
++    rct/Flags.h
++    rct/Hash.h
++    rct/LinkedList.h
++    rct/Map.h
++    rct/MemoryMappedFile.h
++    rct/OnDestruction.h
++    rct/QuitMessage.h
++    rct/ResponseMessage.h
++    rct/ScriptEngine.h
++    rct/StackBuffer.h
++    rct/WindowsUnicodeConversion.h
+     DESTINATION include/rct)
+
++  install(FILES
++    json/json.hpp
++    DESTINATION include/rct/json)
++
+   install(EXPORT "rct" DESTINATION lib/cmake)
+ endif ()
+--
+2.13.6
+
diff --git a/gnu/packages/patches/reposurgeon-add-missing-docbook-files.patch b/gnu/packages/patches/reposurgeon-add-missing-docbook-files.patch
new file mode 100644
index 0000000000..707d032744
--- /dev/null
+++ b/gnu/packages/patches/reposurgeon-add-missing-docbook-files.patch
@@ -0,0 +1,22 @@
+Author: Tobias Geerinckx-Rice <me@tobias.gr>
+Upstream issue: <https://gitlab.com/esr/reposurgeon/merge_requests/101>
+
+Two files required to build the documentation (including man pages) are
+not included in the latest reposurgeon release, breaking ‘make all’.
+
+Luckily, they are tiny:
+
+--- a/docbook-extra.xml	1970-01-01 01:00:00.000000000 +0100
++++ b/docbook-extra.xml	2018-01-25 00:17:18.236727017 +0100
+@@ -0,0 +1,5 @@
++<?xml version='1.0'?>
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++<xsl:param name="variablelist.term.separator"></xsl:param>
++<xsl:param name="variablelist.term.break.after">1</xsl:param>
++</xsl:stylesheet>
+diff -Naur reposurgeon-3.43/nofooter.conf reposurgeon-3.43-b/nofooter.conf
+--- a/nofooter.conf	1970-01-01 01:00:00.000000000 +0100
++++ b/nofooter.conf	2018-01-25 00:23:15.384498847 +0100
+@@ -0,0 +1,2 @@
++[footer-text]
++ 
diff --git a/gnu/packages/patches/rsync-CVE-2017-16548.patch b/gnu/packages/patches/rsync-CVE-2017-16548.patch
deleted file mode 100644
index 52a75ea241..0000000000
--- a/gnu/packages/patches/rsync-CVE-2017-16548.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-https://bugzilla.samba.org/show_bug.cgi?id=13112
-https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
-
-From 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 Mon Sep 17 00:00:00 2001
-From: Wayne Davison <wayned@samba.org>
-Date: Sun, 5 Nov 2017 11:33:15 -0800
-Subject: [PATCH] Enforce trailing \0 when receiving xattr name values. Fixes
- bug 13112.
-
----
- xattrs.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xattrs.c b/xattrs.c
-index 68305d7..4867e6f 100644
---- a/xattrs.c
-+++ b/xattrs.c
-@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file)
- 			out_of_memory("receive_xattr");
- 		name = ptr + dget_len + extra_len;
- 		read_buf(f, name, name_len);
-+		if (name_len < 1 || name[name_len-1] != '\0') {
-+			rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
-+			exit_cleanup(RERR_FILEIO);
-+		}
- 		if (dget_len == datum_len)
- 			read_buf(f, ptr, dget_len);
- 		else {
--- 
-1.9.1
-
diff --git a/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch b/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch
deleted file mode 100644
index 74bac0fc33..0000000000
--- a/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-https://git.samba.org/?p=rsync.git;a=patch;h=f5e8a17e093065fb20fea00a29540fe2c7896441
-minor edits were made to get the patch to apply
-
-From f5e8a17e093065fb20fea00a29540fe2c7896441 Mon Sep 17 00:00:00 2001
-From: Wayne Davison <wayned@samba.org>
-Date: Sun, 3 Dec 2017 15:49:56 -0800
-Subject: [PATCH] Fix issue with earlier path-check (fixes "make check") and
- make a BOOL more explicit.
-
----
- checksum.c |  2 +-
- receiver.c | 10 +++++-----
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/receiver.c b/receiver.c
-index 9c46242..75cb00d 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -574,15 +574,15 @@ int recv_files(int f_in, int f_out, char *local_name)
- 			file = dir_flist->files[cur_flist->parent_ndx];
- 		fname = local_name ? local_name : f_name(file, fbuf);
- 
--		if (daemon_filter_list.head
--		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
-+		if (DEBUG_GTE(RECV, 1))
-+			rprintf(FINFO, "recv_files(%s)\n", fname);
-+
-+		if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
-+		 && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
- 			rprintf(FERROR, "attempt to hack rsync failed.\n");
- 			exit_cleanup(RERR_PROTOCOL);
- 		}
- 
--		if (DEBUG_GTE(RECV, 1))
--			rprintf(FINFO, "recv_files(%s)\n", fname);
--
- #ifdef SUPPORT_XATTRS
- 		if (preserve_xattrs && iflags & ITEM_REPORT_XATTR && do_xfers
- 		 && !(want_xattr_optim && BITS_SET(iflags, ITEM_XNAME_FOLLOWS|ITEM_LOCAL_CHANGE)))
--- 
-1.9.1
-
diff --git a/gnu/packages/patches/rsync-CVE-2017-17433.patch b/gnu/packages/patches/rsync-CVE-2017-17433.patch
deleted file mode 100644
index 84e4067509..0000000000
--- a/gnu/packages/patches/rsync-CVE-2017-17433.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
-https://git.samba.org/?p=rsync.git;a=patch;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
-
-From 3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 Mon Sep 17 00:00:00 2001
-From: Jeriko One <jeriko.one@gmx.us>
-Date: Thu, 2 Nov 2017 23:44:19 -0700
-Subject: [PATCH] Check fname in recv_files sooner.
-
----
- receiver.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/receiver.c b/receiver.c
-index baae3a9..9fdafa1 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
- 			file = dir_flist->files[cur_flist->parent_ndx];
- 		fname = local_name ? local_name : f_name(file, fbuf);
- 
-+		if (daemon_filter_list.head
-+		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
-+			rprintf(FERROR, "attempt to hack rsync failed.\n");
-+			exit_cleanup(RERR_PROTOCOL);
-+		}
-+
- 		if (DEBUG_GTE(RECV, 1))
- 			rprintf(FINFO, "recv_files(%s)\n", fname);
- 
-@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name)
- 
- 		cleanup_got_literal = 0;
- 
--		if (daemon_filter_list.head
--		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
--			rprintf(FERROR, "attempt to hack rsync failed.\n");
--			exit_cleanup(RERR_PROTOCOL);
--		}
--
- 		if (read_batch) {
- 			int wanted = redoing
- 				   ? we_want_redo(ndx)
--- 
-1.9.1
-
diff --git a/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch b/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch
deleted file mode 100644
index 0d9298743d..0000000000
--- a/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
-https://git.samba.org/?p=rsync.git;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1
-
-From 5509597decdbd7b91994210f700329d8a35e70a1 Mon Sep 17 00:00:00 2001
-From: Jeriko One <jeriko.one@gmx.us>
-Date: Thu, 16 Nov 2017 17:26:03 -0800
-Subject: [PATCH] Check daemon filter against fnamecmp in recv_files().
-
----
- receiver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/receiver.c b/receiver.c
-index 9fdafa1..9c46242 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name)
- 				break;
- 			}
- 			if (!fnamecmp || (daemon_filter_list.head
--			  && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
-+			  && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
- 				fnamecmp = fname;
- 				fnamecmp_type = FNAMECMP_FNAME;
- 			}
--- 
-1.9.1
-
diff --git a/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch b/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch
deleted file mode 100644
index fad19d01fb..0000000000
--- a/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
-https://git.samba.org/?p=rsync.git;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
-
-From 70aeb5fddd1b2f8e143276f8d5a085db16c593b9 Mon Sep 17 00:00:00 2001
-From: Jeriko One <jeriko.one@gmx.us>
-Date: Thu, 16 Nov 2017 17:05:42 -0800
-Subject: [PATCH] Sanitize xname in read_ndx_and_attrs.
-
----
- rsync.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/rsync.c b/rsync.c
-index b82e598..a0945ba 100644
---- a/rsync.c
-+++ b/rsync.c
-@@ -49,6 +49,7 @@ extern int flist_eof;
- extern int file_old_total;
- extern int keep_dirlinks;
- extern int make_backups;
-+extern int sanitize_paths;
- extern struct file_list *cur_flist, *first_flist, *dir_flist;
- extern struct chmod_mode_struct *daemon_chmod_modes;
- #ifdef ICONV_OPTION
-@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr,
- 	if (iflags & ITEM_XNAME_FOLLOWS) {
- 		if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
- 			exit_cleanup(RERR_PROTOCOL);
-+
-+		if (sanitize_paths) {
-+			sanitize_path(buf, buf, "", 0, SP_DEFAULT);
-+			len = strlen(buf);
-+		}
- 	} else {
- 		*buf = '\0';
- 		len = -1;
--- 
-1.9.1
-
diff --git a/gnu/packages/patches/rtags-separate-rct.patch b/gnu/packages/patches/rtags-separate-rct.patch
new file mode 100644
index 0000000000..533e28b02e
--- /dev/null
+++ b/gnu/packages/patches/rtags-separate-rct.patch
@@ -0,0 +1,72 @@
+Unbundle RCT and use our own copy.
+
+--- rtags-2.16/src/CMakeLists.txt	2018-01-23 10:36:17.645855140 +0100
++++ rtags-2.16/src/CMakeLists.txt	2018-01-23 10:38:14.605234740 +0100
+@@ -105,12 +105,6 @@ if (LUA_ENABLED)
+         CMAKE_ARGS -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0 -DCMAKE_GENERATOR=${CMAKE_GENERATOR})
+ endif ()
+ 
+-set(RCT_RTTI_ENABLED 1)
+-set(RCT_NO_INSTALL 1)
+-set(RCT_NO_LIBRARY 1)
+-# Everyting which as been set either in rct/rct.cmake or rct/compiler.cmake
+-# doesn't need to be set in this file again.
+-include(rct/rct.cmake)
+ 
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wstrict-aliasing=2 -Wcast-qual -fPIC")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wstrict-aliasing=2 -Wcast-qual -fPIC")
+@@ -128,8 +122,7 @@ add_definitions(
+     "-DRTAGS_SOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR}"
+     "-DCLANG_LIBDIR=${LIBCLANG_LIBDIR}"
+     "-DCLANG_VERSION=${LIBCLANG_VERSION_STRING}"
+-    "-DOS_${CMAKE_SYSTEM_NAME}"
+-    ${RCT_DEFINITIONS})
++    "-DOS_${CMAKE_SYSTEM_NAME}")
+ 
+ if (CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
+     add_definitions(-D__LONG_LONG_SUPPORTED)
+@@ -172,8 +165,7 @@ set(RTAGS_SOURCES
+     Symbol.cpp
+     SymbolInfoJob.cpp
+     Token.cpp
+-    TokensJob.cpp
+-    ${RCT_SOURCES})
++    TokensJob.cpp)
+ 
+ if (LUA_ENABLED)
+     list(APPEND RTAGS_SOURCES AST.cpp)
+@@ -195,10 +187,10 @@ endif ()
+ 
+ include_directories(
+     ${CMAKE_CURRENT_LIST_DIR}
+-    ${RCT_INCLUDE_DIRS}
+     ${CMAKE_CURRENT_LIST_DIR}/selene/include
+     ${CMAKE_CURRENT_BINARY_DIR}/lua-prefix/src/lua-build
+-    ${CMAKE_CURRENT_LIST_DIR}/lua/src)
++    ${CMAKE_CURRENT_LIST_DIR}/lua/src
++    ${CMAKE_CURRENT_BINARY_DIR}/include)
+ 
+ if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
+     set(START_GROUP "")
+@@ -223,17 +215,17 @@ else ()
+ endif()
+ 
+ # RCT_LIBRARIES and stdc++ library must be at the end
+-set(RTAGS_LIBRARIES ${RTAGS_LIBRARIES} -lstdc++ ${RCT_LIBRARIES})
++set(RTAGS_LIBRARIES ${RTAGS_LIBRARIES} -lstdc++)
+ add_executable(rc rc.cpp)
+-target_link_libraries(rc ${RTAGS_LIBRARIES})
++target_link_libraries(rc ${RTAGS_LIBRARIES} rct)
+ 
+ add_executable(rdm rdm.cpp)
+-target_link_libraries(rdm ${RTAGS_LIBRARIES})
++target_link_libraries(rdm ${RTAGS_LIBRARIES} rct)
+ 
+ set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${PROJECT_BINARY_DIR}/bin)
+ 
+ add_executable(rp rp.cpp)
+-target_link_libraries(rp ${RTAGS_LIBRARIES})
++target_link_libraries(rp ${RTAGS_LIBRARIES} rct)
+ 
+ if (CYGWIN)
+     EnsureLibraries(rdm rct)
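Review bot: Dropping `${RCT_DEFINITIONS}` from `add_definitions(...)` means rtags is compiled without whatever preprocessor definitions the external rct was built with, while still including its headers and linking `rct`. If any of those definitions affect class layout or inline code, headers and library could disagree, so this is worth checking against the installed rct. The comment `# RCT_LIBRARIES and stdc++ library must be at the end` is now stale, because `RCT_LIBRARIES` is gone and `rct` is appended after `${RTAGS_LIBRARIES}` in each `target_link_libraries` call; something like `# rct and stdc++ must come last on the link line` would match the new code. `rct` is also linked by bare name, so it presumably resolves only when the library is on the default link path.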
diff --git a/gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch b/gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch
new file mode 100644
index 0000000000..0d0ed6b204
--- /dev/null
+++ b/gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch
@@ -0,0 +1,605 @@
+diff --git lib/rubygems.rb lib/rubygems.rb
+index 0685bcb3c6..a5a9202e56 100644
+--- ruby-2.4.3/lib/rubygems.rb
++++ ruby-2.4.3/lib/rubygems.rb
+@@ -10,7 +10,7 @@
+ require 'thread'
+ 
+ module Gem
+-  VERSION = "2.6.14"
++  VERSION = "2.6.14.1"
+ end
+ 
+ # Must be first since it unloads the prelude from 1.9.2
+diff --git lib/rubygems/commands/owner_command.rb lib/rubygems/commands/owner_command.rb
+index 4b99434e87..2ee7f84462 100644
+--- ruby-2.4.3/lib/rubygems/commands/owner_command.rb
++++ ruby-2.4.3/lib/rubygems/commands/owner_command.rb
+@@ -62,7 +62,7 @@ def show_owners name
+     end
+ 
+     with_response response do |resp|
+-      owners = YAML.load resp.body
++      owners = Gem::SafeYAML.load resp.body
+ 
+       say "Owners for gem: #{name}"
+       owners.each do |owner|
+diff --git lib/rubygems/package.rb lib/rubygems/package.rb
+index 77811ed5ec..b5a5fe2a26 100644
+--- ruby-2.4.3/lib/rubygems/package.rb
++++ ruby-2.4.3/lib/rubygems/package.rb
+@@ -378,7 +378,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc:
+             File.dirname destination
+           end
+ 
+-        FileUtils.mkdir_p mkdir, mkdir_options
++        mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
+ 
+         open destination, 'wb' do |out|
+           out.write entry.read
+@@ -416,20 +416,35 @@ def install_location filename, destination_dir # :nodoc:
+     raise Gem::Package::PathError.new(filename, destination_dir) if
+       filename.start_with? '/'
+ 
+-    destination_dir = File.realpath destination_dir if
+-      File.respond_to? :realpath
++    destination_dir = realpath destination_dir
+     destination_dir = File.expand_path destination_dir
+ 
+     destination = File.join destination_dir, filename
+     destination = File.expand_path destination
+ 
+     raise Gem::Package::PathError.new(destination, destination_dir) unless
+-      destination.start_with? destination_dir
++      destination.start_with? destination_dir + '/'
+ 
+     destination.untaint
+     destination
+   end
+ 
++  def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
++    destination_dir = realpath File.expand_path(destination_dir)
++    parts = mkdir.split(File::SEPARATOR)
++    parts.reduce do |path, basename|
++      path = realpath path  unless path == ""
++      path = File.expand_path(path + File::SEPARATOR + basename)
++      lstat = File.lstat path rescue nil
++      if !lstat || !lstat.directory?
++        unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
++          raise Gem::Package::PathError.new(file_name, destination_dir)
++        end
++      end
++      path
++    end
++  end
++
+   ##
+   # Loads a Gem::Specification from the TarEntry +entry+
+ 
+@@ -603,6 +618,10 @@ def verify_files gem
+       raise Gem::Package::FormatError.new \
+               'package content (data.tar.gz) is missing', @gem
+     end
++
++    if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
++      raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
++    end
+   end
+ 
+   ##
+@@ -616,6 +635,16 @@ def verify_gz entry # :nodoc:
+     raise Gem::Package::FormatError.new(e.message, entry.full_name)
+   end
+ 
++  if File.respond_to? :realpath
++    def realpath file
++      File.realpath file
++    end
++  else
++    def realpath file
++      file
++    end
++  end
++
+ end
+ 
+ require 'rubygems/package/digest_io'
+diff --git lib/rubygems/package/tar_header.rb lib/rubygems/package/tar_header.rb
+index c54bd14d57..d557357114 100644
+--- ruby-2.4.3/lib/rubygems/package/tar_header.rb
++++ ruby-2.4.3/lib/rubygems/package/tar_header.rb
+@@ -104,25 +104,30 @@ def self.from(stream)
+     fields = header.unpack UNPACK_FORMAT
+ 
+     new :name     => fields.shift,
+-        :mode     => fields.shift.oct,
+-        :uid      => fields.shift.oct,
+-        :gid      => fields.shift.oct,
+-        :size     => fields.shift.oct,
+-        :mtime    => fields.shift.oct,
+-        :checksum => fields.shift.oct,
++        :mode     => strict_oct(fields.shift),
++        :uid      => strict_oct(fields.shift),
++        :gid      => strict_oct(fields.shift),
++        :size     => strict_oct(fields.shift),
++        :mtime    => strict_oct(fields.shift),
++        :checksum => strict_oct(fields.shift),
+         :typeflag => fields.shift,
+         :linkname => fields.shift,
+         :magic    => fields.shift,
+-        :version  => fields.shift.oct,
++        :version  => strict_oct(fields.shift),
+         :uname    => fields.shift,
+         :gname    => fields.shift,
+-        :devmajor => fields.shift.oct,
+-        :devminor => fields.shift.oct,
++        :devmajor => strict_oct(fields.shift),
++        :devminor => strict_oct(fields.shift),
+         :prefix   => fields.shift,
+ 
+         :empty => empty
+   end
+ 
++  def self.strict_oct(str)
++    return str.oct if str =~ /\A[0-7]*\z/
++    raise ArgumentError, "#{str.inspect} is not an octal string"
++  end
++
+   ##
+   # Creates a new TarHeader using +vals+
+ 
+diff --git lib/rubygems/package/tar_writer.rb lib/rubygems/package/tar_writer.rb
+index f68b8d4c5e..390f7851a3 100644
+--- ruby-2.4.3/lib/rubygems/package/tar_writer.rb
++++ ruby-2.4.3/lib/rubygems/package/tar_writer.rb
+@@ -196,6 +196,8 @@ def add_file_signed name, mode, signer
+       digest_name == signer.digest_name
+     end
+ 
++    raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
++
+     if signer.key then
+       signature = signer.sign signature_digest.digest
+ 
+diff --git lib/rubygems/server.rb lib/rubygems/server.rb
+index df4eb566d3..a7b5243ba0 100644
+--- ruby-2.4.3/lib/rubygems/server.rb
++++ ruby-2.4.3/lib/rubygems/server.rb
+@@ -631,6 +631,18 @@ def root(req, res)
+       executables = nil if executables.empty?
+       executables.last["is_last"] = true if executables
+ 
++      # Pre-process spec homepage for safety reasons
++      begin
++        homepage_uri = URI.parse(spec.homepage)
++        if [URI::HTTP, URI::HTTPS].member? homepage_uri.class
++          homepage_uri = spec.homepage
++        else
++          homepage_uri = "."
++        end
++      rescue URI::InvalidURIError
++        homepage_uri = "."
++      end
++
+       specs << {
+         "authors"             => spec.authors.sort.join(", "),
+         "date"                => spec.date.to_s,
+@@ -640,7 +652,7 @@ def root(req, res)
+         "only_one_executable" => (executables && executables.size == 1),
+         "full_name"           => spec.full_name,
+         "has_deps"            => !deps.empty?,
+-        "homepage"            => spec.homepage,
++        "homepage"            => homepage_uri,
+         "name"                => spec.name,
+         "rdoc_installed"      => Gem::RDoc.new(spec).rdoc_installed?,
+         "ri_installed"        => Gem::RDoc.new(spec).ri_installed?,
+diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
+index 40e3a70d47..0a154b9001 100644
+--- ruby-2.4.3/lib/rubygems/specification.rb
++++ ruby-2.4.3/lib/rubygems/specification.rb
+@@ -15,6 +15,7 @@
+ require 'rubygems/stub_specification'
+ require 'rubygems/util/list'
+ require 'stringio'
++require 'uri'
+ 
+ ##
+ # The Specification class contains the information for a Gem.  Typically
+@@ -2813,10 +2814,16 @@ def validate packaging = true
+       raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
+     end
+ 
+-    if homepage and not homepage.empty? and
+-       homepage !~ /\A[a-z][a-z\d+.-]*:/i then
+-      raise Gem::InvalidSpecificationException,
+-            "\"#{homepage}\" is not a URI"
++    # Make sure a homepage is valid HTTP/HTTPS URI
++    if homepage and not homepage.empty?
++      begin
++        homepage_uri = URI.parse(homepage)
++        unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
++          raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
++        end
++      rescue URI::InvalidURIError
++        raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
++      end
+     end
+ 
+     # Warnings
+diff --git test/rubygems/test_gem_commands_owner_command.rb test/rubygems/test_gem_commands_owner_command.rb
+index 44652c1093..53cac4ce87 100644
+--- ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb
++++ ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb
+@@ -43,6 +43,31 @@ def test_show_owners
+     assert_match %r{- 4}, @ui.output
+   end
+ 
++  def test_show_owners_dont_load_objects
++    skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
++
++    response = <<EOF
++---
++- email: !ruby/object:Object {}
++  id: 1
++  handle: user1
++- email: user2@example.com
++- id: 3
++  handle: user3
++- id: 4
++EOF
++
++    @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
++
++    assert_raises Psych::DisallowedClass do
++      use_ui @ui do
++        @cmd.show_owners("freewill")
++      end
++    end
++
++  end
++
++
+   def test_show_owners_setting_up_host_through_env_var
+     response = "- email: user1@example.com\n"
+     host = "http://rubygems.example"
+diff --git test/rubygems/test_gem_package.rb test/rubygems/test_gem_package.rb
+index 9d47f0dea4..5b93475314 100644
+--- ruby-2.4.3/test/rubygems/test_gem_package.rb
++++ ruby-2.4.3/test/rubygems/test_gem_package.rb
+@@ -455,6 +455,31 @@ def test_extract_tar_gz_symlink_relative_path
+                  File.read(extracted)
+   end
+ 
++  def test_extract_symlink_parent
++   skip 'symlink not supported' if Gem.win_platform?
++
++   package = Gem::Package.new @gem
++
++   tgz_io = util_tar_gz do |tar|
++     tar.mkdir       'lib',               0755
++     tar.add_symlink 'lib/link', '../..', 0644
++     tar.add_file    'lib/link/outside.txt', 0644 do |io| io.write 'hi' end
++   end
++
++   # Extract into a subdirectory of @destination; if this test fails it writes
++   # a file outside destination_subdir, but we want the file to remain inside
++   # @destination so it will be cleaned up.
++   destination_subdir = File.join @destination, 'subdir'
++   FileUtils.mkdir_p destination_subdir
++
++   e = assert_raises Gem::Package::PathError do
++     package.extract_tar_gz tgz_io, destination_subdir
++   end
++
++   assert_equal("installing into parent path lib/link/outside.txt of " +
++                 "#{destination_subdir} is not allowed", e.message)
++  end
++
+   def test_extract_tar_gz_directory
+     package = Gem::Package.new @gem
+ 
+@@ -566,6 +591,21 @@ def test_install_location_relative
+                  "#{@destination} is not allowed", e.message)
+   end
+ 
++  def test_install_location_suffix
++    package = Gem::Package.new @gem
++
++    filename = "../#{File.basename(@destination)}suffix.rb"
++
++    e = assert_raises Gem::Package::PathError do
++      package.install_location filename, @destination
++    end
++
++    parent = File.expand_path File.join @destination, filename
++
++    assert_equal("installing into parent path #{parent} of " +
++                 "#{@destination} is not allowed", e.message)
++  end
++
+   def test_load_spec
+     entry = StringIO.new Gem.gzip @spec.to_yaml
+     def entry.full_name() 'metadata.gz' end
+@@ -723,6 +763,32 @@ def test_verify_nonexistent
+     assert_match %r%nonexistent.gem$%,           e.message
+   end
+ 
++  def test_verify_duplicate_file
++    FileUtils.mkdir_p 'lib'
++    FileUtils.touch 'lib/code.rb'
++
++    build = Gem::Package.new @gem
++    build.spec = @spec
++    build.setup_signer
++    open @gem, 'wb' do |gem_io|
++      Gem::Package::TarWriter.new gem_io do |gem|
++        build.add_metadata gem
++        build.add_contents gem
++
++        gem.add_file_simple 'a.sig', 0444, 0
++        gem.add_file_simple 'a.sig', 0444, 0
++      end
++    end
++
++    package = Gem::Package.new @gem
++
++    e = assert_raises Gem::Security::Exception do
++      package.verify
++    end
++
++    assert_equal 'duplicate files in the package: ("a.sig")', e.message
++  end
++
+   def test_verify_security_policy
+     skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+ 
+@@ -780,7 +846,13 @@ def test_verify_security_policy_checksum_missing
+ 
+         # write bogus data.tar.gz to foil signature
+         bogus_data = Gem.gzip 'hello'
+-        gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io|
++        fake_signer = Class.new do
++          def digest_name; 'SHA512'; end
++          def digest_algorithm; Digest(:SHA512); end
++          def key; 'key'; end
++          def sign(*); 'fake_sig'; end
++        end
++        gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io|
+           io.write bogus_data
+         end
+ 
+diff --git test/rubygems/test_gem_package_tar_header.rb test/rubygems/test_gem_package_tar_header.rb
+index d33877057d..43f508df45 100644
+--- ruby-2.4.3/test/rubygems/test_gem_package_tar_header.rb
++++ ruby-2.4.3/test/rubygems/test_gem_package_tar_header.rb
+@@ -143,5 +143,26 @@ def test_update_checksum
+     assert_equal '012467', @tar_header.checksum
+   end
+ 
++  def test_from_bad_octal
++    test_cases = [
++      "00000006,44\000", # bogus character
++      "00000006789\000", # non-octal digit
++      "+0000001234\000", # positive sign
++      "-0000001000\000", # negative sign
++      "0x000123abc\000", # radix prefix
++    ]
++
++    test_cases.each do |val|
++      header_s = @tar_header.to_s
++      # overwrite the size field
++      header_s[124, 12] = val
++      io = TempIO.new header_s
++      assert_raises ArgumentError do
++        new_header = Gem::Package::TarHeader.from io
++      end
++      io.close! if io.respond_to? :close!
++    end
++  end
++
+ end
+ 
+diff --git test/rubygems/test_gem_server.rb test/rubygems/test_gem_server.rb
+index 4873fac5b6..96ed9194e9 100644
+--- ruby-2.4.3/test/rubygems/test_gem_server.rb
++++ ruby-2.4.3/test/rubygems/test_gem_server.rb
+@@ -336,6 +336,171 @@ def test_root_gemdirs
+     assert_match 'z 9', @res.body
+   end
+ 
++
++  def test_xss_homepage_fix_289313
++    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
++    dir = "#{@gemhome}2"
++
++    spec = util_spec 'xsshomepagegem', 1
++    spec.homepage = "javascript:confirm(document.domain)"
++
++    specs_dir = File.join dir, 'specifications'
++    FileUtils.mkdir_p specs_dir
++
++    open File.join(specs_dir, spec.spec_name), 'w' do |io|
++      io.write spec.to_ruby
++    end
++
++    server = Gem::Server.new dir, process_based_port, false
++
++    @req.parse data
++
++    server.root @req, @res
++
++    assert_equal 200, @res.status
++    assert_match 'xsshomepagegem 1', @res.body
++
++    # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a 
++    # valid HTTP/HTTPS URL and could be unsafe in an HTML context.  We would prefer to throw an exception here,
++    # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be 
++    # validated in future versions of Gem::Specification.
++    #
++    # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
++    #
++    # Variant #1 - rdoc not installed
++    #
++    #   <b>xsshomepagegem 1</b>
++    #
++    #
++    #  <span title="rdoc not installed">[rdoc]</span>
++    #
++    #
++    #
++    #  <a href="." title=".">[www]</a>
++    #
++    # Variant #2 - rdoc installed
++    #
++    #   <b>xsshomepagegem 1</b>
++    #
++    #
++    #  <a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>
++    #
++    #
++    #
++    #  <a href="." title=".">[www]</a>
++    regex_match = /xsshomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
++    assert_match regex_match, @res.body
++  end
++
++  def test_invalid_homepage
++    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
++    dir = "#{@gemhome}2"
++
++    spec = util_spec 'invalidhomepagegem', 1
++    spec.homepage = "notavalidhomepageurl"
++
++    specs_dir = File.join dir, 'specifications'
++    FileUtils.mkdir_p specs_dir
++
++    open File.join(specs_dir, spec.spec_name), 'w' do |io|
++      io.write spec.to_ruby
++    end
++
++    server = Gem::Server.new dir, process_based_port, false
++
++    @req.parse data
++
++    server.root @req, @res
++
++    assert_equal 200, @res.status
++    assert_match 'invalidhomepagegem 1', @res.body
++
++    # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a 
++    # valid HTTP/HTTPS URL and could be unsafe in an HTML context.  We would prefer to throw an exception here,
++    # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be 
++    # validated in future versions of Gem::Specification.
++    #
++    # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
++    #
++    # Variant #1 - rdoc not installed
++    #
++    #   <b>invalidhomepagegem 1</b>
++    #
++    #
++    #  <span title="rdoc not installed">[rdoc]</span>
++    #
++    #
++    #
++    #  <a href="." title=".">[www]</a>
++    #
++    # Variant #2 - rdoc installed
++    #
++    #   <b>invalidhomepagegem 1</b>
++    #
++    #
++    #  <a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>
++    #
++    #
++    #
++    #  <a href="." title=".">[www]</a>
++    regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
++    assert_match regex_match, @res.body
++  end
++
++  def test_valid_homepage_http
++    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
++    dir = "#{@gemhome}2"
++
++    spec = util_spec 'validhomepagegemhttp', 1
++    spec.homepage = "http://rubygems.org"
++
++    specs_dir = File.join dir, 'specifications'
++    FileUtils.mkdir_p specs_dir
++
++    open File.join(specs_dir, spec.spec_name), 'w' do |io|
++      io.write spec.to_ruby
++    end
++
++    server = Gem::Server.new dir, process_based_port, false
++
++    @req.parse data
++
++    server.root @req, @res
++
++    assert_equal 200, @res.status
++    assert_match 'validhomepagegemhttp 1', @res.body
++
++    regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttp-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="http:\/\/rubygems\.org" title="http:\/\/rubygems\.org">\[www\]<\/a>/
++    assert_match regex_match, @res.body
++  end
++
++  def test_valid_homepage_https
++    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
++    dir = "#{@gemhome}2"
++
++    spec = util_spec 'validhomepagegemhttps', 1
++    spec.homepage = "https://rubygems.org"
++
++    specs_dir = File.join dir, 'specifications'
++    FileUtils.mkdir_p specs_dir
++
++    open File.join(specs_dir, spec.spec_name), 'w' do |io|
++      io.write spec.to_ruby
++    end
++
++    server = Gem::Server.new dir, process_based_port, false
++
++    @req.parse data
++
++    server.root @req, @res
++
++    assert_equal 200, @res.status
++    assert_match 'validhomepagegemhttps 1', @res.body
++
++    regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttps-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="https:\/\/rubygems\.org" title="https:\/\/rubygems\.org">\[www\]<\/a>/
++    assert_match regex_match, @res.body
++  end
++
+   def test_specs
+     data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n"
+     @req.parse data
+diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
+index 0fcc11e78f..1c68826fb3 100644
+--- ruby-2.4.3/test/rubygems/test_gem_specification.rb
++++ ruby-2.4.3/test/rubygems/test_gem_specification.rb
+@@ -2890,7 +2890,22 @@ def test_validate_homepage
+         @a1.validate
+       end
+ 
+-      assert_equal '"over at my cool site" is not a URI', e.message
++      assert_equal '"over at my cool site" is not a valid HTTP URI', e.message
++
++      @a1.homepage = 'ftp://rubygems.org'
++
++      e = assert_raises Gem::InvalidSpecificationException do
++        @a1.validate
++      end
++
++      assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message
++
++      @a1.homepage = 'http://rubygems.org'
++      assert_equal true, @a1.validate
++
++      @a1.homepage = 'https://rubygems.org'
++      assert_equal true, @a1.validate
++
+     end
+   end
+ 
diff --git a/gnu/packages/patches/shepherd-herd-status-sorted.patch b/gnu/packages/patches/shepherd-herd-status-sorted.patch
new file mode 100644
index 0000000000..c6b9d870eb
--- /dev/null
+++ b/gnu/packages/patches/shepherd-herd-status-sorted.patch
@@ -0,0 +1,79 @@
+From cc9564586729a5bb90dd5d2722b543fdde9ab821 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
+Date: Sun, 4 Feb 2018 21:56:36 +0100
+Subject: [PATCH] herd: 'herd status' now sorts the result.
+
+Partly fixes <https://bugs.gnu.org/30299>.
+Reported by Mark H Weaver <mhw@netris.org>.
+
+Previously 'tests/basic.sh' could occasionally fail on:
+
+  test "`$herd status`" == "$pristine_status"
+
+because the order of stopped services were not always the same.  Indeed,
+those services come from 'service-list' on the shepherd side, which uses
+'hash-fold' to traverse the service hash table, and the traversal order
+of 'hash-fold' is undefined.
+
+* modules/shepherd/scripts/herd.scm (display-status-summary)[service<?]:
+New procedure.
+[display-services]: Call 'sort' and use the above.
+---
+ modules/shepherd/scripts/herd.scm | 8 ++++++--
+ modules/shepherd/service.scm      | 5 +++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/modules/shepherd/scripts/herd.scm b/modules/shepherd/scripts/herd.scm
+index ebcd1e1..697446c 100644
+--- a/modules/shepherd/scripts/herd.scm
++++ b/modules/shepherd/scripts/herd.scm
+@@ -1,5 +1,5 @@
+ ;; herd.scm -- The program to herd the Shepherd.
+-;; Copyright (C) 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
++;; Copyright (C) 2013, 2014, 2016, 2018 Ludovic Courtès <ludo@gnu.org>
+ ;; Copyright (C) 2002, 2003 Wolfgang Jährling <wolfgang@pro-linux.de>
+ ;;
+ ;; This file is part of the GNU Shepherd.
+@@ -46,13 +46,17 @@ of pairs."
+ 
+ (define (display-status-summary services)
+   "Display a summary of the status of all of SERVICES."
++  (define (service<? service1 service2)
++    (string<? (symbol->string (service-canonical-name service1))
++              (symbol->string (service-canonical-name service2))))
++
+   (define (display-services header bullet services)
+     (unless (null? services)
+       (display header)
+       (for-each (lambda (service)
+                   (format #t " ~a ~a~%" bullet
+                           (service-canonical-name service)))
+-                services)))
++                (sort services service<?))))      ;get deterministic output
+   (call-with-values
+       (lambda ()
+         (partition (match-lambda
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index 0ad28a0..83600e4 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -1,5 +1,5 @@
+ ;; service.scm -- Representation of services.
+-;; Copyright (C) 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
++;; Copyright (C) 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
+ ;; Copyright (C) 2002, 2003 Wolfgang Järling <wolfgang@pro-linux.de>
+ ;; Copyright (C) 2014 Alex Sassmannshausen <alex.sassmannshausen@gmail.com>
+ ;; Copyright (C) 2016 Alex Kost <alezost@gmail.com>
+@@ -949,7 +949,8 @@ Return #f if service is not found."
+                  %services))
+ 
+ (define (service-list)
+-  "Return the list of services currently defined."
++  "Return the list of services currently defined.  Note: The order of the list
++returned in unspecified."
+   (hash-fold (lambda (name services result)
+                (let ((service (lookup-canonical-service name services)))
+                  (if service
+-- 
+2.16.1
+
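Review bot: The docstring this patch adds to `service-list` (the embedded service.scm hunk) ends with "returned in unspecified", which is a typo for `returned is unspecified."`. The embedded commit log also lists only herd.scm under its changes, although the diffstat and the second hunk show service.scm being modified too, so a `* modules/shepherd/service.scm (service-list): Update docstring.` entry would make the record complete. The file looks like a verbatim copy of an upstream commit (it carries a `From cc95…` mail header), so both corrections probably belong upstream and should be picked up when the patch is refreshed, rather than edited here. The bodies of `display-status-summary` and `service-list` continue outside the embedded hunks, so the rest of those procedures was not reviewed.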
diff --git a/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch b/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
deleted file mode 100644
index 4092261f75..0000000000
--- a/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 49d83e24a8e66977056fc9920812265c16806500 Mon Sep 17 00:00:00 2001
-From: carolili <carolili@iki.fi>
-Date: Thu, 9 Feb 2017 19:24:49 +0000
-Subject: [PATCH] Removing contribs
-
----
- configure.ac | 22 ----------------------
- 1 file changed, 22 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 1cf1051..5d76b44 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -435,28 +435,6 @@ dnl All slurm Makefiles:
- 
- AC_CONFIG_FILES([Makefile
- 		 auxdir/Makefile
--		 contribs/Makefile
--		 contribs/cray/Makefile
--		 contribs/cray/csm/Makefile
--		 contribs/lua/Makefile
--		 contribs/mic/Makefile
--		 contribs/pam/Makefile
--		 contribs/pam_slurm_adopt/Makefile
--		 contribs/perlapi/Makefile
--		 contribs/perlapi/libslurm/Makefile
--		 contribs/perlapi/libslurm/perl/Makefile.PL
--		 contribs/perlapi/libslurmdb/Makefile
--		 contribs/perlapi/libslurmdb/perl/Makefile.PL
--		 contribs/seff/Makefile
--		 contribs/torque/Makefile
--		 contribs/openlava/Makefile
--		 contribs/phpext/Makefile
--		 contribs/phpext/slurm_php/config.m4
--		 contribs/sgather/Makefile
--		 contribs/sgi/Makefile
--		 contribs/sjobexit/Makefile
--		 contribs/slurmdb-direct/Makefile
--		 contribs/pmi2/Makefile
- 		 doc/Makefile
- 		 doc/man/Makefile
- 		 doc/man/man1/Makefile
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/webkitgtk-mitigate-spectre.patch b/gnu/packages/patches/webkitgtk-mitigate-spectre.patch
deleted file mode 100644
index 3d983ede66..0000000000
--- a/gnu/packages/patches/webkitgtk-mitigate-spectre.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-Disable SharedArrayBuffers to mitigate Spectre.  Based on:
-
-  https://trac.webkit.org/changeset/226386/webkit
-
-Backported to webkitgtk-2.18.4 by Mark H Weaver <mhw@netris.org>
-
-
---- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h.orig	2017-12-19 02:23:07.000000000 -0500
-+++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h	2018-01-06 19:28:55.985066986 -0500
-@@ -338,8 +338,10 @@
-     WriteBarrier<Structure> m_moduleLoaderStructure;
-     WriteBarrier<JSArrayBufferPrototype> m_arrayBufferPrototype;
-     WriteBarrier<Structure> m_arrayBufferStructure;
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-     WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
-     WriteBarrier<Structure> m_sharedArrayBufferStructure;
-+#endif
- 
- #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
-     WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
-@@ -670,8 +672,13 @@
-         switch (sharingMode) {
-         case ArrayBufferSharingMode::Default:
-             return m_arrayBufferPrototype.get();
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-         case ArrayBufferSharingMode::Shared:
-             return m_sharedArrayBufferPrototype.get();
-+#else
-+        default:
-+            return m_arrayBufferPrototype.get();
-+#endif
-         }
-     }
-     Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
-@@ -679,8 +686,13 @@
-         switch (sharingMode) {
-         case ArrayBufferSharingMode::Default:
-             return m_arrayBufferStructure.get();
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-         case ArrayBufferSharingMode::Shared:
-             return m_sharedArrayBufferStructure.get();
-+#else
-+        default:
-+            return m_arrayBufferStructure.get();
-+#endif
-         }
-         RELEASE_ASSERT_NOT_REACHED();
-         return nullptr;
---- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp.orig	2017-12-19 02:23:07.000000000 -0500
-+++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp	2018-01-06 19:27:16.628574304 -0500
-@@ -574,8 +574,10 @@
-     
-     m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
-     m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get()));
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-     m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
-     m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
-+#endif
- 
-     m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
-     m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
-@@ -620,10 +622,11 @@
-     
-     JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
-     m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum);
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-     JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
-     sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
-     m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum);
--    
-+#endif
- #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
- capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
- m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
-@@ -686,7 +689,9 @@
-     putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly);
- 
-     putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-     putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum);
-+#endif
- 
- #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
- putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
-@@ -1288,8 +1293,10 @@
-     
-     visitor.append(thisObject->m_arrayBufferPrototype);
-     visitor.append(thisObject->m_arrayBufferStructure);
-+#if ENABLE(SHARED_ARRAY_BUFFER)
-     visitor.append(thisObject->m_sharedArrayBufferPrototype);
-     visitor.append(thisObject->m_sharedArrayBufferStructure);
-+#endif
- 
- #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
-     visitor.append(thisObject->m_ ## lowerName ## Prototype); \
---- webkitgtk-2.18.4/Source/WTF/wtf/Platform.h.orig	2017-10-16 08:18:56.000000000 -0400
-+++ webkitgtk-2.18.4/Source/WTF/wtf/Platform.h	2018-01-06 19:29:52.897349199 -0500
-@@ -1190,6 +1190,9 @@
- #define HAVE_NS_ACTIVITY 1
- #endif
- 
-+/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
-+#define ENABLE_SHARED_ARRAY_BUFFER 0
-+
- #if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO)))
- #undef ENABLE_OPENTYPE_MATH
- #define ENABLE_OPENTYPE_MATH 1
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
deleted file mode 100644
index 9ae02103e7..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5974.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Fix CVE-2017-5974:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         /* override sizes/offsets with zip64 values for largefile support */
-         zzip_extra_zip64 *block = (zzip_extra_zip64 *)
-             zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
--        if (block)
-+        if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
-         {
--            item->zz_usize = __zzip_get64(block->z_usize);
--            item->zz_csize = __zzip_get64(block->z_csize);
--            item->zz_offset = __zzip_get64(block->z_offset);
--            item->zz_diskstart = __zzip_get32(block->z_diskstart);
-+            item->zz_usize = ZZIP_GET64(block->z_usize);
-+            item->zz_csize = ZZIP_GET64(block->z_csize);
-+            item->zz_offset = ZZIP_GET64(block->z_offset);
-+            item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
-         }
-     }
-     /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
deleted file mode 100644
index fad174b056..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5975.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Fix CVE-2017-5975:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         return 0;               /* errno=ENOMEM; */
-     ___ struct zzip_file_header *header =
-         zzip_disk_entry_to_file_header(disk, entry);
-+    if (!header)
-+	{ free(item); return 0; }
-     /*  there is a number of duplicated information in the file header
-      *  or the disk entry block. Theoretically some part may be missing
-      *  that exists in the other, ... but we will prefer the disk entry.
-Index: zziplib-0.13.62/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/mmapped.c
-+++ zziplib-0.13.62/zzip/mmapped.c
-@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
-         (disk->buffer + zzip_disk_entry_fileoffset(entry));
-     if (disk->buffer > file_header || file_header >= disk->endbuf)
-         return 0;
-+    if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
-+        return 0;
-     return (struct zzip_file_header *) file_header;
- }
- 
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
deleted file mode 100644
index 17fc30e302..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5976.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2017-5976:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         {
-             void *mem = malloc(ext1 + 2);
-             item->zz_ext[1] = mem;
-+	    item->zz_extlen[1] = ext1 + 2;
-             memcpy(mem, ptr1, ext1);
-             ((char *) (mem))[ext1 + 0] = 0;
-             ((char *) (mem))[ext1 + 1] = 0;
-@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         {
-             void *mem = malloc(ext2 + 2);
-             item->zz_ext[2] = mem;
-+	    item->zz_extlen[2] = ext2 + 2;
-             memcpy(mem, ptr2, ext2);
-             ((char *) (mem))[ext2 + 0] = 0;
-             ((char *) (mem))[ext2 + 1] = 0;
-@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
-     while (1)
-     {
-         ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
--        if (ext)
-+        if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
-         {
-+	    char *endblock = (char *)ext + entry->zz_extlen[i];
-+
-             while (*(short *) (ext->z_datatype))
-             {
-                 if (datatype == zzip_extra_block_get_datatype(ext))
-@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
-                 e += zzip_extra_block_headerlength;
-                 e += zzip_extra_block_get_datasize(ext);
-                 ext = (void *) e;
-+		if (e >= endblock)
-+		{
-+		    break;
-+		}
-                 ____;
-             }
-         }
-Index: zziplib-0.13.62/zzip/memdisk.h
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.h
-+++ zziplib-0.13.62/zzip/memdisk.h
-@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
-     int              zz_filetype;  /* (from "z_filetype") */
-     char*            zz_comment;   /* zero-terminated (from "comment") */
-     ZZIP_EXTRA_BLOCK* zz_ext[3];   /* terminated by null in z_datatype */
-+    int              zz_extlen[3]; /* length of zz_ext[i] in bytes */
- };                                 /* the extra blocks are NOT converted */
- 
- #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
deleted file mode 100644
index 452b14f804..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5978.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2017-5978:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-      *  that exists in the other, ... but we will prefer the disk entry.
-      */
-     item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
--    item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
-+    item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
-     item->zz_data = zzip_file_header_to_data(header);
-     item->zz_flags = zzip_disk_entry_get_flags(entry);
-     item->zz_compr = zzip_disk_entry_get_compr(entry);
-@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         int /*            */ ext2 = zzip_file_header_get_extras(header);
-         char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
- 
--        if (ext1)
-+        if (ext1 && ((ptr1 + ext1) < disk->endbuf))
-         {
-             void *mem = malloc(ext1 + 2);
-             item->zz_ext[1] = mem;
-@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-             ((char *) (mem))[ext1 + 0] = 0;
-             ((char *) (mem))[ext1 + 1] = 0;
-         }
--        if (ext2)
-+        if (ext2 && ((ptr2 + ext2) < disk->endbuf))
-         {
-             void *mem = malloc(ext2 + 2);
-             item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
deleted file mode 100644
index b38f50b172..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5979.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5979:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
-         return 0;
-     /* we read out chunks of 8 KiB in the hope to match disk granularity */
-     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
--    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
-+    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
-     if (! entry)
-         return 0;
-     ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
deleted file mode 100644
index ed82cb3b91..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5981.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5981:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
-
-Patch copied from Debian.
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
-             } else
-                 continue;
- 
--            assert(0 <= root && root < mapsize);
-+	    if (root < 0 || root >= mapsize)
-+	        goto error;
-             if (fseeko(disk, root, SEEK_SET) == -1)
-                 goto error;
-             if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)