summary refs log tree commit diff
path: root/gnu/packages
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/admin.scm2
-rw-r--r--gnu/packages/aidc.scm24
-rw-r--r--gnu/packages/audio.scm28
-rw-r--r--gnu/packages/backup.scm2
-rw-r--r--gnu/packages/bioinformatics.scm64
-rw-r--r--gnu/packages/calendar.scm2
-rw-r--r--gnu/packages/check.scm47
-rw-r--r--gnu/packages/compression.scm27
-rw-r--r--gnu/packages/cran.scm32
-rw-r--r--gnu/packages/databases.scm15
-rw-r--r--gnu/packages/dav.scm4
-rw-r--r--gnu/packages/disk.scm2
-rw-r--r--gnu/packages/display-managers.scm16
-rw-r--r--gnu/packages/djvu.scm8
-rw-r--r--gnu/packages/dns.scm4
-rw-r--r--gnu/packages/documentation.scm2
-rw-r--r--gnu/packages/emacs.scm153
-rw-r--r--gnu/packages/embedded.scm4
-rw-r--r--gnu/packages/engineering.scm1
-rw-r--r--gnu/packages/enlightenment.scm8
-rw-r--r--gnu/packages/finance.scm7
-rw-r--r--gnu/packages/fltk.scm2
-rw-r--r--gnu/packages/fonts.scm4
-rw-r--r--gnu/packages/freedesktop.scm2
-rw-r--r--gnu/packages/ftp.scm11
-rw-r--r--gnu/packages/game-development.scm14
-rw-r--r--gnu/packages/games.scm12
-rw-r--r--gnu/packages/gd.scm20
-rw-r--r--gnu/packages/gimp.scm4
-rw-r--r--gnu/packages/gnome.scm10
-rw-r--r--gnu/packages/gnunet.scm2
-rw-r--r--gnu/packages/gnupg.scm52
-rw-r--r--gnu/packages/gnustep.scm2
-rw-r--r--gnu/packages/gtk.scm2
-rw-r--r--gnu/packages/guile.scm2
-rw-r--r--gnu/packages/hexedit.scm2
-rw-r--r--gnu/packages/image.scm4
-rw-r--r--gnu/packages/imagemagick.scm5
-rw-r--r--gnu/packages/java.scm27
-rw-r--r--gnu/packages/javascript.scm12
-rw-r--r--gnu/packages/jemalloc.scm8
-rw-r--r--gnu/packages/kde-frameworks.scm26
-rw-r--r--gnu/packages/kde.scm8
-rw-r--r--gnu/packages/ldc.scm4
-rw-r--r--gnu/packages/linux.scm12
-rw-r--r--gnu/packages/mail.scm4
-rw-r--r--gnu/packages/maths.scm177
-rw-r--r--gnu/packages/messaging.scm4
-rw-r--r--gnu/packages/microcom.scm2
-rw-r--r--gnu/packages/music.scm96
-rw-r--r--gnu/packages/nano.scm4
-rw-r--r--gnu/packages/networking.scm2
-rw-r--r--gnu/packages/ocaml.scm40
-rw-r--r--gnu/packages/package-management.scm30
-rw-r--r--gnu/packages/patches/gd-CVE-2017-7890.patch30
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch195
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch179
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-0663.patch53
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7375.patch45
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7376.patch41
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch130
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch319
-rw-r--r--gnu/packages/patches/libzip-CVE-2017-12858.patch45
-rw-r--r--gnu/packages/patches/metabat-fix-boost-issue.patch27
-rw-r--r--gnu/packages/patches/metabat-remove-compilation-date.patch16
-rw-r--r--gnu/packages/patches/multiqc-fix-git-subprocess-error.patch16
-rw-r--r--gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch29
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-10664.patch27
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-10806.patch38
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-10911.patch106
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-11334.patch52
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-11434.patch25
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-12809.patch38
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-7493.patch182
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8112.patch41
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8309.patch46
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8379.patch98
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8380.patch53
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-9524.patch287
-rw-r--r--gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch355
-rw-r--r--gnu/packages/patches/ruby-2.3.4-rubygems-2613-ruby23.patch355
-rw-r--r--gnu/packages/patches/ruby-rubygems-2612-ruby24.patch437
-rw-r--r--gnu/packages/patches/ruby-rubygems-2613-ruby24.patch355
-rw-r--r--gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch2
-rw-r--r--gnu/packages/patches/wxwidgets-fix-windowGTK.patch18
-rw-r--r--gnu/packages/perl.scm14
-rw-r--r--gnu/packages/php.scm17
-rw-r--r--gnu/packages/python.scm306
-rw-r--r--gnu/packages/ruby.scm7
-rw-r--r--gnu/packages/screen.scm4
-rw-r--r--gnu/packages/search.scm10
-rw-r--r--gnu/packages/serialization.scm8
-rw-r--r--gnu/packages/shells.scm2
-rw-r--r--gnu/packages/shellutils.scm35
-rw-r--r--gnu/packages/statistics.scm146
-rw-r--r--gnu/packages/tcl.scm6
-rw-r--r--gnu/packages/tex.scm20
-rw-r--r--gnu/packages/textutils.scm2
-rw-r--r--gnu/packages/tls.scm4
-rw-r--r--gnu/packages/video.scm48
-rw-r--r--gnu/packages/virtualization.scm18
-rw-r--r--gnu/packages/w3m.scm2
-rw-r--r--gnu/packages/web-browsers.scm2
-rw-r--r--gnu/packages/web.scm76
-rw-r--r--gnu/packages/wine.scm4
-rw-r--r--gnu/packages/wxwidgets.scm6
-rw-r--r--gnu/packages/xfce.scm2
-rw-r--r--gnu/packages/xml.scm31
-rw-r--r--gnu/packages/xorg.scm17
109 files changed, 3976 insertions, 1509 deletions
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index fb7fcd6c4b..ea71de6f57 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1832,7 +1832,7 @@ the status of your battery in the system tray.")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "git://github.com/TrilbyWhite/interrobang")
+                      (url "https://github.com/TrilbyWhite/interrobang")
                       (commit commit)))
                 (file-name (string-append name "-" version))
                 (sha256
diff --git a/gnu/packages/aidc.scm b/gnu/packages/aidc.scm
index 0864aa6490..fa4555ede6 100644
--- a/gnu/packages/aidc.scm
+++ b/gnu/packages/aidc.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 John Darringon <jmd@gnu.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -69,3 +70,26 @@ a mobile phone with CCD.  The capacity of QR Code is up to 7000 digits or 4000
 characters, and is highly robust.")
     (license license:lgpl2.1+)
     (home-page "https://fukuchi.org/works/qrencode")))
+
+(define-public libdmtx
+  (package
+    (name "libdmtx")
+    (version "0.7.4")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "mirror://sourceforge/libdmtx/" name "/" version "/"
+             name "-" version ".tar.bz2"))
+       (sha256
+        (base32 "0xnxx075ycy58n92yfda2z9zgd41h3d4ik5d9l197lzsqim5hb5n"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (home-page "http://libdmtx.sourceforge.net/")
+    (synopsis "Library for reading and writing Data Matrix 2D barcodes")
+    (description "libdmtx is open source software for reading and writing Data
+Matrix 2D barcodes on Linux and Unix.  At its core libdmtx is a shared
+library, allowing C/C++ programs to use its capabilities without restrictions
+or overhead.")
+    (license license:bsd-3)))
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 40700cae3d..16bca3b6b3 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -190,7 +190,7 @@ streams from live audio.")
     (source (origin
               (method git-fetch)
               (uri (git-reference
-                    (url "git://git.ardour.org/ardour/ardour.git")
+                    (url "https://git.ardour.org/ardour/ardour.git")
                     (commit version)))
               (snippet
                ;; Ardour expects this file to exist at build time.  The revision
@@ -2906,3 +2906,29 @@ code, used in @code{libtoxcore}.")
 06.10 RPE-LTP lossy speech compression algorithm.")
     (home-page "http://quut.com/gsm/")
     (license (license:non-copyleft "file://COPYRIGHT"))))
+
+(define-public python-pyalsaaudio
+  (package
+    (name "python-pyalsaaudio")
+    (version "0.8.4")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "pyalsaaudio" version))
+              (sha256
+               (base32
+                "1180ypn9596rq4b7y7dyv627j1q0fqilmkkrckclnzsdakdgis44"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f))                   ; tests require access to ALSA devices.
+    (inputs
+     `(("alsa-lib" ,alsa-lib)))
+    (home-page "http://larsimmisch.github.io/pyalsaaudio/")
+    (synopsis "ALSA wrappers for Python")
+    (description
+     "This package contains wrappers for accessing the ALSA API from Python.
+It is currently fairly complete for PCM devices, and has some support for
+mixers.")
+    (license license:psfl)))
+
+(define-public python2-pyalsaaudio
+  (package-with-python2 python-pyalsaaudio))
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 157b6a7cc5..eca69bebed 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index c5157046ab..1f1b686c71 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -3475,7 +3475,7 @@ form of assemblies or reads.")
 (define-public metabat
   (package
     (name "metabat")
-    (version "2.11.2")
+    (version "2.12.1")
     (source
      (origin
        (method url-fetch)
@@ -3484,10 +3484,8 @@ form of assemblies or reads.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0rws9r1ziv6way8cf49jg8bzj7x2131kfqkhj8byf0z5hnrq3bwv"))
-       (patches (search-patches "metabat-remove-compilation-date.patch"
-                                "metabat-fix-compilation.patch"
-                                "metabat-fix-boost-issue.patch"))))
+         "1hmvdalz3zj5sqqklg0l4npjdv37cv2hsdi1al9iby2ndxjs1b73"))
+       (patches (search-patches "metabat-fix-compilation.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -4751,6 +4749,13 @@ simultaneously.")
        #:tests? #f ; no "check" target
        #:phases
        (modify-phases %standard-phases
+         (add-before 'configure 'set-perl-search-path
+           (lambda _
+             ;; Work around "dotless @INC" build failure.
+             (setenv "PERL5LIB"
+                     (string-append (getcwd) "/setup:"
+                                    (getenv "PERL5LIB")))
+             #t))
          (replace 'configure
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out")))
@@ -5056,6 +5061,13 @@ sequence itself can be retrieved from these databases.")
                                  "/lib32")))
        #:phases
        (modify-phases %standard-phases
+         (add-before 'configure 'set-perl-search-path
+           (lambda _
+             ;; Work around "dotless @INC" build failure.
+             (setenv "PERL5LIB"
+                     (string-append (getcwd) "/setup:"
+                                    (getenv "PERL5LIB")))
+             #t))
          (replace 'configure
            (lambda* (#:key inputs outputs #:allow-other-keys)
              ;; The build system expects a directory containing the sources and
@@ -5654,18 +5666,17 @@ information as possible.")
 (define-public r-vegan
   (package
     (name "r-vegan")
-    (version "2.4-3")
+    (version "2.4-4")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "vegan" version))
        (sha256
         (base32
-         "15zcxfix2d854897k1lr0sfmj2n00339nlsppcr3zrb238lb2mi5"))))
+         "1n57dzv2aid6iqd9fkqik401sidqanhzsawyak94qbiyh6dbd1x9"))))
     (build-system r-build-system)
     (native-inputs
-     `(("gfortran" ,gfortran)
-       ("r-knitr" ,r-knitr)))
+     `(("gfortran" ,gfortran)))
     (propagated-inputs
      `(("r-cluster" ,r-cluster)
        ("r-lattice" ,r-lattice)
@@ -6129,7 +6140,7 @@ track.  The database is exposed as a @code{TxDb} object.")
 (define-public vsearch
   (package
     (name "vsearch")
-    (version "2.4.3")
+    (version "2.4.4")
     (source
      (origin
        (method url-fetch)
@@ -6139,7 +6150,7 @@ track.  The database is exposed as a @code{TxDb} object.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0hc110ycqpa54nr6x173qg7190hk08qp7yz7zzqxlsypqnpc5zzp"))
+         "1d8a4gjwaqdv57krlr80x18mg5py1bbdiqs5m0jdn38filc9z40k"))
        (patches (search-patches "vsearch-unbundle-cityhash.patch"))
        (snippet
         '(begin
@@ -6433,13 +6444,13 @@ also known as views, in a controlled vocabulary.")
 (define-public r-bookdown
   (package
   (name "r-bookdown")
-  (version "0.4")
+  (version "0.5")
   (source (origin
             (method url-fetch)
             (uri (cran-uri "bookdown" version))
             (sha256
              (base32
-              "1fp1k7hivrb7s2dwgrsqy9s7xg6pk9hczhrc149y1dwh901j6qvv"))))
+              "0zm63kr4f4kja4qpwkzl119zzyciqj7ihajfqgfjpgb4dzaiycxp"))))
   (build-system r-build-system)
   (propagated-inputs
    `(("r-htmltools" ,r-htmltools)
@@ -7109,13 +7120,13 @@ samples.")
 (define-public r-genomicalignments
   (package
     (name "r-genomicalignments")
-    (version "1.12.1")
+    (version "1.12.2")
     (source (origin
               (method url-fetch)
               (uri (bioconductor-uri "GenomicAlignments" version))
               (sha256
                (base32
-                "127690sys4i5q3l4vxnjg4xg8q19qlw2258vgs5d1156w9ypp04h"))))
+                "03ysxi9fdd3bcfj05iaysya9knn2aa2irwpypb5srg0xwv92bdb9"))))
     (properties
      `((upstream-name . "GenomicAlignments")))
     (build-system r-build-system)
@@ -7990,7 +8001,7 @@ paired-end data.")
 (define-public r-rcas
   (package
     (name "r-rcas")
-    (version "1.1.1")
+    (version "1.3.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/BIMSBbioinfo/RCAS/archive/v"
@@ -7998,7 +8009,7 @@ paired-end data.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1hd0r66556bxbdd82ksjklq7nfli36l4k6y88ic7kkg9873wa1nw"))))
+                "19mk7vkbngmch54kzcxb52161ljfchhjsaanza8iwv5h98sjj66d"))))
     (build-system r-build-system)
     (native-inputs
      `(("r-knitr" ,r-knitr)
@@ -8032,7 +8043,7 @@ paired-end data.")
 intuitive reports and publication-ready graphics.  This package provides the R
 library implementing most of the pipeline's features.")
     (home-page "https://github.com/BIMSBbioinfo/RCAS")
-    (license license:expat)))
+    (license license:artistic2.0)))
 
 (define-public rcas-web
   (package
@@ -8575,25 +8586,24 @@ replacement for strverscmp.")
 (define-public multiqc
   (package
     (name "multiqc")
-    (version "0.9")
+    (version "1.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "multiqc" version))
        (sha256
         (base32
-         "12gs1jw2jrxrij529rnl5kaqxfcqn15yzcsggxkfhdx634ml0cny"))
-       (patches (search-patches "multiqc-fix-git-subprocess-error.patch"))))
+         "032svgym67k2ds7wp0cxzv79gi30yrdl45zbqn74lni3dk04qm33"))))
     (build-system python-build-system)
-    (arguments
-     ;; Tests are to be introduced in the next version, see
-     ;; https://github.com/ewels/MultiQC/issues/376
-     `(#:tests? #f))
     (propagated-inputs
      `(("python-jinja2" ,python-jinja2)
        ("python-simplejson" ,python-simplejson)
        ("python-pyyaml" ,python-pyyaml)
        ("python-click" ,python-click)
+       ("python-spectra" ,python-spectra)
+       ("python-requests" ,python-requests)
+       ("python-markdown" ,python-markdown)
+       ("python-lzstring" ,python-lzstring)
        ("python-matplotlib" ,python-matplotlib)
        ("python-numpy" ,python-numpy)
        ;; MultQC checks for the presence of nose at runtime.
@@ -8830,14 +8840,14 @@ trait.")
 (define-public r-maldiquant
   (package
     (name "r-maldiquant")
-    (version "1.16.2")
+    (version "1.16.4")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "MALDIquant" version))
        (sha256
         (base32
-         "0z5srzsfgsgi4bssr4chls4ry6d18y2g9143znqmraylppwrrqzr"))))
+         "1pmhsfvd45a44xdiml4zx3zd5fhygqyziqvygahkk9yibnyhv4cv"))))
     (properties `((upstream-name . "MALDIquant")))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/MALDIquant")
diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index 74601871cc..e7d21d2ce7 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Troy Sankey <sankeytms@gmail.com>
 ;;; Copyright © 2016 Stefan Reichoer <stefan@xsteve.at>
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 801bbf73e9..f978ef3055 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 Lukas Gradl <lgradl@openmailbox.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -34,6 +35,7 @@
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial))
 
 (define-public check
@@ -153,6 +155,51 @@ supervised tests.")
 multi-paradigm automated test framework for C++ and Objective-C.")
     (license boost1.0)))
 
+(define-public cmdtest
+  (package
+    (name "cmdtest")
+    (version "0.29")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://git.liw.fi/cmdtest/snapshot/"
+                                  name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1i6gi4yp4qqx1liax098c7nwdb24pghh11xqlrcs7lnhh079rqhb"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2
+       #:phases
+       (modify-phases %standard-phases
+         ;; check phase needs to be run before the build phase. If not, the
+         ;; coverage test runner looks for tests for the built source files,
+         ;; and fails.
+         (delete 'check)
+         (add-before 'build 'check
+           (lambda _
+             (substitute* "yarn"
+               (("/bin/sh") (which "sh")))
+             ;; yarn uses python2-ttystatus to print messages.
+             ;; python2-ttystatus requires /dev/tty which is not present in
+             ;; the build environment. Hence assuming-failure test fails.
+             (delete-file "yarn.tests/assuming-failure.script")
+             (delete-file "yarn.tests/assuming-failure.stdout")
+             (zero? (system* "python" "setup.py" "check")))))))
+    (native-inputs
+     `(("python2-coverage-test-runner" ,python2-coverage-test-runner)))
+    (propagated-inputs
+     `(("python2-cliapp" ,python2-cliapp)
+       ("python2-markdown" ,python2-markdown)
+       ("python2-ttystatus" ,python2-ttystatus)))
+    (home-page "https://liw.fi/cmdtest/")
+    (synopsis "Black box Unix program tester")
+    (description
+     "@code{cmdtest} black box tests Unix command line tools.  Roughly, it is
+given a command line and input files, and the expected output, and it verifies
+that the command line produces the expected output.  If not, it reports a
+problem, and shows the differences.")
+    (license gpl3+)))
+
 (define-public cmocka
   (package
     (name "cmocka")
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 7cd9842f94..da7765b013 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2015, 2016 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2015 Jeff Mickey <j@codemac.net>
 ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -12,7 +12,7 @@
 ;;; Copyright © 2016 Danny Milosavljevic <dannym@scratchpost.org>
 ;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2017 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
@@ -758,6 +758,28 @@ the LZ4 frame format.")
 (define-public python2-lz4
   (package-with-python2 python-lz4))
 
+(define-public python-lzstring
+  (package
+    (name "python-lzstring")
+    (version "1.0.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "lzstring" version))
+       (sha256
+        (base32
+         "1d3ck454y41mii0gcjabpmp2skb7n0f9zk232gycqdv8z2jxakfm"))))
+    (build-system python-build-system)
+    (propagated-inputs
+     `(("python-future" ,python-future)))
+    (home-page "https://github.com/gkovacs/lz-string-python")
+    (synopsis "String compression")
+    (description "Lz-string is a string compressor library for Python.")
+    (license license:expat)))
+
+(define-public python2-lzstring
+  (package-with-python2 python-lzstring))
+
 (define-public squashfs-tools
   (package
     (name "squashfs-tools")
@@ -1525,6 +1547,7 @@ manipulate, read, and write Zip archive files.")
               (method url-fetch)
               (uri (string-append
                     "https://nih.at/libzip/libzip-" version ".tar.gz"))
+              (patches (search-patches "libzip-CVE-2017-12858.patch"))
               (sha256
                (base32
                 "17vxj2ffsxwh8lkc6801ppmwj15jp8q58rin76znxfbx88789ybc"))))
diff --git a/gnu/packages/cran.scm b/gnu/packages/cran.scm
index bb7576352f..80335c4686 100644
--- a/gnu/packages/cran.scm
+++ b/gnu/packages/cran.scm
@@ -202,14 +202,14 @@ on (non-orthogonal) variable vectors in scatterplots and biplots.")
 (define-public r-shape
   (package
     (name "r-shape")
-    (version "1.4.2")
+    (version "1.4.3")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "shape" version))
        (sha256
         (base32
-         "0yk3cmsa57svcvbnm21pyr0s0qbhnllka8nmsg4yb41frjlqph66"))))
+         "1v9xp60p813rnx41vchkh32qmcb4z2zp9l7r1a8a6f8aqylnq3vj"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/shape")
     (synopsis "Functions for plotting graphical shapes")
@@ -241,14 +241,14 @@ validation and filtering on the values, making options invisible or private.")
 (define-public r-circlize
   (package
     (name "r-circlize")
-    (version "0.4.0")
+    (version "0.4.1")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "circlize" version))
        (sha256
         (base32
-         "0p1zx1aawkblz48kzzfn5w1k3lbwv9wrk1k5gcfjrr2b4sz1pp5b"))))
+         "1w7i3jgxgq510axglzmw54ma9kq7k4c86i9ccndz10mrwc51fji0"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-colorspace" ,r-colorspace)
@@ -271,14 +271,14 @@ patterns behind multiple dimensional data.")
 (define-public r-powerlaw
   (package
     (name "r-powerlaw")
-    (version "0.70.0")
+    (version "0.70.1")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "poweRlaw" version))
        (sha256
         (base32
-         "1p2la3hslxq2xa8jkwvci6zcpn47cvyr9xqd5agp1riwwp2xw5gh"))))
+         "04sr0nhdd1v915m0zf5gasznzgi08ykcy20kkwdw0l5mvvdbic8m"))))
     (properties `((upstream-name . "poweRlaw")))
     (build-system r-build-system)
     (propagated-inputs
@@ -459,14 +459,14 @@ quantities.")
 (define-public r-reshape
   (package
     (name "r-reshape")
-    (version "0.8.6")
+    (version "0.8.7")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "reshape" version))
        (sha256
         (base32
-         "1f1ngalc22knhdm9djv1m6abnjqpv1frdzxfkpakhph2l67bk7fq"))))
+         "14ir3w4bb3bsz8jsak27nj7kpn227pdgr9653gjq5wc93rywi9ig"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-plyr" ,r-plyr)
@@ -505,14 +505,14 @@ package also provides a C++ API, that works with or without Rcpp.")
 (define-public r-ggally
   (package
     (name "r-ggally")
-    (version "1.3.0")
+    (version "1.3.2")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "GGally" version))
        (sha256
         (base32
-         "12ddab0nd0f9c7bb6cx3c22mliyvc8xsxv26aqz3cvfbla8crp3b"))))
+         "02px7j28wzbhcgcwm2m0pxb6g7s5zvphl64ix55pkvag4m2ky57l"))))
     (properties `((upstream-name . "GGally")))
     (build-system r-build-system)
     (propagated-inputs
@@ -556,14 +556,14 @@ most popular ones.")
 (define-public r-sp
   (package
     (name "r-sp")
-    (version "1.2-4")
+    (version "1.2-5")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "sp" version))
        (sha256
         (base32
-         "0crba3j00mb2xv2yk60rpa57gn97xq4ql3a6p9cjzqjxzv2cknk2"))))
+         "09yydnacp33yx0kn537k96fjlbf75fjafqfknpa5gvci4l888bqd"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-lattice" ,r-lattice)))
@@ -623,14 +623,14 @@ quantile mixture from L-moments and trimmed L-moments.")
 (define-public r-distillery
   (package
     (name "r-distillery")
-    (version "1.0-2")
+    (version "1.0-4")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "distillery" version))
        (sha256
         (base32
-         "12m4cacvc18fd3aayc8iih5q6bwsmvf29b55fwp7vs8wp1h8nd8c"))))
+         "1m0pgmlvk7bsb6q3kxagnq422babk61sf73naavac68v8x2q8fix"))))
     (build-system r-build-system)
     (home-page "http://www.ral.ucar.edu/staff/ericg")
     (synopsis "Functions for confidence intervals and object information")
@@ -904,14 +904,14 @@ George Marsaglia are included.")
 (define-public r-ksamples
   (package
     (name "r-ksamples")
-    (version "1.2-6")
+    (version "1.2-7")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "kSamples" version))
        (sha256
         (base32
-         "1pbam0zqq44slpxdgl2s2fsfdgl7i0pgm8bzlvnm0fy0na24bgdj"))))
+         "0f19rjngk0lg6s8c6h5l55qpxp8sl4vxj3kpi05cizzncny9b9bj"))))
     (properties `((upstream-name . "kSamples")))
     (build-system r-build-system)
     (propagated-inputs
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 648ba81aaf..93d59837bb 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -371,12 +371,7 @@ applications.")
                        (for-each delete-file
                                  (find-files (string-append out "/bin")
                                              "_embedded$"))
-                       #t))))
-       ;; On aarch64 the test suite runs out of memory and fails.
-       ,@(if (string-prefix? "aarch64-linux"
-                             (or (%current-target-system) (%current-system)))
-           '(#:tests? #f)
-           '())))
+                       #t))))))
     (native-inputs
      `(("bison" ,bison)
        ("perl" ,perl)))
@@ -474,14 +469,14 @@ as a drop-in replacement of MySQL.")
 (define-public postgresql
   (package
     (name "postgresql")
-    (version "9.6.4")
+    (version "9.6.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://ftp.postgresql.org/pub/source/v"
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
-                "04yffrrmn85k25n3nq389aa9c1j8mkimrf889kayl772h9nv2fib"))))
+                "0k3ls2x182jz6djjiqj9kycddabdl2gk1y1ajq1vipnxwfki5nh6"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-uuid=e2fs")
@@ -793,14 +788,14 @@ is in the public domain.")
 (define-public tdb
   (package
     (name "tdb")
-    (version "1.3.14")
+    (version "1.3.15")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.samba.org/ftp/tdb/tdb-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1sfbia8xyaywgx9zy7x618vrvyx9gc3cgqf763shsii9javlnz9s"))))
+                "0a37jhpij8wr4f4pjqdlwnffy2l6a2vkqdpz1bqxj6v06cwbz8dl"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
diff --git a/gnu/packages/dav.scm b/gnu/packages/dav.scm
index 86cfaa64b1..6c466977d2 100644
--- a/gnu/packages/dav.scm
+++ b/gnu/packages/dav.scm
@@ -55,13 +55,13 @@ clients.")
 (define-public vdirsyncer
   (package
     (name "vdirsyncer")
-    (version "0.16.1")
+    (version "0.16.2")
     (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
-               "0pnsb9h4r0hhmqhzx9nbrd7jawir9ysrh3wrrkhzi0ssarmxyp67"))))
+               "19xqzxcgmpm2z56l2d4a1n4sqmhrnzfwx3d9avfzgldwyhlrz0da"))))
     (build-system python-build-system)
     (arguments
       `(#:phases (modify-phases %standard-phases
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index 030fabfa58..49bbbfa92f 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -344,7 +344,7 @@ and can dramatically shorten the lifespan of the drive if left unchecked.")
     (native-inputs
      `(("intltool" ,intltool)
        ("pkg-config" ,pkg-config)))
-    (home-page "https://sourceforge.net/projects/gparted/")
+    (home-page "https://gparted.org/")
     (synopsis "Partition editor to graphically manage disk partitions")
     (description "GParted is a GNOME partition editor for creating,
 reorganizing, and deleting disk partitions.  It uses libparted from the parted
diff --git a/gnu/packages/display-managers.scm b/gnu/packages/display-managers.scm
index 869d6239ef..9f8d7b8250 100644
--- a/gnu/packages/display-managers.scm
+++ b/gnu/packages/display-managers.scm
@@ -132,23 +132,24 @@ Qt-style API for Wayland clients.")
 (define-public sddm
   (package
     (name "sddm")
-    (version "0.14.0")
+    (version "0.15.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
                     "https://github.com/sddm/sddm"
                     "/releases/download/v" version "/"
-                    "sddm-" version ".tar.xz"))
+                    "sddm-" version ".tar.gz"))
               (sha256
                (base32
-                "0y3pn8g2qj7q20zkmbasrfsj925lfzizk63sfrvzf84bc5c84d3y"))))
+                "0x1igkjm3k8q26xbmg0qah1fc2pn2sfc675w0xg42x7ncrdiw8d4"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("extra-cmake-modules" ,extra-cmake-modules)
        ("pkg-config" ,pkg-config)
        ("qttools" ,qttools)))
     (inputs
-     `(("glib" ,glib)
+     `(("elogind" ,elogind)
+       ("glib" ,glib)
        ("libxcb" ,libxcb)
        ("libxkbcommon" ,libxkbcommon)
        ("linux-pam" ,linux-pam)
@@ -163,6 +164,8 @@ Qt-style API for Wayland clients.")
         ;; Option added by enable wayland greeters PR
         "-DENABLE_WAYLAND=ON"
         "-DENABLE_PAM=ON"
+        ;; Both flags are required for elogind support.
+        "-DNO_SYSTEMD=ON" "-DUSE_ELOGIND=ON"
         "-DCONFIG_FILE=/etc/sddm.conf"
         ;; Set path to /etc/login.defs
         ;; Alternatively use -DUID_MIN and -DUID_MAX
@@ -180,6 +183,11 @@ Qt-style API for Wayland clients.")
                            (guix build qt-utils))
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'embed-loginctl-reference
+           (lambda _
+             (substitute* "CMakeLists.txt"
+               (("/usr/bin/loginctl") (which "loginctl")))
+             #t))
          (add-after 'install 'wrap-programs
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out")))
diff --git a/gnu/packages/djvu.scm b/gnu/packages/djvu.scm
index e739df3772..10cdbf31a8 100644
--- a/gnu/packages/djvu.scm
+++ b/gnu/packages/djvu.scm
@@ -34,6 +34,14 @@
                (base32
                 "0psh3zl9dj4n4r3lx25390nx34xz0bg0ql48zdskhq354ljni5p6"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'reproducible
+                    (lambda _
+                      ;; Ensure there are no timestamps in .svgz files.
+                      (substitute* "desktopfiles/Makefile.in"
+                        (("gzip") "gzip -n"))
+                      #t)))))
     (home-page "http://djvu.sourceforge.net/")
     (synopsis "Implementation of DjVu, the document format")
     (description "DjVuLibre is an implementation of DjVu,
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index afae4596bd..702ed011f4 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -483,14 +483,14 @@ Extensions} (DNSSEC).")
 (define-public knot
   (package
     (name "knot")
-    (version "2.5.3")
+    (version "2.5.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://secure.nic.cz/files/knot-dns/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "13lxxnnw0v7s0q648grz87bwlfwjh5sfbj1qax7jdklalqqy52np"))
+                "1w14m9pmc8vl9mcgikvwbflwcxwz52l77jq98wvxyxab13lpdpiz"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index 5d3d6f170b..9c5ca74d73 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 140a532050..52f06d9e96 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -12,7 +12,7 @@
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
 ;;; Copyright © 2016 Matthew Jordan <matthewjordandevops@yandex.com>
 ;;; Copyright © 2016, 2017 Roel Janssen <roel@gnu.org>
-;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
+;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2016, 2017 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;; Copyright © 2016 Alex Vong <alexvong1995@gmail.com>
@@ -22,12 +22,13 @@
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2017 Vasile Dumitrascu <va511e@yahoo.com>
 ;;; Copyright © 2017 Kyle Meyer <kyle@kyleam.com>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 George Clemmer <myglc2@gmail.com>
 ;;; Copyright © 2017 Feng Shu <tumashu@163.com>
 ;;; Copyright © 2017 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2017 Mekeor Melire <mekeor.melire@gmail.com>
+;;; Copyright © 2017 Peter Mikkelsen <petermikkelsen10@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -2603,6 +2604,27 @@ transparent background.  If you load it from a GUI, it will default to a
 dark background.")
     (license license:gpl3+)))
 
+(define-public emacs-2048-game
+  (package
+    (name "emacs-2048-game")
+    (version "20151026.1233")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://melpa.org/packages/2048-game-"
+                           version ".el"))
+       (sha256
+        (base32
+         "0gy2pvz79whpavp4jmz8h9krzn7brmvv3diixi1d4w51pcdvaldd"))))
+    (build-system emacs-build-system)
+    (home-page "https://bitbucket.org/zck/2048.el")
+    (synopsis "Implementation of the game 2048 in Emacs Lisp")
+    (description
+     "This program is an implementation of 2048 for Emacs.
+The goal of this game is to create a tile with value 2048.  The size of the
+board and goal value can be customized.")
+  (license license:gpl3+)))
+
 (define-public emacs-smartparens
   (package
     (name "emacs-smartparens")
@@ -3528,7 +3550,7 @@ for search-based navigation of buffers.")
 (define-public emacs-cider
   (package
     (name "emacs-cider")
-    (version "0.12.0")
+    (version "0.15.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3537,8 +3559,11 @@ for search-based navigation of buffers.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "00qzbfjy3w6bcnki7gw0clmi0cc5yqjdrcyhgv4ymijjs79h9p5s"))))
+                "0j7qjcslh8mnxrr2m8qrscyq9ry240j5jd9dysbvih126lxisf12"))))
     (build-system emacs-build-system)
+    (arguments
+     '(#:exclude                        ; Don't exclude 'cider-test.el'.
+       '("^\\.dir-locals\\.el$" "^test/")))
     (propagated-inputs
      `(("emacs-clojure-mode" ,emacs-clojure-mode)
        ("emacs-spinner" ,emacs-spinner)
@@ -3561,30 +3586,32 @@ CIDER).")
     (license license:gpl3+)))
 
 (define-public emacs-lua-mode
-  (package
-    (name "emacs-lua-mode")
-    (version "20151025")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append
-                    "https://github.com/immerrr/lua-mode/archive/v"
-                    version ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0sbhfny5ib65cnx6xcy6h9bbw27mw034s8m9cca00bhxqaqi6p4v"))))
-    (build-system emacs-build-system)
-    (home-page "https://github.com/immerrr/lua-mode/")
-    (synopsis "Major mode for lua")
-    (description
-     "This Emacs package provides a mode for @uref{https://www.lua.org/,
+  (let ((commit "652e299cb967fccca827dda381d61a9c144d97de")
+        (revision "1"))
+    (package
+      (name "emacs-lua-mode")
+      (version (string-append "20151025." revision "-" (string-take commit 9)))
+      (home-page "https://github.com/immerrr/lua-mode/")
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url home-page)
+                      (commit commit)))
+                (file-name (string-append name "-" version ".checkout"))
+                (sha256
+                 (base32
+                  "053025k930wh0lak6rc1973ynfrmm8zsyzfqhhd39x7abkl41hc9"))))
+      (build-system emacs-build-system)
+      (synopsis "Major mode for lua")
+      (description
+       "This Emacs package provides a mode for @uref{https://www.lua.org/,
 Lua programing language}.")
-    (license license:gpl2+)))
+      (license license:gpl2+))))
 
 (define-public emacs-ebuild-mode
   (package
     (name "emacs-ebuild-mode")
-    (version "1.30")
+    (version "1.37")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3593,7 +3620,7 @@ Lua programing language}.")
               (file-name (string-append name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0vp7lq1kvmh1b2bms2x1kf2k76dy9m02d7cirkxpiglwaxa0h9vz"))))
+                "07dzrdjjczkxdfdgi60h4jjkvzi4p0k9rij2wpfp8s03ay3qldpp"))))
     (build-system emacs-build-system)
     (home-page "https://devmanual.gentoo.org")
     (synopsis "Major modes for Gentoo package files")
@@ -3716,14 +3743,14 @@ passive voice.")
 (define-public emacs-org
   (package
     (name "emacs-org")
-    (version "20170622")
+    (version "20170828")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://elpa.gnu.org/packages/org-"
                                   version ".tar"))
               (sha256
                (base32
-                "0922lcbr2r7bkswljqzbm5y3ny1n67qfrmf7h7z9hsw2wy0505dp"))))
+                "0frjwgjyy7rwb7si57h6nd1p35a4gcd1dc0aka19kn8r59hbi08p"))))
     (build-system emacs-build-system)
     (home-page "http://orgmode.org/")
     (synopsis "Outline-based notes management and organizer")
@@ -5258,23 +5285,6 @@ multiplexer.")
 editing RPM spec files.")
     (license license:gpl2+)))
 
-(define-public emacs-nix-mode
-  (package
-    (inherit nix)
-    (name "emacs-nix-mode")
-    (build-system emacs-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'chdir-elisp
-           ;; Elisp directory is not in root of the source.
-           (lambda _
-             (chdir "misc/emacs"))))))
-    (synopsis "Emacs major mode for editing Nix expressions")
-    (description "@code{nixos-mode} provides an Emacs major mode for editing
-Nix expressions.  It supports syntax highlighting, indenting and refilling of
-comments.")))
-
 (define-public emacs-git-messenger
   (package
     (name "emacs-git-messenger")
@@ -5380,3 +5390,60 @@ enables you to easily define search engines, bind them to keybindings, and
 query them from the comfort of your editor.")
     (home-page "https://github.com/hrs/engine-mode")
     (license license:gpl3+)))
+
+(define-public emacs-prop-menu
+  (package
+    (name "emacs-prop-menu")
+    (version "0.1.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "http://stable.melpa.org/packages/prop-menu-"
+             version ".el"))
+       (sha256
+        (base32
+         "01bk4sjafzz7gqrkv9jg0pa85qr34vbk3q8ga2b0m61bndywzgpr"))))
+    (build-system emacs-build-system)
+    (home-page
+     "https://github.com/david-christiansen/prop-menu-el")
+    (synopsis
+     "Create and display a context menu based on text and overlay properties")
+    (description
+     "This is a library for computing context menus based on text
+properties and overlays.  The intended use is to have tools that
+annotate source code and others that use these annotations, without
+requiring a direct coupling between them, but maintaining
+discoverability.
+
+Major modes that wish to use this library should first define an
+appropriate value for @code{prop-menu-item-functions}.  Then, they should
+bind @code{prop-menu-by-completing-read} to an appropriate
+key.  Optionally, a mouse pop-up can be added by binding
+@code{prop-menu-show-menu} to a mouse event.")
+    (license license:gpl3+)))
+
+(define-public emacs-idris-mode
+  (package
+    (name "emacs-idris-mode")
+    (version "0.9.19")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "http://stable.melpa.org/packages/idris-mode-"
+             version ".tar"))
+       (sha256
+        (base32
+         "0ld4kfwnyyhlsnj5f6cbn4is4mpxdqalk2aifkw02r00mbr9n294"))))
+    (build-system emacs-build-system)
+    (propagated-inputs
+     `(("emacs-prop-menu" ,emacs-prop-menu)))
+    (home-page
+     "https://github.com/idris-hackers/idris-mode")
+    (synopsis "Major mode for editing Idris code")
+    (description
+     "This is an Emacs mode for editing Idris code.  It requires the latest
+version of Idris, and some features may rely on the latest Git version of
+Idris.")
+    (license license:gpl3+)))
diff --git a/gnu/packages/embedded.scm b/gnu/packages/embedded.scm
index 1f7176ae78..5e51fe2d01 100644
--- a/gnu/packages/embedded.scm
+++ b/gnu/packages/embedded.scm
@@ -299,7 +299,7 @@ languages are C and C++.")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "git://git.zapb.de/libjaylink.git")
+                      (url "https://git.zapb.de/libjaylink.git")
                       (commit commit)))
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
@@ -365,7 +365,7 @@ language.")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "git://git.code.sf.net/p/openocd/code.git")
+                      (url "https://git.code.sf.net/p/openocd/code.git")
                       (commit commit)))
                 (sha256
                  (base32
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 008a96b244..c4afe5ff95 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -23,7 +23,6 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu packages engineering)
-  #:use-module (srfi srfi-1)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix gexp)
diff --git a/gnu/packages/enlightenment.scm b/gnu/packages/enlightenment.scm
index 8c25f38aae..9f2abb702a 100644
--- a/gnu/packages/enlightenment.scm
+++ b/gnu/packages/enlightenment.scm
@@ -59,7 +59,7 @@
 (define-public efl
   (package
     (name "efl")
-    (version "1.20.2")
+    (version "1.20.3")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -67,7 +67,7 @@
                     version ".tar.xz"))
               (sha256
                (base32
-                "0zll6k4xbbdsxqg53g8jddgv889g5m1xh20i03iz5a52y2bcnh55"))))
+                "148i8awjdrqzd0xqfc6q4qvhhs46jl15nx7n2nii7lrwzx502wqj"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -245,7 +245,7 @@ Libraries with some extra bells and whistles.")
 (define-public enlightenment
   (package
     (name "enlightenment")
-    (version "0.21.8")
+    (version "0.21.9")
     (source (origin
               (method url-fetch)
               (uri
@@ -253,7 +253,7 @@ Libraries with some extra bells and whistles.")
                               name "/" name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0cjjiip12hd8bfjl9ccl3vzl81pxh1wpymxk2yvrzf6ap5girhps"))))
+                "0w5f3707hyfc20i6xqh4jlr5p2yhy1z794061mjsz2rp4w00qmpb"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--enable-mount-eeze")
diff --git a/gnu/packages/finance.scm b/gnu/packages/finance.scm
index 748b59c9e1..6d6844fa75 100644
--- a/gnu/packages/finance.scm
+++ b/gnu/packages/finance.scm
@@ -246,7 +246,7 @@ do so.")
 (define-public electrum
   (package
     (name "electrum")
-    (version "2.7.12")
+    (version "2.9.3")
     (source
      (origin
        (method url-fetch)
@@ -255,7 +255,7 @@ do so.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "0vxdfl208if7mdsnva1jg37bnay2dsz3ww157aqwcv1j6512fi1n"))
+         "0d0fzb653g7b8ka3x90nl21md4g3n1fv11czdxpdq3s9yr6js6f2"))
        (modules '((guix build utils)))
        (snippet
         '(begin
@@ -264,7 +264,8 @@ do so.")
            #t))))
     (build-system python-build-system)
     (inputs
-     `(("python-slowaes" ,python2-slowaes)
+     `(("python-pyaes" ,python2-pyaes)
+       ("python-pysocks" ,python2-pysocks)
        ("python-sip" ,python2-sip)
        ("python-pyqt" ,python2-pyqt-4)
        ("python-ecdsa" ,python2-ecdsa)
diff --git a/gnu/packages/fltk.scm b/gnu/packages/fltk.scm
index 27d2f62ca7..0ca77cfa40 100644
--- a/gnu/packages/fltk.scm
+++ b/gnu/packages/fltk.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2014 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm
index 69ef743cba..97d399a4c8 100644
--- a/gnu/packages/fonts.scm
+++ b/gnu/packages/fonts.scm
@@ -560,7 +560,7 @@ languages, plus Greek and Cyrillic.")
 (define-public font-gnu-unifont
   (package
     (name "font-gnu-unifont")
-    (version "10.0.05")
+    (version "10.0.06")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -568,7 +568,7 @@ languages, plus Greek and Cyrillic.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "07sajc32l2knnz6gmd81zxjhcxq8xr6r2kf42wig56vj05s3d1cb"))))
+                "0z8lglzwbkmya0gmhxd9m1x3nsd7flfsbsh0qy34dzqqdwjpyy2p"))))
     (build-system gnu-build-system)
     (outputs '("out" ; TrueType version
                "pcf" ; PCF (bitmap) version
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 93df44cac7..a304c15334 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -6,7 +6,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
diff --git a/gnu/packages/ftp.scm b/gnu/packages/ftp.scm
index eb108491a4..bbdb4e410b 100644
--- a/gnu/packages/ftp.scm
+++ b/gnu/packages/ftp.scm
@@ -173,7 +173,7 @@ as required.")
 (define-public libfilezilla
   (package
     (name "libfilezilla")
-    (version "0.9.0")
+    (version "0.10.1")
     (source
      (origin
        (method url-fetch)
@@ -181,10 +181,11 @@ as required.")
                            name "/" name "-" version ".tar.bz2"))
        (sha256
         (base32
-         "0340v5xs48f28q2d16ldb9359dkzlhl4l449mgyv3qabnlz2pl21"))))
+         "1yi9db0hpxh3giyjhkbz7ajmf95qw27xdvh3xvw208zri5k575x0"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("cppunit" ,cppunit)))
+     `(("cppunit" ,cppunit)
+       ("pkg-config" ,pkg-config)))
     (home-page "https://lib.filezilla-project.org")
     (synopsis "Cross-platform C++ library used by Filezilla client")
     (description
@@ -195,7 +196,7 @@ platform-independent programs.")
 (define-public filezilla
   (package
     (name "filezilla")
-    (version "3.24.1")
+    (version "3.27.1")
     (source
      (origin
        (method url-fetch)
@@ -204,7 +205,7 @@ platform-independent programs.")
                            "/FileZilla_" version "_src" ".tar.bz2"))
        (sha256
         (base32
-         "0ahcld3g6jj92nakm5i58wgmcv6f4l9yisw3aqbc2ry0gs679pg6"))))
+         "14lsplbp9fy7lk6cpwi3aj6jskz4j82h67x0fik82z1bns0zm2a3"))))
     (build-system gnu-build-system)
     (arguments
       ;; Don't let filezilla phone home to check for updates.
diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index 95f8697b42..c8869a4944 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2015 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015, 2016, 2017 David Thompson <davet@gnu.org>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 Julian Graham <joolean@gmail.com>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -248,14 +248,14 @@ files) into @file{.grf} and/or @file{.nfo} files.")
 (define-public python-sge-pygame
   (package
     (name "python-sge-pygame")
-    (version "1.5")
+    (version "1.5.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "sge-pygame" version))
        (sha256
         (base32
-         "0g0n722md6nfayiqzadwf0dh821hzqv0alp4by0vjfwr1xzv49mc"))))
+         "1rl3xjzh78sl0sq3xl8rl7cgp9v9v3h7s2pfwn7nj1vrmffzkcpd"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-pygame" ,python-pygame)
@@ -276,7 +276,7 @@ possible, and it also makes the SGE easy to learn.")
 (define-public python-tmx
   (package
     (name "python-tmx")
-    (version "1.9.1")
+    (version "1.10")
     (source
      (origin
        (method url-fetch)
@@ -285,7 +285,7 @@ possible, and it also makes the SGE easy to learn.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "1is107sx3lr09dqjiyn10xqhyv5x54c2ryhys9mb9j3mxjbm227l"))))
+         "073q0prg1nzlkga2b45vhscz374206qh4x68ccg00mxxwagn64z0"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-six" ,python-six)))
@@ -353,7 +353,7 @@ support.")
 (define-public tiled
   (package
     (name "tiled")
-    (version "1.0.2")
+    (version "1.0.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/bjorn/tiled/archive/v"
@@ -361,7 +361,7 @@ support.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "134xi74xajh38rj1qhmc4x1zmncfdmqb01axnkxh6zs3qz0rxp93"))))
+                "1qj7l34y5zv2iazmwbix8wdpp88zv7fswbc4arqpp1wak2yna1ix"))))
     (build-system gnu-build-system)
     (inputs
      `(("qtbase" ,qtbase)
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 9e7b579907..7bfd05cc7f 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2016 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
 ;;; Copyright © 2016 Albin Söderqvist <albin@fripost.org>
-;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
@@ -522,7 +522,7 @@ watch your CPU playing while enjoying a cup of tea!")
 (define-public retux
   (package
     (name "retux")
-    (version "1.3.4")
+    (version "1.3.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://savannah/retux/"
@@ -530,7 +530,7 @@ watch your CPU playing while enjoying a cup of tea!")
                                   version "-src.tar.gz"))
               (sha256
                (base32
-                "1wgvh3q96kfgymb2jpd58xsms9hmckhhc4fq7v2k61gh2l11cvdj"))))
+                "1pcrh3z16fl412r3k7xccrgika19ahb1xh90jihgl8yy7zza2i6p"))))
     (build-system python-build-system)
     (arguments
      `(#:tests? #f ; no check target
@@ -3632,7 +3632,7 @@ throwing people around in pseudo-randomly generated buildings.")
 (define-public hyperrogue
   (package
     (name "hyperrogue")
-    (version "10.0e")
+    (version "10.0g")
     ;; When updating this package, be sure to update the "hyperrogue-data"
     ;; origin in native-inputs.
     (source (origin
@@ -3643,7 +3643,7 @@ throwing people around in pseudo-randomly generated buildings.")
                     "-src.tgz"))
               (sha256
                (base32
-                "1p6fam73khhys54098qsgmp52d0rnqc3k5hknjig0znvfb2kwi38"))))
+                "0f68pcnsgl406dhm91ckn3f364bar9m9i5njp9vrmvhvv9p2icy0"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f ; no check target
@@ -3718,7 +3718,7 @@ throwing people around in pseudo-randomly generated buildings.")
              "-win.zip"))
            (sha256
             (base32
-             "1z9w3nd57ybnf4w7ckhhp5vfws2hwd8x26fx6h496f6160fgcj6m"))))
+             "0bnp077qvlmxjlz1jjd6kpghlv9flxc19ac1xq3m3wyq1w9p3pab"))))
        ("unzip" ,unzip)))
     (inputs
      `(("font-dejavu" ,font-dejavu)
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index b4e6ce435b..169f040ee4 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -37,12 +38,11 @@
 (define-public gd
   (package
     (name "gd")
-
+    (replacement gd-2.2.5)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
     (version "2.2.4")
-
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -93,6 +93,22 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+;; For CVE-2017-6362 and CVE-2017-7890.
+(define-public gd-2.2.5
+  (package
+    (inherit gd)
+    (version "2.2.5")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/libgd/libgd/releases/download/gd-"
+                    version "/libgd-" version ".tar.xz"))
+              (patches (search-patches "gd-fix-tests-on-i686.patch"
+                                       "gd-freetype-test-failure.patch"))
+              (sha256
+               (base32
+                "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 13d2a68dba..c820818687 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -43,7 +43,7 @@
 (define-public babl
   (package
     (name "babl")
-    (version "0.1.28")
+    (version "0.1.30")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://download.gimp.org/pub/babl/"
@@ -54,7 +54,7 @@
                                         version ".tar.bz2")))
               (sha256
                (base32
-                "00w6xfcv960c98qvxv81gcbj8l1jiab9sggmdl77m19awwiyvwv3"))))
+                "1k2k3phh9ybma2snw6hm8inx2dw1jq6cf7w2aqvi4rfr0rxjrha5"))))
     (build-system gnu-build-system)
     (home-page "http://gegl.org/babl/")
     (synopsis "Image pixel format conversion library")
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 4d12ab4d59..43547961bf 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -14,7 +14,7 @@
 ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2016 Jochem Raat <jchmrt@riseup.net>
-;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
@@ -3646,7 +3646,9 @@ for application developers.")
                   (grl-plugin-path (getenv "GRL_PLUGIN_PATH")))
               (wrap-program (string-append out "/bin/totem")
                 `("GST_PLUGIN_SYSTEM_PATH" ":" prefix (,gst-plugin-path))
-                `("GRL_PLUGIN_PATH"        ":" prefix (,grl-plugin-path))))
+                `("GRL_PLUGIN_PATH"        ":" prefix (,grl-plugin-path)))
+              (wrap-program (string-append out "/bin/totem-video-thumbnailer")
+                `("GST_PLUGIN_SYSTEM_PATH" ":" prefix (,gst-plugin-path))))
             #t)))))
     (home-page "https://wiki.gnome.org/Apps/Videos")
     (synopsis "Simple media player for GNOME based on GStreamer")
@@ -5848,6 +5850,8 @@ associations for GNOME.")
        ("gnome-system-monitor"      ,gnome-system-monitor)
        ("gnome-terminal"            ,gnome-terminal)
        ("gnome-themes-standard"     ,gnome-themes-standard)
+       ("gst-plugins-base"          ,gst-plugins-base)
+       ("gst-plugins-good"          ,gst-plugins-good)
        ("gucharmap"                 ,gucharmap)
        ("gvfs"                      ,gvfs)
        ("hicolor-icon-theme"        ,hicolor-icon-theme)
@@ -5878,7 +5882,7 @@ documents and diagrams, playing media, scanning, and much more.")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "git://git.gnome.org/byzanz")
+                      (url "https://git.gnome.org/browse/byzanz")
                       (commit commit)))
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index f3fe637b13..837f9a21b6 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -336,7 +336,7 @@ kinds of basic applications for the foundation of a GNU internet.")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "git://git.sv.gnu.org/guix/gnunet.git")
+                      (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index fd850c0469..d6f0722f6e 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -81,6 +81,7 @@ Daemon and possibly more in the future.")
 
 (define-public libgcrypt
   (package
+    (replacement libgcrypt/fixed)
     (name "libgcrypt")
     (version "1.7.8")
     (source (origin
@@ -115,6 +116,18 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
+(define libgcrypt/fixed
+  (package
+    (inherit libgcrypt)
+    (version "1.8.1")
+    (source (origin
+             (method url-fetch)
+             (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
+                                 version ".tar.bz2"))
+             (sha256
+              (base32
+               "1cvqd9jk5qshbh48yh3ixw4zyr4n5k50r3475rrh20xfn7w7aa3s"))))))
+
 (define-public libassuan
   (package
     (name "libassuan")
@@ -203,14 +216,14 @@ compatible to GNU Pth.")
 (define-public gnupg
   (package
     (name "gnupg")
-    (version "2.1.23")
+    (version "2.2.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnupg/gnupg-" version
                                   ".tar.bz2"))
               (sha256
                (base32
-                "0xqd5nm4j3w9lwk35vg57gl2i8bfkmx7d24i44gkbscm2lwpci59"))))
+                "1rj538kp3wsdq7rhl8sy1wpwhlsbxcch0cwk64kgz8gpw05lllfl"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -232,7 +245,8 @@ compatible to GNU Pth.")
     `(#:configure-flags '(;; Otherwise, the test suite looks for the `gpg`
                           ;; executable in its installation directory in
                           ;; /gnu/store before it has been installed.
-                          "--enable-gnupg-builddir-envvar")
+                          "--enable-gnupg-builddir-envvar"
+                          "--enable-all-tests")
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-paths
@@ -249,26 +263,18 @@ compatible to GNU Pth.")
                (string-append (getcwd) "/tests/gpgscm/gpgscm")))
             #t))
         (add-before 'build 'patch-test-paths
-          (lambda* (#:key inputs #:allow-other-keys)
-            (let* ((coreutils (assoc-ref inputs "coreutils"))
-                   (cat (string-append coreutils "/bin/cat"))
-                   (pwd (string-append coreutils "/bin/pwd"))
-                   (true (string-append coreutils "/bin/true"))
-                   (false (string-append coreutils "/bin/false")))
-              (substitute* '("tests/inittests"
-                             "tests/pkits/inittests"
-                             "tests/Makefile"
-                             "tests/pkits/common.sh"
-                             "tests/pkits/Makefile"
-                            )
-               (("/bin/pwd") pwd))
-              (substitute* "common/t-exectool.c"
-                (("/bin/cat") cat))
-              (substitute* "common/t-exectool.c"
-                (("/bin/true") true))
-              (substitute* "common/t-exectool.c"
-                (("/bin/false") false))
-              #t))))))
+          (lambda _
+            (substitute* '("tests/inittests"
+                           "tests/pkits/inittests"
+                           "tests/Makefile"
+                           "tests/pkits/common.sh"
+                           "tests/pkits/Makefile")
+             (("/bin/pwd") (which "pwd")))
+            (substitute* "common/t-exectool.c"
+              (("/bin/cat") (which "cat"))
+              (("/bin/true") (which "true"))
+              (("/bin/false") (which "false")))
+            #t)))))
     (home-page "https://gnupg.org/")
     (synopsis "GNU Privacy Guard")
     (description
diff --git a/gnu/packages/gnustep.scm b/gnu/packages/gnustep.scm
index 51541170ae..195249c435 100644
--- a/gnu/packages/gnustep.scm
+++ b/gnu/packages/gnustep.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 70ad9993b6..af27ae3253 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -11,7 +11,7 @@
 ;;; Coypright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Fabian Harfert <fhmgufs@web.de>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Patrick Hetu <patrick.hetu@auf.org>
 ;;; Coypright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Coypright © 2017 Roel Janssen <roel@gnu.org>
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 53304bd1a4..6dacc472a8 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -293,6 +293,7 @@ without requiring the source code to be rewritten.")
               (uri (git-reference
                     (url "git://git.hcoop.net/git/bpt/guile.git")
                     (commit "d8d9a8da05ec876acba81a559798eb5eeceb5a17")))
+              (file-name (string-append name "-" version "-checkout"))
               (sha256
                (base32
                 "00sprsshy16y8pxjy126hr2adqcvvzzz96hjyjwgg8swva1qh6b0"))))
@@ -1912,6 +1913,7 @@ manipulate repositories of the Git version control system.")
                 (uri (git-reference
                       (url "git://dthompson.us/guile-syntax-highlight.git")
                       (commit commit)))
+                (file-name (string-append name "-" version "-checkout"))
                 (sha256
                  (base32
                   "1zjr6sg3n7xbdsliy45i39dqanxvcms58ayx36wxrz72zpq58vq3"))))
diff --git a/gnu/packages/hexedit.scm b/gnu/packages/hexedit.scm
index 8ddc0ffd4f..88dbfb234d 100644
--- a/gnu/packages/hexedit.scm
+++ b/gnu/packages/hexedit.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Gábor Boskovits <boskovits@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 94c683aa9e..503a249a91 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 ng0 <ng0@infotropique.org>
 ;;; Copyright © 2017 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
@@ -868,7 +868,7 @@ channels.")
                                        version ".tar.gz")))
              (sha256
               (base32
-               "1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc"))))
+               "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
     (build-system gnu-build-system)
     (arguments '(#:tests? #f))                    ; no `check' target
     (propagated-inputs
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 4056d486fb..57ac7fda97 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -179,7 +180,9 @@ script.")
               (patches
                (search-patches "graphicsmagick-CVE-2017-12935.patch"
                                "graphicsmagick-CVE-2017-12936.patch"
-                               "graphicsmagick-CVE-2017-12937.patch"))))
+                               "graphicsmagick-CVE-2017-12937.patch"
+                               "graphicsmagick-CVE-2017-13775.patch"
+                               "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index da68487b01..fe43d01332 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -651,8 +651,9 @@ the standard javac executable.  The tool runs on JamVM instead of SableVM.")))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "git://git.savannah.gnu.org/classpath.git")
+                      (url "https://git.savannah.gnu.org/git/classpath.git")
                       (commit commit)))
+                (file-name (string-append "classpath-" version "-checkout"))
                 (sha256
                  (base32
                   "1v2rww76ww322mpg3s12a1kkc6gkp31bm9gcxs532h0wq285fiw4"))))
@@ -4170,12 +4171,26 @@ more efficient storage-wise than an uncompressed bitmap (as implemented in the
                   #t))))
     (build-system ant-build-system)
     (arguments
-     ;; FIXME: org.slf4j.NoBindingTest fails with the ominous "This code
-     ;; should have never made it into slf4j-api.jar".
-     `(#:tests? #f
-       #:jar-name "slf4j-api.jar"
+     `(#:jar-name "slf4j-api.jar"
        #:source-dir "slf4j-api/src/main"
-       #:test-dir "slf4j-api/src/test"))
+       #:test-dir "slf4j-api/src/test"
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'build 'regenerate-jar
+           (lambda _
+             ;; pom.xml ignores these files in the jar creation process. If we don't,
+             ;; we get the error "This code should have never made it into slf4j-api.jar"
+             (delete-file-recursively "build/classes/org/slf4j/impl")
+             (zero? (system* "jar" "-cf" "build/jar/slf4j-api.jar" "-C"
+                             "build/classes" "."))))
+         (add-before 'check 'dont-test-abstract-classes
+           (lambda _
+             ;; abstract classes are not meant to be run with junit
+             (substitute* "build.xml"
+               (("<include name=\"\\*\\*/\\*Test.java\" />")
+                (string-append "<include name=\"**/*Test.java\" />"
+                               "<exclude name=\"**/MultithreadedInitializationTest"
+                               ".java\" />"))))))))
     (inputs
      `(("java-junit" ,java-junit)
        ("java-hamcrest-core" ,java-hamcrest-core)))
diff --git a/gnu/packages/javascript.scm b/gnu/packages/javascript.scm
index 85017453ff..2d1f6acfb9 100644
--- a/gnu/packages/javascript.scm
+++ b/gnu/packages/javascript.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -32,7 +33,7 @@
 (define-public font-mathjax
   (package
     (name "font-mathjax")
-    (version "2.7.1")
+    (version "2.7.2")
     (source
      (origin
        (method url-fetch)
@@ -42,7 +43,7 @@
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0sbib5lk0jrvbq6s72ag6ss3wjlz5wnk07ddxij1kp96yg3c1d1b"))))
+         "1r72di4pg4i6pfhcskkxqmf1158m81ki6a7lbw6nz4zh7xw23hy4"))))
     (build-system trivial-build-system)
     (arguments
      `(#:modules ((guix build utils))
@@ -59,7 +60,8 @@
            (mkdir-p install-directory)
            (zero? (system* "tar" "-C" install-directory "-xvf"
                            (assoc-ref %build-inputs "source")
-                           "MathJax-2.7.1/fonts" "--strip" "2"))))))
+                           ,(string-append "MathJax-" version "/fonts")
+                           "--strip" "2"))))))
     (native-inputs
      `(("gzip" ,gzip)
        ("tar" ,tar)))
@@ -91,7 +93,9 @@
          (setenv "LANG" "en_US.UTF-8")
          (let ((install-directory (string-append %output "/share/javascript/mathjax")))
            (system* "tar" "xvf" (assoc-ref %build-inputs "source")
-                    "MathJax-2.7.1/unpacked" "--strip" "2")
+                    ,(string-append "MathJax-" (package-version font-mathjax)
+                                    "/unpacked")
+                    "--strip" "2")
            (mkdir-p install-directory)
            (symlink (string-append (assoc-ref %build-inputs "font-mathjax")
                                    "/share/fonts/mathjax")
diff --git a/gnu/packages/jemalloc.scm b/gnu/packages/jemalloc.scm
index 27fb46e59d..a3bd2c93a4 100644
--- a/gnu/packages/jemalloc.scm
+++ b/gnu/packages/jemalloc.scm
@@ -23,14 +23,13 @@
   #:use-module ((guix licenses) #:select (bsd-2))
   #:use-module (guix packages)
   #:use-module (guix download)
-  #:use-module (gnu packages base)
-  #:use-module (gnu packages gcc)
+  #:use-module (gnu packages perl)
   #:use-module (guix build-system gnu))
 
 (define-public jemalloc
   (package
     (name "jemalloc")
-    (version "4.5.0")
+    (version "5.0.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -38,7 +37,7 @@
                     version "/jemalloc-" version ".tar.bz2"))
               (sha256
                (base32
-                "10373xhpc10pgmai9fkc1z0rs029qlcb3c0qfnvkbwdlcibdh2cl"))))
+                "1sf3lzgb0y8nnyzmp4zrca3sngdxw3kfh20sna9z03jv74fph528"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -56,6 +55,7 @@
            ;; Transparent huge pages are only enabled by default on Intel processors
            '()
            '(#:configure-flags (list "--disable-thp")))))
+    (inputs `(("perl" ,perl)))
     (home-page "http://jemalloc.net/")
     (synopsis "General-purpose scalable concurrent malloc implementation")
     (description
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 292b537a12..58bc742365 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -29,6 +29,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages admin)
+  #:use-module (gnu packages aidc)
   #:use-module (gnu packages attr)
   #:use-module (gnu packages base)
   #:use-module (gnu packages boost)
@@ -1209,6 +1210,31 @@ querying and interacting with hardware independently of the underlying operating
 system.")
     (license license:lgpl2.1+)))
 
+(define-public prison
+  (package
+    (name "prison")
+    (version "5.34.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://kde/stable/frameworks/"
+                           (version-major+minor version) "/"
+                           name "-" version ".tar.xz"))
+       (sha256
+        (base32 "00wj4yyfhhcq9b54civ5hy1grz70mmi676x50y12crcbbgkxm1lx"))))
+    (build-system cmake-build-system)
+    (native-inputs
+     `(("extra-cmake-modules" ,extra-cmake-modules)))
+    (inputs
+     `(("libdmtx", libdmtx)
+       ("qrencode" ,qrencode)
+       ("qtbase" ,qtbase))) ;; TODO: rethink: nix propagates this
+    (home-page "https://api.kde.org/frameworks/prison/html/index.html")
+    (synopsis "Barcode generation abstraction layer")
+    (description "Prison is a Qt-based barcode abstraction layer/library and
+provides uniform access to generation of barcodes with data.")
+    (license license:lgpl2.1+)))
+
 (define-public sonnet
   (package
     (name "sonnet")
diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
index 2e46a3c924..91a7b6208c 100644
--- a/gnu/packages/kde.scm
+++ b/gnu/packages/kde.scm
@@ -39,7 +39,7 @@
 (define-public kdevelop
   (package
     (name "kdevelop")
-    (version "5.1.1")
+    (version "5.1.2")
     (source
       (origin
         (method url-fetch)
@@ -48,7 +48,7 @@
                             version ".tar.xz"))
         (sha256
          (base32
-          "0m6pnmylp1gij5cr75waz8hjry5894qillj5977h467hnbzs808a"))))
+          "1iqaq0ilijjigqb34v5wq9in6bnjs0p9cmgbygjmy53xhh3yhm5g"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("extra-cmake-modules" ,extra-cmake-modules)
@@ -151,7 +151,7 @@ for some KDevelop language plugins (Ruby, PHP, CSS...).")
 (define-public kdevplatform
   (package
     (name "kdevplatform")
-    (version "5.1.1")
+    (version "5.1.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kde/stable/kdevelop"
@@ -159,7 +159,7 @@ for some KDevelop language plugins (Ruby, PHP, CSS...).")
                                   version ".tar.xz"))
               (sha256
                (base32
-                "09p7lvniw55g6x8v8wl3azlps8c13yx03x1m9cd3qdxi282l8n9i"))))
+                "0jk6g1kiqpyjy8pca0236b9944gxqnymqv8ny6m8nrraannxs8p6"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("extra-cmake-modules" ,extra-cmake-modules)
diff --git a/gnu/packages/ldc.scm b/gnu/packages/ldc.scm
index 25fcb514d0..d2aee9c7c0 100644
--- a/gnu/packages/ldc.scm
+++ b/gnu/packages/ldc.scm
@@ -279,7 +279,7 @@ latest DMD frontend and uses LLVM as backend.")
 (define-public dub
   (package
     (name "dub")
-    (version "1.4.1")
+    (version "1.5.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/dlang/dub/archive/"
@@ -287,7 +287,7 @@ latest DMD frontend and uses LLVM as backend.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0hpl5srbrzwzv8abc96j4cgbmvm1zhr109ljbl7hrphzzc39zyan"))))
+                "1p9pmzjsmd7v3jpilv0z0c8ar1ykvri6nn5fv95f8d2vriczj29m"))))
    (build-system gnu-build-system)
     (arguments
      `(#:tests? #f ; it would have tested itself by installing some packages (vibe etc)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 82d8fe3e5f..20441667e4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -367,8 +367,8 @@ It has been modified to remove all non-free binary blobs.")
 
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
-(define %linux-libre-version "4.12.9")
-(define %linux-libre-hash "1wpsqhaab91l1wdbsxq8pdwrdx3a603zr5zjxbzdsx99pr6iypra")
+(define %linux-libre-version "4.12.10")
+(define %linux-libre-hash "06rnmz7jrj4asmarq3f77lzmyk8w6k71qr2rhcvm087g1mxlaahj")
 
 (define-public linux-libre
   (make-linux-libre %linux-libre-version
@@ -377,14 +377,14 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.9
-  (make-linux-libre "4.9.45"
-                    "0qdwn2m3iynbjyszkq4hlx891s1b83p9nr1v7vdb20fs4n2cbl9s"
+  (make-linux-libre "4.9.46"
+                    "1wx7lrd3xlcdwdfy23gflklqqq0qlps36r5fm2z5d656xgwb149k"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.84"
-                    "00lp3471mvwpq5062cynaakjn7bjpylmg1d1wwmhh6fdknd2h1kz"
+  (make-linux-libre "4.4.85"
+                    "1ahcgz2531c0zmyyw54w5z2fzwlqqn68hl7dyy4hxdns4yx3irmz"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 3b0f12b764..fe040a1180 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -896,7 +896,7 @@ compresses it.")
 (define-public claws-mail
   (package
     (name "claws-mail")
-    (version "3.15.0")
+    (version "3.15.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -904,7 +904,7 @@ compresses it.")
                     ".tar.xz"))
               (sha256
                (base32
-                "0bnwd3l04y6j1nw3h861rdy6k6lyjzsi51j04d33vbpq8c6jskaf"))))
+                "0hlm2jipyr4z6izlrpvabpz4ivh49i13avnm848kr1nv68pkq2cd"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs `(("bogofilter" ,bogofilter)
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index c3c2191a94..bebed14b52 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -11,7 +11,7 @@
 ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Fabian Harfert <fhmgufs@web.de>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
@@ -149,14 +149,14 @@ interactive dialogs to guide them.")
 (define-public coda
   (package
     (name "coda")
-    (version "2.18")
+    (version "2.18.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://github.com/stcorp/coda/releases/download/"
                            version "/coda-" version ".tar.gz"))
        (sha256
-        (base32 "11asla1ap8vd73farqjlpb179sfiy0biydcwxjfcakrp9sf8v9bs"))
+        (base32 "01fnqcby9jijvf3jxr1fk4bny059lvvq5wbqm7ns60ilykfdnm6a"))
        (patches (search-patches "coda-use-system-libs.patch"))
        (modules '((guix build utils)))
        (snippet
@@ -605,7 +605,18 @@ computations.")
                (("@HDF_BUILD_SHARED_TRUE@AM_LDFLAGS = \
 -R\\$\\(abs_top_builddir\\)/mfhdf/libsrc/\\.libs \
 -R\\$\\(abs_top_builddir\\)/hdf/src/\\.libs \\$\\(XDR_ADD\\)") ""))
-             #t)))))
+             #t))
+         (add-after 'configure 'patch-settings
+           (lambda _
+             ;; libhdf4.settings contains the full path of the
+             ;; compilers used, and its contents are included in
+             ;; .so-files.  We truncate the hashes to avoid
+             ;; unnecessary store references to those compilers:
+             (substitute* "libhdf4.settings"
+               (("(/gnu/store/)([a-Z0-9]*)" all prefix hash)
+                (string-append prefix (string-take hash 10) "...")))
+             #t))
+         )))
     (home-page "https://www.hdfgroup.org/products/hdf4/")
     (synopsis
      "Library and multi-object file format for storing and managing data")
@@ -648,16 +659,40 @@ incompatible with HDF5.")
     (build-system gnu-build-system)
     (inputs
      `(("zlib" ,zlib)))
+    (native-inputs
+     `(("gfortran" ,gfortran)))
+    (outputs '("out"       ; core library
+               "fortran")) ; fortran interface
     (arguments
      `(;; Some of the users, notably Flann, need the C++ interface.
-       #:configure-flags '("--enable-cxx")
+       #:configure-flags '("--enable-cxx"
+                           "--enable-fortran"
+                           "--enable-fortran2003")
 
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'patch-configure
-           (lambda _
+           (lambda* (#:key outputs #:allow-other-keys)
              (substitute* "configure"
                (("/bin/mv") "mv"))
+             (substitute* "fortran/src/Makefile.in"
+               (("libhdf5_fortran_la_LDFLAGS =")
+                (string-append "libhdf5_fortran_la_LDFLAGS = -Wl-rpath="
+                               (assoc-ref outputs "fortran") "/lib")))
+             (substitute* "hl/fortran/src/Makefile.in"
+               (("libhdf5hl_fortran_la_LDFLAGS =")
+                (string-append "libhdf5hl_fortran_la_LDFLAGS = -Wl,-rpath="
+                               (assoc-ref outputs "fortran") "/lib")))
+             #t))
+         (add-after 'configure 'patch-settings
+           (lambda _
+             ;; libhdf5.settings contains the full path of the
+             ;; compilers used, and its contents are included in
+             ;; libhdf5.so.  We truncate the hashes to avoid
+             ;; unnecessary store references to those compilers:
+             (substitute* "src/libhdf5.settings"
+              (("(/gnu/store/)([a-Z0-9]*)" all prefix hash)
+               (string-append prefix (string-take hash 10) "...")))
              #t))
          (add-after 'install 'patch-references
            (lambda* (#:key inputs outputs #:allow-other-keys)
@@ -666,7 +701,40 @@ incompatible with HDF5.")
                (substitute* (find-files bin "h5p?cc")
                  (("-lz" lib)
                   (string-append "-L" zlib "/lib " lib)))
-               #t))))))
+               #t)))
+         (add-after 'install 'split
+            (lambda* (#:key inputs outputs #:allow-other-keys)
+              ;; Move all fortran-related files
+              (let* ((out (assoc-ref outputs "out"))
+                     (bin (string-append out "/bin"))
+                     (lib (string-append out "/lib"))
+                     (inc (string-append out "/include"))
+                     (ex (string-append out "/share/hdf5_examples/fortran"))
+                     (fort (assoc-ref outputs "fortran"))
+                     (fbin (string-append fort "/bin"))
+                     (flib (string-append fort "/lib"))
+                     (finc (string-append fort "/include"))
+                     (fex (string-append fort "/share/hdf5_examples/fortran")))
+                (mkdir-p fbin)
+                (mkdir-p flib)
+                (mkdir-p finc)
+                (mkdir-p fex)
+                (rename-file (string-append bin "/h5fc")
+                             (string-append fbin "/h5fc"))
+                (for-each (lambda (file)
+                            (rename-file file
+                                         (string-append flib "/" (basename file))))
+                          (find-files lib ".*fortran.*"))
+                (for-each (lambda (file)
+                            (rename-file file
+                                         (string-append finc "/" (basename file))))
+                          (find-files inc ".*mod"))
+                (for-each (lambda (file)
+                            (rename-file file
+                                         (string-append fex "/" (basename file))))
+                          (find-files ex ".*"))
+                (delete-file-recursively ex))
+              #t)))))
     (home-page "http://www.hdfgroup.org")
     (synopsis "Management suite for extremely large and complex data")
     (description "HDF5 is a suite that makes possible the management of
@@ -850,6 +918,29 @@ similar to MATLAB, GNU Octave or SciPy.")
        ("libjpeg" ,libjpeg)))
     (arguments
      `(#:configure-flags '("--enable-doxygen" "--enable-dot" "--enable-hdf4")
+
+       #:phases (modify-phases %standard-phases
+         (add-before 'configure 'fix-source-date
+           (lambda _
+             ;; As we ${SOURCE_DATE_EPOCH} evaluates to "1" in the build
+             ;; environment, `date -u -d ${SOURCE_DATE_EPOCH}` will evaluate
+             ;; to '1st hour of the current day', and therefore makes the
+             ;; package not reproducible.
+             (substitute* "./configure"
+               (("date -u -d \"\\$\\{SOURCE_DATE_EPOCH\\}\"")
+                "date --date='@0'"))
+             #t))
+         (add-after 'configure 'patch-settings
+           (lambda _
+             ;; libnetcdf.settings contains the full filename of the compilers
+             ;; used to build the library.  We truncate the hashes of those
+             ;; filenames to avoid unnecessary references to the corresponding
+             ;; store items.
+             (substitute* "libnetcdf.settings"
+               (("(/gnu/store/)([a-Z0-9]*)" all prefix hash)
+                (string-append prefix (string-take hash 10) "...")))
+             #t)))
+
        #:parallel-tests? #f))           ;various race conditions
     (home-page "http://www.unidata.ucar.edu/software/netcdf/")
     (synopsis "Library for scientific data")
@@ -1946,6 +2037,55 @@ bio-chemistry.")
     ;; See LICENSE_en.txt
     (license license:cecill-c)))
 
+(define-public scotch32
+  ;; This is the 'INTSIZE32' variant, which uses 32-bit integers, as needed by
+  ;; some applications.
+  (package (inherit scotch)
+    (name "scotch32")
+    (arguments
+     (substitute-keyword-arguments (package-arguments scotch)
+       ((#:phases scotch-phases)
+        `(modify-phases ,scotch-phases
+          (replace
+           'configure
+           (lambda _
+             (call-with-output-file "Makefile.inc"
+               (lambda (port)
+                 (format port "
+EXE =
+LIB = .a
+OBJ = .o
+MAKE = make
+AR = ar
+ARFLAGS = -ruv
+CAT = cat
+CCS = gcc
+CCP = mpicc
+CCD = gcc
+CPPFLAGS =~{ -D~a~}
+CFLAGS = -O2 -g -fPIC $(CPPFLAGS)
+LDFLAGS = -lz -lm -lrt -lpthread
+CP = cp
+LEX = flex -Pscotchyy -olex.yy.c
+LN = ln
+MKDIR = mkdir
+MV = mv
+RANLIB = ranlib
+YACC = bison -pscotchyy -y -b y
+"
+                        '("COMMON_FILE_COMPRESS_GZ"
+                          "COMMON_PTHREAD"
+                          "COMMON_RANDOM_FIXED_SEED"
+                          "INTSIZE32"   ;use 32-bit integers.  See INSTALL.txt
+                          ;; Prevents symbolc clashes with libesmumps
+                          "SCOTCH_RENAME"
+                          ;; XXX: Causes invalid frees in superlu-dist tests
+                          ;; "SCOTCH_PTHREAD"
+                          ;; "SCOTCH_PTHREAD_NUMBER=2"
+                          "restrict=__restrict"))))))))))
+    (synopsis
+     "Programs and libraries for graph algorithms (32-bit integers)")))
+
 (define-public pt-scotch
   (package (inherit scotch)
     (name "pt-scotch")
@@ -1969,6 +2109,29 @@ bio-chemistry.")
             (lambda _ (zero? (system* "make" "ptcheck"))))))))
     (synopsis "Programs and libraries for graph algorithms (with MPI)")))
 
+(define-public pt-scotch32
+  (package (inherit scotch32)
+    (name "pt-scotch32")
+    (propagated-inputs
+     `(("openmpi" ,openmpi)))                     ;headers include MPI headers
+    (arguments
+     (substitute-keyword-arguments (package-arguments scotch)
+       ((#:phases scotch-phases)
+        `(modify-phases ,scotch-phases
+           (replace 'build
+             (lambda _
+               (and
+                (zero? (system* "make"
+                                (format #f "-j~a" (parallel-job-count))
+                                "ptscotch" "ptesmumps"))
+                ;; Install the serial metis compatibility library
+                (zero? (system* "make" "-C" "libscotchmetis" "install")))))
+           (replace 'check
+             (lambda _
+               (zero? (system* "make" "ptcheck"))))))))
+    (synopsis
+     "Programs and libraries for graph algorithms (with MPI and 32-bit integers)")))
+
 (define-public metis
   (package
     (name "metis")
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index eb9e869152..c69bd8b101 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -747,14 +747,14 @@ instant messenger with audio and video chat capabilities.")
 (define-public qtox
   (package
     (name "qtox")
-    (version "1.10.1")
+    (version "1.11.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/qTox/qTox/archive/v"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0b37an611i2jdri59vsspyl3yf6cn4h0bn9d2jdrkw8d2rfqc8qy"))
+                "1m1ca1ybgj4yfm6a61yyj21f5jpip8dsbliwkfypswhmv5y52f5y"))
               (file-name (string-append name "-" version ".tar.gz"))))
     (build-system cmake-build-system)
     (arguments
diff --git a/gnu/packages/microcom.scm b/gnu/packages/microcom.scm
index cfa2518f18..aa42e99213 100644
--- a/gnu/packages/microcom.scm
+++ b/gnu/packages/microcom.scm
@@ -32,7 +32,7 @@
     (source (origin
               (method git-fetch)
               (uri (git-reference
-                    (url "git://git.pengutronix.de/git/tools/microcom.git")
+                    (url "https://git.pengutronix.de/git/tools/microcom.git")
                     (commit "v2016.01.0")))
               (file-name (string-append name "-" version "-checkout"))
               (sha256
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 56e6d26493..88d8793631 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2016 Al McElrath <hello@yrns.org>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 John J. Foerch <jjfoerch@earthlink.net>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
@@ -3198,3 +3198,97 @@ specification and header.")
     ;; The DSSI interface is LGPL2.1+, some tests and examples are GPL2+.
     ;; The vast majority of examples are in the public domain.
     (license (list license:lgpl2.1+ license:gpl2+))))
+
+(define-public rosegarden
+  (package
+    (name "rosegarden")
+    (version "17.04")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "mirror://sourceforge/rosegarden/rosegarden/"
+                    version "/rosegarden-" version ".tar.bz2"))
+              (sha256
+               (base32
+                "1khfcj22asdhjh0jvhkqsz200wgmigkhsrcz09ffia5hqm0n32lq"))))
+    (build-system cmake-build-system)
+    (arguments
+     `(#:configure-flags '("-DUSE_QT5=1") ; "-DCMAKE_BUILD_TYPE=Release"
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'patch-tests
+           (lambda _
+             (substitute* "CMakeLists.txt"
+               (("BUILD_TESTING OFF") "BUILD_TESTING ON")
+               ;; Make tests work.
+               ((" -fvisibility=hidden") ""))
+             #t))
+         (add-after 'unpack 'fix-references
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "src/gui/general/ProjectPackager.cpp"
+               (("\"flac\\>")
+                (string-append "\"" (assoc-ref inputs "flac") "/bin/flac"))
+               (("\"wavpack\\>")
+                (string-append "\"" (assoc-ref inputs "wavpack") "/bin/wavpack"))
+               (("\"wvunpack\\>")
+                (string-append "\"" (assoc-ref inputs "wavpack") "/bin/wvunpack"))
+               (("\"bash\\>")
+                (string-append "\"" (assoc-ref inputs "bash") "/bin/bash"))
+               (("\"tar\\>")
+                (string-append "\"" (assoc-ref inputs "tar") "/bin/tar")))
+             (substitute* "src/gui/general/LilyPondProcessor.cpp"
+               (("\"convert-ly\\>")
+                (string-append "\"" (assoc-ref inputs "lilypond") "/bin/convert-ly"))
+               (("\"lilypond\\>")
+                (string-append "\"" (assoc-ref inputs "lilypond") "/bin/lilypond")))
+             #t))
+         (add-after 'unpack 'make-reproducible
+           (lambda _
+             ;; Prevent Last-Modified from being written.
+             ;; The "*.qm" files that are used in locale.qrc would have a new
+             ;; mtime otherwise that is written into qrc_locale.cpp in the
+             ;; end - except when we disable it.
+             (substitute* "src/CMakeLists.txt"
+               (("COMMAND [$][{]QT_RCC_EXECUTABLE[}]")
+                "COMMAND ${QT_RCC_EXECUTABLE} --format-version 1")
+               ;; Extraneous.
+               ;(("qt5_add_resources[(]rg_SOURCES ../data/data.qrc[)]")
+               ; "qt5_add_resources(rg_SOURCES ../data/data.qrc OPTIONS --format-version 1)")
+                )
+             ;; Make hashtable traversal order predicable.
+             (setenv "QT_RCC_TEST" "1") ; important
+             #t))
+         (add-before 'check 'prepare-check
+           (lambda _
+             (setenv "QT_QPA_PLATFORM" "offscreen")
+             ;; Tests create files in $HOME/.local/share/rosegarden .
+             (mkdir-p "/tmp/foo")
+             (setenv "HOME" "/tmp/foo")
+             #t)))))
+    (inputs
+     `(("alsa-lib" ,alsa-lib)
+       ("bash" ,bash)
+       ("dssi" ,dssi)
+       ("flac" ,flac)
+       ("fftwf" ,fftwf)
+       ("jack-2" ,jack-2)
+       ("ladspa" ,ladspa)
+       ("liblo" ,liblo)
+       ("libsamplerate" ,libsamplerate)
+       ("lilypond" ,lilypond)
+       ("lrdf" ,lrdf)
+       ("qtbase" ,qtbase)
+       ("tar" ,tar)
+       ("lirc" ,lirc)
+       ("wavpack" ,wavpack)
+       ("zlib" ,zlib)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("qtlinguist" ,qttools)))
+    (synopsis "Music composition and editing environment based around a MIDI
+sequencer")
+    (description "Rosegarden is a music composition and editing environment
+based around a MIDI sequencer that features a rich understanding of music
+notation and includes basic support for digital audio.")
+    (home-page "http://www.rosegardenmusic.com/")
+    (license license:gpl2)))
diff --git a/gnu/packages/nano.scm b/gnu/packages/nano.scm
index 4d0f89996e..230fa99bac 100644
--- a/gnu/packages/nano.scm
+++ b/gnu/packages/nano.scm
@@ -29,7 +29,7 @@
 (define-public nano
   (package
     (name "nano")
-    (version "2.8.6")
+    (version "2.8.7")
     (source
      (origin
       (method url-fetch)
@@ -37,7 +37,7 @@
                           version ".tar.xz"))
       (sha256
        (base32
-        "0xjpm2ka56x5ycrgjh06v110na13xlbm42bs8qibk7g578m9cils"))))
+        "0nhns59smd43mad2w6lnaxqnj4h6ifnlivi6cwydg646jm31gqzv"))))
     (build-system gnu-build-system)
     (inputs
      `(("gettext" ,gettext-minimal)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index b786b63c20..2730f0c02e 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -417,7 +417,7 @@ and min/max network usage.")
            (lambda* (#:key inputs #:allow-other-keys)
              (substitute* "src/tun.c"
                (("PATH=[^ ]* ")
-                (string-append (assoc-ref inputs "net-tools") "/sbin/")))))
+                (string-append (assoc-ref inputs "net-tools") "/bin/")))))
          (add-before 'check 'delete-failing-tests
            ;; Avoid https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802105.
            (lambda _
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index 43bbdcd6e2..2597775bf7 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -575,6 +575,46 @@ assistant to write formal mathematical proofs using a variety of theorem
 provers.")
     (license license:gpl2+)))
 
+(define-public emacs-tuareg
+  (package
+    (name "emacs-tuareg")
+    (version "2.0.10")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/ocaml/tuareg/archive/"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1r2smclcs63n74lcyckbp90j09wyjdngn816cqzfkw54iwh3hd7q"))))
+    (build-system gnu-build-system)
+    (native-inputs `(("emacs" ,emacs-minimal)
+                     ("opam" ,opam)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (add-before 'install 'fix-install-path
+           (lambda* (#:key outputs #:allow-other-keys)
+             (substitute* "Makefile"
+               (("/emacs/site-lisp")
+                (string-append (assoc-ref %outputs "out")
+                               "/share/emacs/site-lisp/")))
+             #t))
+         (add-after 'install 'post-install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (symlink "tuareg.el"
+                      (string-append (assoc-ref outputs "out")
+                                     "/share/emacs/site-lisp/"
+                                     "tuareg-autoloads.el"))
+             #t)))))
+    (home-page "https://github.com/ocaml/tuareg")
+    (synopsis "OCaml programming mode, REPL, debugger for Emacs")
+    (description "Tuareg helps editing OCaml code, to highlight important
+parts of the code, to run an OCaml REPL, and to run the OCaml debugger within
+Emacs.")
+    (license license:gpl2+)))
+
 (define-public ocaml-menhir
   (package
     (name "ocaml-menhir")
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 9b31f905e4..a6c97e618e 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Muriithi Frederick Muriuki <fredmanglis@gmail.com>
+;;; Copyright © 2017 Oleg Pykhalov <go.wigust@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system python)
+  #:use-module (guix build-system emacs)
   #:use-module ((guix licenses) #:select (gpl2+ gpl3+ lgpl2.1+ asl2.0 bsd-3))
   #:use-module (gnu packages)
   #:use-module (gnu packages guile)
@@ -310,10 +312,11 @@ generated file."
      #t)))
 
 (define-public current-guix
-  (let ((select? (delay (or (git-predicate
-                             (string-append (current-source-directory)
-                                            "/../.."))
-                            source-file?))))
+  (let* ((repository-root (canonicalize-path
+                           (string-append (current-source-directory)
+                                          "/../..")))
+         (select? (delay (or (git-predicate repository-root)
+                             source-file?))))
     (lambda ()
       "Return a package representing Guix built from the current source tree.
 This works by adding the current source tree to the store (after filtering it
@@ -321,7 +324,7 @@ out) and returning a package that uses that as its 'source'."
       (package
         (inherit guix)
         (version (string-append (package-version guix) "+"))
-        (source (local-file "../.." "guix-current"
+        (source (local-file repository-root "guix-current"
                             #:recursive? #t
                             #:select? (force select?)))))))
 
@@ -379,6 +382,23 @@ store, usually the directory /nix/store, where each package has its own unique
 sub-directory.")
     (license lgpl2.1+)))
 
+(define-public emacs-nix-mode
+  (package
+    (inherit nix)
+    (name "emacs-nix-mode")
+    (build-system emacs-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'chdir-elisp
+           ;; Elisp directory is not in root of the source.
+           (lambda _
+             (chdir "misc/emacs"))))))
+    (synopsis "Emacs major mode for editing Nix expressions")
+    (description "@code{nixos-mode} provides an Emacs major mode for editing
+Nix expressions.  It supports syntax highlighting, indenting and refilling of
+comments.")))
+
 (define-public stow
   (package
     (name "stow")
diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch
deleted file mode 100644
index 66034c5703..0000000000
--- a/gnu/packages/patches/gd-CVE-2017-7890.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
-From: LEPILLER Julien <julien@lepiller.eu>
-Date: Thu, 3 Aug 2017 17:04:17 +0200
-Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
-
-The stack allocated color map buffers were not zeroed before usage, and
-so undefined palette indexes could cause information leakage.
-
-This is CVE-2017-7890.
----
- src/gd_gif_in.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index 008d1ec..c195448 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
- 
- 	gdImagePtr im = 0;
- 
-+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+
- 	if(!ReadOK(fd, buf, 6)) {
- 		return 0;
- 	}
--- 
-2.13.3
-
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch
new file mode 100644
index 0000000000..83478c13b3
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch
@@ -0,0 +1,195 @@
+http://openwall.com/lists/oss-security/2017/08/31/3
+http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503774853 18000
+# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036
+# Parent  198ea602ea7cc767dc3022bbcf887bcd4534158d
+JNX: Fix DOS issues
+
+diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
+--- a/coders/jnx.c	Tue Aug 22 08:08:30 2017 -0500
++++ b/coders/jnx.c	Sat Aug 26 14:14:13 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2012-2015 GraphicsMagick Group
++% Copyright (C) 2012-2017 GraphicsMagick Group
+ %
+ % This program is covered by multiple licenses, which are described in
+ % Copyright.txt. You should have received a copy of Copyright.txt with this
+@@ -100,6 +100,7 @@
+ 
+   char img_label_str[MaxTextExtent];
+ 
++
+   alloc_size = TileInfo->PicSize + 2;
+ 
+   if (image->logging)
+@@ -242,6 +243,9 @@
+     total_tiles,
+     current_tile;
+ 
++  magick_off_t
++    file_size;
++
+   /* Open image file. */
+   assert(image_info != (const ImageInfo *) NULL);
+   assert(image_info->signature == MagickSignature);
+@@ -254,9 +258,8 @@
+   if (status == False)
+     ThrowReaderException(FileOpenError, UnableToOpenFile, image);
+ 
+-  memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
+-
+   /* Read JNX image header. */
++  (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
+   JNXHeader.Version = ReadBlobLSBLong(image);
+   if (JNXHeader.Version > 4)
+     ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+@@ -266,8 +269,6 @@
+   JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
+   JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
+   JNXHeader.Levels = ReadBlobLSBLong(image);
+-  if (JNXHeader.Levels > 20)
+-    ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+   JNXHeader.Expiration = ReadBlobLSBLong(image);
+   JNXHeader.ProductID = ReadBlobLSBLong(image);
+   JNXHeader.CRC = ReadBlobLSBLong(image);
+@@ -279,7 +280,41 @@
+   if (EOFBlob(image))
+     ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ 
++  file_size = GetBlobSize(image);
++
++  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                        "JNX Header:\n"
++                        "    Version:    %u\n"
++                        "    DeviceSN:   %u\n"
++                        "    MapBounds:\n"
++                        "      NorthEast: lat = %u, lon = %u\n"
++                        "      SouthWest: lat = %u, lon = %u\n"
++                        "    Levels:     %u\n"
++                        "    Expiration: %u\n"
++                        "    ProductID:  %u\n"
++                        "    CRC:        %u\n"
++                        "    SigVersion: %u\n"
++                        "    SigOffset:  %u\n"
++                        "    ZOrder:     %u",
++                        JNXHeader.Version,
++                        JNXHeader.DeviceSN,
++                        JNXHeader.MapBounds.NorthEast.lat,
++                        JNXHeader.MapBounds.NorthEast.lon,
++                        JNXHeader.MapBounds.SouthWest.lat,
++                        JNXHeader.MapBounds.SouthWest.lon,
++                        JNXHeader.Levels,
++                        JNXHeader.Expiration,
++                        JNXHeader.ProductID,
++                        JNXHeader.CRC,
++                        JNXHeader.SigVersion,
++                        JNXHeader.SigOffset,
++                        JNXHeader.ZOrder);
++
++  if (JNXHeader.Levels > 20)
++    ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
++
+   /* Read JNX image level info. */
++  memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
+   total_tiles = 0;
+   current_tile = 0;
+   for (i = 0; i < JNXHeader.Levels; i++)
+@@ -302,11 +337,23 @@
+         {
+           JNXLevelInfo[i].Copyright = NULL;
+         }
++
++      if (EOFBlob(image))
++        ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++
++      if (image->logging)
++        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                              "Level[%u] Info:"
++                              "  TileCount: %4u"
++                              "  TilesOffset: %6u"
++                              "  Scale: %04u",
++                              i,
++                              JNXLevelInfo[i].TileCount,
++                              JNXLevelInfo[i].TilesOffset,
++                              JNXLevelInfo[i].Scale
++                              );
+     }
+ 
+-  if (EOFBlob(image))
+-    ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+-
+   /* Get the current limit */
+   SaveLimit = GetMagickResourceLimit(MapResource);
+ 
+@@ -316,11 +363,32 @@
+   /* Read JNX image data. */
+   for (i = 0; i < JNXHeader.Levels; i++)
+     {
++      /*
++        Validate TileCount against remaining file data
++      */
++      const magick_off_t current_offset = TellBlob(image);
++      const size_t pos_list_entry_size =
++        sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
++        sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
++        sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
++      const magick_off_t remaining = file_size-current_offset;
++      const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
++
++      if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
++        {
++          (void) SetMagickResourceLimit(MapResource, SaveLimit);
++          ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++        }
++
+       PositionList = MagickAllocateArray(TJNXTileInfo *,
+                                          JNXLevelInfo[i].TileCount,
+                                          sizeof(TJNXTileInfo));
+       if (PositionList == NULL)
+-        continue;
++        {
++          (void) SetMagickResourceLimit(MapResource, SaveLimit);
++          ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
++                               image);
++        }
+ 
+       (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
+       for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
+@@ -333,12 +401,15 @@
+           PositionList[j].PicHeight = ReadBlobLSBShort(image);
+           PositionList[j].PicSize = ReadBlobLSBLong(image);
+           PositionList[j].PicOffset = ReadBlobLSBLong(image);
+-        }
+ 
+-      if (EOFBlob(image))
+-        {
+-          MagickFreeMemory(PositionList);
+-          ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++          if (EOFBlob(image) ||
++              ((magick_off_t) PositionList[j].PicOffset +
++               PositionList[j].PicSize > file_size))
++            {
++              (void) SetMagickResourceLimit(MapResource, SaveLimit);
++              MagickFreeMemory(PositionList);
++              ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++            }
+         }
+ 
+       for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
+@@ -351,6 +422,9 @@
+           image = ExtractTileJPG(image, image_info, PositionList+j, exception);
+           (void) SetMonitorHandler(previous_handler);
+ 
++          if (exception->severity >= ErrorException)
++            break;
++
+           current_tile++;
+           if (QuantumTick(current_tile,total_tiles))
+             if (!MagickMonitorFormatted(current_tile,total_tiles,exception,
+
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch
new file mode 100644
index 0000000000..e129fd58fc
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch
@@ -0,0 +1,179 @@
+http://openwall.com/lists/oss-security/2017/08/31/1
+http://openwall.com/lists/oss-security/2017/08/31/2
+http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e
+
+some changes were made to make the patch apply
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503779175 18000
+# Node ID 233a720bfd5efd378f133a776507ed41230da617
+# Parent  b037d79b6ccd0cfba7ba9ce09b454ed46d688036
+XBM: Fix DOS issues.
+
+diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
+--- a/coders/xbm.c	Sat Aug 26 14:14:13 2017 -0500
++++ b/coders/xbm.c	Sat Aug 26 15:26:15 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003 -2012 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -121,13 +121,15 @@
+ 
+ static int XBMInteger(Image *image,short int *hex_digits)
+ {
++  unsigned int
++    flag;
++
+   int
+     c,
+-    flag,
+     value;
+ 
+   value=0;
+-  flag=0;
++  flag=0U;
+   for ( ; ; )
+   {
+     c=ReadBlobByte(image);
+@@ -158,18 +160,14 @@
+   Image
+     *image;
+ 
+-  int
+-    bit;
+-
+-  long
+-    y;
+-
+   register IndexPacket
+     *indexes;
+ 
+-  register long
++  register size_t
++    bytes_per_line,
+     i,
+-    x;
++    x,
++    y;
+ 
+   register PixelPacket
+     *q;
+@@ -177,22 +175,24 @@
+   register unsigned char
+     *p;
+ 
+-  short int
+-    hex_digits[256];
+-
+   unsigned char
+     *data;
+ 
+   unsigned int
++    bit,
++    byte,
++    padding,
++    version;
++
++  int
++    value;
++
++  short int
++    hex_digits[256];
++
++  MagickPassFail
+     status;
+ 
+-  unsigned long
+-    byte,
+-    bytes_per_line,
+-    padding,
+-    value,
+-    version;
+-
+   /*
+     Open image file.
+   */
+@@ -207,6 +207,8 @@
+   /*
+     Read X bitmap header.
+   */
++  (void) memset(buffer,0,sizeof(buffer));
++  name[0]='\0';
+   while (ReadBlobString(image,buffer) != (char *) NULL)
+     if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
+       if ((strlen(name) >= 6) &&
+@@ -278,6 +280,8 @@
+   /*
+     Initialize hex values.
+   */
++  for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
++    hex_digits[i]=(-1);
+   hex_digits['0']=0;
+   hex_digits['1']=1;
+   hex_digits['2']=2;
+@@ -311,40 +315,50 @@
+   */
+   p=data;
+   if (version == 10)
+-    for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
++    for (i=0; i < (bytes_per_line*image->rows); (i+=2))
+     {
+       value=XBMInteger(image,hex_digits);
++      if (value < 0)
++        {
++          MagickFreeMemory(data);
++          ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++        }
+       *p++=(unsigned char) value;
+       if (!padding || ((i+2) % bytes_per_line))
+         *p++=(unsigned char) (value >> 8);
+     }
+   else
+-    for (i=0; i < (long) (bytes_per_line*image->rows); i++)
++    for (i=0; i < (bytes_per_line*image->rows); i++)
+     {
+       value=XBMInteger(image,hex_digits);
++      if (value < 0)
++        {
++          MagickFreeMemory(data);
++          ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++        }
+       *p++=(unsigned char) value;
+     }
+   /*
+     Convert X bitmap image to pixel packets.
+   */
+   p=data;
+-  for (y=0; y < (long) image->rows; y++)
++  for (y=0; y < image->rows; y++)
+   {
+     q=SetImagePixels(image,0,y,image->columns,1);
+     if (q == (PixelPacket *) NULL)
+       break;
+     indexes=AccessMutableIndexes(image);
+-    bit=0;
+-    byte=0;
+-    for (x=0; x < (long) image->columns; x++)
++    bit=0U;
++    byte=0U;
++    for (x=0; x < image->columns; x++)
+     {
+-      if (bit == 0)
++      if (bit == 0U)
+         byte=(*p++);
+       indexes[x]=byte & 0x01 ? 0x01 : 0x00;
+       bit++;
+-      byte>>=1;
+-      if (bit == 8)
+-        bit=0;
++      byte>>=1U;
++      if (bit == 8U)
++        bit=0U;
+     }
+     if (!SyncImagePixels(image))
+       break;
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
new file mode 100644
index 0000000000..b0277a2d23
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-0663:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
+https://security-tracker.debian.org/tracker/CVE-2017-0663
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
+
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a0..c51ea290 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ 	}
+     }
+ 
++    /*
++     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++     * xmlAddID and xmlAddRef for namespace declarations, but it makes
++     * no practical sense to use ID types anyway.
++     */
++#if 0
+     /* Validity Constraint: ID uniqueness */
+     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ 	    ret = 0;
+     }
++#endif
+ 
+     /* Validity Constraint: Notation Attributes */
+     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
new file mode 100644
index 0000000000..32af1ff6ba
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-7375:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
+https://security-tracker.debian.org/tracker/CVE-2017-7375
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
+
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a2703..c2c812de 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ 	    if (xmlPushInput(ctxt, input) < 0)
+ 		return;
+ 	} else {
++	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++		((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++		((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++		(ctxt->replaceEntities == 0) &&
++		(ctxt->validate == 0))
++		return;
++
+ 	    /*
+ 	     * TODO !!!
+ 	     * handle the extra spaces added before and after
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
new file mode 100644
index 0000000000..5b9e45bd83
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-7376:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
+https://security-tracker.debian.org/tracker/CVE-2017-7376
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
+
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad75..373425de 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+     if (ctxt->port != 80) {
+ 	/* reserve space for ':xxxxx', incl. potential proxy */
+ 	if (proxy)
+-	    blen += 12;
++	    blen += 17;
+ 	else
+-	    blen += 6;
++	    blen += 11;
+     }
+     bp = (char*)xmlMallocAtomic(blen);
+     if ( bp == NULL ) {
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
new file mode 100644
index 0000000000..0a0e6d34cf
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
@@ -0,0 +1,130 @@
+Fix CVE-2017-{9047,9048}:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)
+https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
+http://www.openwall.com/lists/oss-security/2017/05/15/1
+https://security-tracker.debian.org/tracker/CVE-2017-9047
+https://security-tracker.debian.org/tracker/CVE-2017-9048
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 3 Jun 2017 02:01:29 +0200
+Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+
+Thanks to Marcel Böhme and Thuan Pham for the report.
+---
+ result/valid/781333.xml         |  5 +++++
+ result/valid/781333.xml.err     |  3 +++
+ result/valid/781333.xml.err.rdr |  6 ++++++
+ test/valid/781333.xml           |  4 ++++
+ valid.c                         | 20 +++++++++++---------
+ 5 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 result/valid/781333.xml
+ create mode 100644 result/valid/781333.xml.err
+ create mode 100644 result/valid/781333.xml.err.rdr
+ create mode 100644 test/valid/781333.xml
+
+diff --git a/result/valid/781333.xml b/result/valid/781333.xml
+new file mode 100644
+index 00000000..45dc451d
+--- /dev/null
++++ b/result/valid/781333.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE a [
++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
+new file mode 100644
+index 00000000..b401b49a
+--- /dev/null
++++ b/result/valid/781333.xml.err
+@@ -0,0 +1,3 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
++<a/>
++    ^
+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
+new file mode 100644
+index 00000000..5ff56992
+--- /dev/null
++++ b/result/valid/781333.xml.err.rdr
+@@ -0,0 +1,6 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
++<a/>
++    ^
++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
++
++^
+diff --git a/test/valid/781333.xml b/test/valid/781333.xml
+new file mode 100644
+index 00000000..b29e5a68
+--- /dev/null
++++ b/test/valid/781333.xml
+@@ -0,0 +1,4 @@
++<!DOCTYPE a [
++    <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/valid.c b/valid.c
+index 19f84b82..9b2df56a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+         case XML_ELEMENT_CONTENT_PCDATA:
+             strcat(buf, "#PCDATA");
+ 	    break;
+-	case XML_ELEMENT_CONTENT_ELEMENT:
++	case XML_ELEMENT_CONTENT_ELEMENT: {
++            int qnameLen = xmlStrlen(content->name);
++
++	    if (content->prefix != NULL)
++                qnameLen += xmlStrlen(content->prefix) + 1;
++	    if (size - len < qnameLen + 10) {
++		strcat(buf, " ...");
++		return;
++	    }
+ 	    if (content->prefix != NULL) {
+-		if (size - len < xmlStrlen(content->prefix) + 10) {
+-		    strcat(buf, " ...");
+-		    return;
+-		}
+ 		strcat(buf, (char *) content->prefix);
+ 		strcat(buf, ":");
+ 	    }
+-	    if (size - len < xmlStrlen(content->name) + 10) {
+-		strcat(buf, " ...");
+-		return;
+-	    }
+ 	    if (content->name != NULL)
+ 		strcat(buf, (char *) content->name);
+ 	    break;
++        }
+ 	case XML_ELEMENT_CONTENT_SEQ:
+ 	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ 	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ 		xmlSnprintfElementContent(buf, size, content->c2, 0);
+ 	    break;
+     }
++    if (size - strlen(buf) <= 2) return;
+     if (englob)
+         strcat(buf, ")");
+     switch (content->ocur) {
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
new file mode 100644
index 0000000000..890e9c2284
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
@@ -0,0 +1,319 @@
+Fix CVE-2017-{9049,9050}:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)
+https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public)
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
+http://www.openwall.com/lists/oss-security/2017/05/15/1
+https://security-tracker.debian.org/tracker/CVE-2017-9049
+https://security-tracker.debian.org/tracker/CVE-2017-9050
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+Changes to 'runtest.c' are removed since they introduce test failure
+when applying to libxml2 2.9.4 release tarball.
+
+From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 5 Jun 2017 15:37:17 +0200
+Subject: [PATCH] Fix handling of parameter-entity references
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+
+The percent sign is not allowed in names, which are grammatical tokens.
+
+- xmlParseEntityValue
+
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+
+- xmlParseSystemLiteral
+
+Parameter-entity references are ignored in the system literal.
+
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+
+Parameter-entity references are ignored outside the DTD.
+
+- xmlLoadEntityContent
+
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+
+This bug could also be triggered with an internal subset and double
+entity expansion.
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+---
+ Makefile.am                     | 18 ++++++++++++++++++
+ parser.c                        | 18 ++++++++++--------
+ result/errors10/781205.xml      |  0
+ result/errors10/781205.xml.err  | 21 +++++++++++++++++++++
+ result/errors10/781361.xml      |  0
+ result/errors10/781361.xml.err  | 13 +++++++++++++
+ result/valid/766956.xml         |  0
+ result/valid/766956.xml.err     |  9 +++++++++
+ result/valid/766956.xml.err.rdr | 10 ++++++++++
+ runtest.c                       |  3 +++
+ test/errors10/781205.xml        |  3 +++
+ test/errors10/781361.xml        |  3 +++
+ test/valid/766956.xml           |  2 ++
+ test/valid/dtds/766956.dtd      |  2 ++
+ 14 files changed, 94 insertions(+), 8 deletions(-)
+ create mode 100644 result/errors10/781205.xml
+ create mode 100644 result/errors10/781205.xml.err
+ create mode 100644 result/errors10/781361.xml
+ create mode 100644 result/errors10/781361.xml.err
+ create mode 100644 result/valid/766956.xml
+ create mode 100644 result/valid/766956.xml.err
+ create mode 100644 result/valid/766956.xml.err.rdr
+ create mode 100644 test/errors10/781205.xml
+ create mode 100644 test/errors10/781361.xml
+ create mode 100644 test/valid/766956.xml
+ create mode 100644 test/valid/dtds/766956.dtd
+
+diff --git a/Makefile.am b/Makefile.am
+index 6fc8ffa9..10e716a5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
+ 	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
+ 	      rm result.$$name error.$$name ; \
+ 	  fi ; fi ; done)
++	@echo "## Error cases regression tests (old 1.0)"
++	-@(for i in $(srcdir)/test/errors10/*.xml ; do \
++	  name=`basename $$i`; \
++	  if [ ! -d $$i ] ; then \
++	  if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
++	      echo New test file $$name ; \
++	      $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
++	         2> $(srcdir)/result/errors10/$$name.err \
++		 > $(srcdir)/result/errors10/$$name ; \
++	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
++	  else \
++	      log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
++	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
++	      diff $(srcdir)/result/errors10/$$name result.$$name ; \
++	      diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
++	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
++	      rm result.$$name error.$$name ; \
++	  fi ; fi ; done)
+ 	@echo "## Error cases stream regression tests"
+ 	-@(for i in $(srcdir)/test/errors/*.xml ; do \
+ 	  name=`basename $$i`; \
+diff --git a/parser.c b/parser.c
+index df2efa55..a175ac4e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ 	ctxt->input->line++; ctxt->input->col = 1;			\
+     } else ctxt->input->col++;						\
+     ctxt->input->cur += l;				\
+-    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
+   } while (0)
+ 
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ 	    len += l;
+ 	    NEXTL(l);
+ 	    c = CUR_CHAR(l);
+-	    if (c == 0) {
+-		count = 0;
+-		GROW;
+-                if (ctxt->instate == XML_PARSER_EOF)
+-                    return(NULL);
+-		c = CUR_CHAR(l);
+-	    }
+ 	}
+     }
+     if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
++    if (ctxt->input->cur - ctxt->input->base < len) {
++        /*
++         * There were a couple of bugs where PERefs lead to to a change
++         * of the buffer. Check the buffer size to avoid passing an invalid
++         * pointer to xmlDictLookup.
++         */
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++                    "unexpected change of input buffer");
++        return (NULL);
++    }
+     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 00000000..da15c3f7
+--- /dev/null
++++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %a; 
++    ^
++Entity: line 1: 
++<:0000
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %a; 
++    ^
++Entity: line 1: 
++<:0000
++^
++namespace error : Failed to parse QName ':0000'
++ %a; 
++    ^
++<:0000
++      ^
++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
++
++^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 00000000..655f41a2
+--- /dev/null
++++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
++
++^
++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++
++^
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
++
++^
++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
++
++^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 00000000..34b1dae6
+--- /dev/null
++++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++   ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent; 
++      ^
++Entity: line 1: 
++value
++^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 00000000..77603462
+--- /dev/null
++++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++   ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent; 
++      ^
++Entity: line 1: 
++value
++^
++./test/valid/766956.xml : failed to parse
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 00000000..d9e9e839
+--- /dev/null
++++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE D [
++  <!ENTITY % a "<:0000">
++  %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 00000000..67476bcb
+--- /dev/null
++++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE doc [
++  <!ENTITY % elem "<!ELEMENT e0000000000">
++  %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 00000000..19a95a0e
+--- /dev/null
++++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
++<!DOCTYPE test SYSTEM "dtds/766956.dtd">
++<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 00000000..dddde68b
+--- /dev/null
++++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
++<!ENTITY % ent "value">
++%ä%ent;
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/libzip-CVE-2017-12858.patch b/gnu/packages/patches/libzip-CVE-2017-12858.patch
new file mode 100644
index 0000000000..8125173f95
--- /dev/null
+++ b/gnu/packages/patches/libzip-CVE-2017-12858.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-12858:
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12858
+
+Patch copied from upstream source repository:
+
+https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796
+
+From 2217022b7d1142738656d891e00b3d2d9179b796 Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <tk@giga.or.at>
+Date: Mon, 14 Aug 2017 10:55:44 +0200
+Subject: [PATCH] Fix double free().
+
+Found by Brian 'geeknik' Carpenter using AFL.
+---
+ THANKS           | 1 +
+ lib/zip_dirent.c | 3 ---
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/THANKS b/THANKS
+index be0cca9..a80ee1d 100644
+--- a/THANKS
++++ b/THANKS
+@@ -12,6 +12,7 @@ BALATON Zoltan <balaton@eik.bme.hu>
+ Benjamin Gilbert <bgilbert@backtick.net>
+ Boaz Stolk <bstolk@aweta.nl>
+ Bogdan <bogiebog@gmail.com>
++Brian 'geeknik' Carpenter <geeknik@protonmail.ch>
+ Chris Nehren <cnehren+libzip@pobox.com>
+ Coverity <info@coverity.com>
+ Dane Springmeyer <dane.springmeyer@gmail.com>
+diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c
+index a369900..e5a7cc9 100644
+--- a/lib/zip_dirent.c
++++ b/lib/zip_dirent.c
+@@ -579,9 +579,6 @@ _zip_dirent_read(zip_dirent_t *zde, zip_source_t *src, zip_buffer_t *buffer, boo
+     }
+ 
+     if (!_zip_dirent_process_winzip_aes(zde, error)) {
+-	if (!from_buffer) {
+-	    _zip_buffer_free(buffer);
+-	}
+ 	return -1;
+     }
+ 
diff --git a/gnu/packages/patches/metabat-fix-boost-issue.patch b/gnu/packages/patches/metabat-fix-boost-issue.patch
deleted file mode 100644
index 3382d84d66..0000000000
--- a/gnu/packages/patches/metabat-fix-boost-issue.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-This patch fixes the issue described at
-https://bitbucket.org/berkeleylab/metabat/issues/28/compilation-fail-with-boost-164
-
-diff --git a/src/metabat.h b/src/metabat.h
-index 32ae94c..2292c04 100644
---- a/src/metabat.h
-+++ b/src/metabat.h
-@@ -35,6 +35,7 @@ KSEQ_INIT(gzFile, gzread)
- 
- #include <boost/program_options.hpp>
- #include <boost/algorithm/string.hpp>
-+#include <boost/serialization/array_wrapper.hpp>
- #include <boost/numeric/ublas/matrix.hpp>
- #include <boost/math/distributions.hpp>
- #include <boost/serialization/serialization.hpp>
-diff --git a/src/metabat2.h b/src/metabat2.h
-index 60a9998..19fa815 100644
---- a/src/metabat2.h
-+++ b/src/metabat2.h
-@@ -41,6 +41,7 @@ KSEQ_INIT(gzFile, gzread)
- 
- #include <boost/program_options.hpp>
- #include <boost/algorithm/string.hpp>
-+#include <boost/serialization/array_wrapper.hpp>
- #include <boost/numeric/ublas/matrix.hpp>
- #include <boost/numeric/ublas/matrix_sparse.hpp>
- #include <boost/numeric/ublas/matrix_proxy.hpp>
diff --git a/gnu/packages/patches/metabat-remove-compilation-date.patch b/gnu/packages/patches/metabat-remove-compilation-date.patch
deleted file mode 100644
index 7672205b22..0000000000
--- a/gnu/packages/patches/metabat-remove-compilation-date.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Remove the reference to the compilation date so that the build is
-reproducible.
-
-diff --git a/src/metabat.cpp b/src/metabat.cpp
-index 88e06de..c95cb1a 100644
---- a/src/metabat.cpp
-+++ b/src/metabat.cpp
-@@ -49,7 +49,7 @@ int main(int ac, char* av[]) {
- 	po::notify(vm);
- 
- 	if (vm.count("help") || inFile.length() == 0 || outFile.length() == 0) {
--		cerr << "\nMetaBAT: Metagenome Binning based on Abundance and Tetranucleotide frequency (version " << version << "; " << __DATE__ << " " << __TIME__ << ")" << endl;
-+		cerr << "\nMetaBAT: Metagenome Binning based on Abundance and Tetranucleotide frequency (version " << version << "; unknown compilation date)" << endl;
- 		cerr << "by Don Kang (ddkang@lbl.gov), Jeff Froula, Rob Egan, and Zhong Wang (zhongwang@lbl.gov) \n" << endl;
- 		cerr << desc << endl << endl;
- 
diff --git a/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch b/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch
deleted file mode 100644
index 87be6142f4..0000000000
--- a/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Without this patch, the incorrect exception is caught when 'git' is not in
-PATH.  See https://github.com/ewels/MultiQC/pull/377.
-
-diff --git a/multiqc/utils/config.py b/multiqc/utils/config.py
-index 01fa554..4a11793 100755
---- a/multiqc/utils/config.py
-+++ b/multiqc/utils/config.py
-@@ -28,7 +28,7 @@ try:
-     git_hash = subprocess.check_output(['git', 'rev-parse', 'HEAD'], stderr=subprocess.STDOUT)
-     git_hash_short = git_hash[:7]
-     version = '{} ({})'.format(version, git_hash_short)
--except subprocess.CalledProcessError:
-+except (subprocess.CalledProcessError, FileNotFoundError):
-     pass
- os.chdir(cwd)
- 
diff --git a/gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch b/gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch
new file mode 100644
index 0000000000..f1db5d7c3b
--- /dev/null
+++ b/gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch
@@ -0,0 +1,29 @@
+From ca548da9ba78ddee90779051210e3e89185e4f7d Mon Sep 17 00:00:00 2001
+From: Michel Alexandre Salim <michel@michel-slm.name>
+Date: Mon, 15 Feb 2016 23:03:42 +0700
+Subject: coverage-4.0a6 compatibility
+
+coverage 4.0a6 no longer generates .coverage file, so use -f when
+deleting .coverage to ensure deletion does not fail.
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'Makefile')
+
+diff --git a/Makefile b/Makefile
+index 7818f57..362c07f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -23,7 +23,7 @@ fsck-larch.1: fsck-larch.1.in fsck-larch
+ 
+ check:
+ 	python -m CoverageTestRunner --ignore-missing-from=without-tests
+-	rm .coverage
++	rm -f .coverage
+ 	./insert-remove-test tempdir 100
+ 	rm -r tempdir larch.log
+ 	cmdtest tests
+-- 
+cgit v1.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patch
deleted file mode 100644
index 2b60de3dca..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-10664.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix CVE-2017-10664:
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
-https://bugzilla.redhat.com/show_bug.cgi?id=1466190
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664
-https://security-tracker.debian.org/tracker/CVE-2017-10664
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
-
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 9464a0461c..4dd3fd4732 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -581,6 +581,10 @@ int main(int argc, char **argv)
-     sa_sigterm.sa_handler = termsig_handler;
-     sigaction(SIGTERM, &sa_sigterm, NULL);
- 
-+#ifdef CONFIG_POSIX
-+    signal(SIGPIPE, SIG_IGN);
-+#endif
-+
-     module_call_init(MODULE_INIT_TRACE);
-     qcrypto_init(&error_fatal);
- 
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patch
deleted file mode 100644
index ebf782fe7b..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-10806.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fix CVE-2017-10806:
-
-https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
-https://bugzilla.redhat.com/show_bug.cgi?id=1468496
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806
-https://security-tracker.debian.org/tracker/CVE-2017-10806
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index b001a27f05..ad5ef783a6 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
- static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
-     const uint8_t *data, int len)
- {
--    int i, j, n;
--
-     if (dev->debug < usbredirparser_debug_data) {
-         return;
-     }
--
--    for (i = 0; i < len; i += j) {
--        char buf[128];
--
--        n = sprintf(buf, "%s", desc);
--        for (j = 0; j < 8 && i + j < len; j++) {
--            n += sprintf(buf + n, " %02X", data[i + j]);
--        }
--        error_report("%s", buf);
--    }
-+    qemu_hexdump((char *)data, stderr, desc, len);
- }
- 
- /*
diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch
deleted file mode 100644
index 1dcb860a2d..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-10911.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-Fix CVE-2017-10911:
-
-https://xenbits.xen.org/xsa/advisory-216.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
-https://security-tracker.debian.org/tracker/CVE-2017-10911
-
-Patch copied from Xen Security Advisory:
-
-https://xenbits.xen.org/xsa/xsa216-qemuu.patch
-
---- a/hw/block/xen_blkif.h
-+++ b/hw/block/xen_blkif.h
-@@ -14,9 +14,6 @@
- struct blkif_common_request {
-     char dummy;
- };
--struct blkif_common_response {
--    char dummy;
--};
- 
- /* i386 protocol version */
- #pragma pack(push, 4)
-@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {
-     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  */
-     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   */
- };
--struct blkif_x86_32_response {
--    uint64_t        id;              /* copied from request */
--    uint8_t         operation;       /* copied from request */
--    int16_t         status;          /* BLKIF_RSP_???       */
--};
- typedef struct blkif_x86_32_request blkif_x86_32_request_t;
--typedef struct blkif_x86_32_response blkif_x86_32_response_t;
- #pragma pack(pop)
- 
- /* x86_64 protocol version */
-@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {
-     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  */
-     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   */
- };
--struct blkif_x86_64_response {
--    uint64_t       __attribute__((__aligned__(8))) id;
--    uint8_t         operation;       /* copied from request */
--    int16_t         status;          /* BLKIF_RSP_???       */
--};
- typedef struct blkif_x86_64_request blkif_x86_64_request_t;
--typedef struct blkif_x86_64_response blkif_x86_64_response_t;
- 
- DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
--                  struct blkif_common_response);
-+                  struct blkif_response);
- DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
--                  struct blkif_x86_32_response);
-+                  struct blkif_response QEMU_PACKED);
- DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
--                  struct blkif_x86_64_response);
-+                  struct blkif_response);
- 
- union blkif_back_rings {
-     blkif_back_ring_t        native;
---- a/hw/block/xen_disk.c
-+++ b/hw/block/xen_disk.c
-@@ -769,31 +769,30 @@ static int blk_send_response_one(struct
-     struct XenBlkDev  *blkdev = ioreq->blkdev;
-     int               send_notify   = 0;
-     int               have_requests = 0;
--    blkif_response_t  resp;
--    void              *dst;
--
--    resp.id        = ioreq->req.id;
--    resp.operation = ioreq->req.operation;
--    resp.status    = ioreq->status;
-+    blkif_response_t  *resp;
- 
-     /* Place on the response ring for the relevant domain. */
-     switch (blkdev->protocol) {
-     case BLKIF_PROTOCOL_NATIVE:
--        dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
-+        resp = RING_GET_RESPONSE(&blkdev->rings.native,
-+                                 blkdev->rings.native.rsp_prod_pvt);
-         break;
-     case BLKIF_PROTOCOL_X86_32:
--        dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
--                                blkdev->rings.x86_32_part.rsp_prod_pvt);
-+        resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
-+                                 blkdev->rings.x86_32_part.rsp_prod_pvt);
-         break;
-     case BLKIF_PROTOCOL_X86_64:
--        dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
--                                blkdev->rings.x86_64_part.rsp_prod_pvt);
-+        resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
-+                                 blkdev->rings.x86_64_part.rsp_prod_pvt);
-         break;
-     default:
--        dst = NULL;
-         return 0;
-     }
--    memcpy(dst, &resp, sizeof(resp));
-+
-+    resp->id        = ioreq->req.id;
-+    resp->operation = ioreq->req.operation;
-+    resp->status    = ioreq->status;
-+
-     blkdev->rings.common.rsp_prod_pvt++;
- 
-     RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
diff --git a/gnu/packages/patches/qemu-CVE-2017-11334.patch b/gnu/packages/patches/qemu-CVE-2017-11334.patch
deleted file mode 100644
index cb68c803aa..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-11334.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Fix CVE-2017-11334:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1471638
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334
-
-Patch copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0
-
-From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 12 Jul 2017 18:08:40 +0530
-Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram
-
-When accessing guest's ram block during DMA operation, use
-'qemu_ram_ptr_length' to get ram block pointer. It ensures
-that DMA operation of given length is possible; And avoids
-any OOB memory access situations.
-
-Reported-by: Alex <broscutamaker@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- exec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/exec.c b/exec.c
-index a083ff89ad..ad103ce483 100644
---- a/exec.c
-+++ b/exec.c
-@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
-             }
-         } else {
-             /* RAM case */
--            ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
-+            ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
-             memcpy(ptr, buf, l);
-             invalidate_and_set_dirty(mr, addr1, l);
-         }
-@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
-             }
-         } else {
-             /* RAM case */
--            ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
-+            ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
-             memcpy(buf, ptr, l);
-         }
- 
--- 
-2.13.3
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patch
deleted file mode 100644
index 4da701a73d..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-11434.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Fix CVE-2017-11434:
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
-https://bugzilla.redhat.com/show_bug.cgi?id=1472611
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434
-https://security-tracker.debian.org/tracker/CVE-2017-11434
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0
-
-diff --git a/slirp/bootp.c b/slirp/bootp.c
-index 5a4646c182..5dd1a415b5 100644
---- a/slirp/bootp.c
-+++ b/slirp/bootp.c
-@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
-             if (p >= p_end)
-                 break;
-             len = *p++;
-+            if (p + len > p_end) {
-+                break;
-+            }
-             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
- 
-             switch(tag) {
diff --git a/gnu/packages/patches/qemu-CVE-2017-12809.patch b/gnu/packages/patches/qemu-CVE-2017-12809.patch
deleted file mode 100644
index e40a14b4e0..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-12809.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/21/2
-https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html
-
-The block backend changed in a way that flushing empty CDROM drives now
-crashes.  Amend IDE to avoid doing so until the root problem can be
-addressed for 2.11.
-
-Original patch by John Snow <address@hidden>.
-
-Reported-by: Kieron Shorrock <address@hidden>
-Signed-off-by: Stefan Hajnoczi <address@hidden>
----
- hw/ide/core.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 0b48b64d3a..bea39536b0 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s)
-     s->status |= BUSY_STAT;
-     ide_set_retry(s);
-     block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
--    s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
-+
-+    if (blk_bs(s->blk)) {
-+        s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
-+    } else {
-+        /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this
-+         * temporary workaround when blk_aio_*() functions handle NULL blk_bs.
-+         */
-+        ide_flush_cb(s, 0);
-+    }
- }
-      
- static void ide_cfata_metadata_inquiry(IDEState *s)
--- 
-2.13.3
diff --git a/gnu/packages/patches/qemu-CVE-2017-7493.patch b/gnu/packages/patches/qemu-CVE-2017-7493.patch
deleted file mode 100644
index 67b26fad81..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-7493.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-Fix CVE-2017-7493:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493
-
-Patch copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b
-
-From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Fri, 5 May 2017 14:48:08 +0200
-Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
-
-When using the mapped-file security mode, we shouldn't let the client mess
-with the metadata. The current code already tries to hide the metadata dir
-from the client by skipping it in local_readdir(). But the client can still
-access or modify it through several other operations. This can be used to
-escalate privileges in the guest.
-
-Affected backend operations are:
-- local_mknod()
-- local_mkdir()
-- local_open2()
-- local_symlink()
-- local_link()
-- local_unlinkat()
-- local_renameat()
-- local_rename()
-- local_name_to_path()
-
-Other operations are safe because they are only passed a fid path, which
-is computed internally in local_name_to_path().
-
-This patch converts all the functions listed above to fail and return
-EINVAL when being passed the name of the metadata dir. This may look
-like a poor choice for errno, but there's no such thing as an illegal
-path name on Linux and I could not think of anything better.
-
-This fixes CVE-2017-7493.
-
-Reported-by: Leo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
----
- hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index f3ebca4f7a..a2486566af 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
-     return telldir(fs->dir.stream);
- }
- 
-+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
-+{
-+    return !strcmp(name, VIRTFS_META_DIR);
-+}
-+
- static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
- {
-     struct dirent *entry;
-@@ -465,8 +470,8 @@ again:
-     if (ctx->export_flags & V9FS_SM_MAPPED) {
-         entry->d_type = DT_UNKNOWN;
-     } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
--        if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
--            /* skp the meta data directory */
-+        if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
-+            /* skip the meta data directory */
-             goto again;
-         }
-         entry->d_type = DT_UNKNOWN;
-@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
-     if (dirfd == -1) {
-         return -1;
-@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
-     if (dirfd == -1) {
-         return -1;
-@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     /*
-      * Mark all the open to not follow symlinks
-      */
-@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
-     if (dirfd == -1) {
-         return -1;
-@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
-     int ret = -1;
-     int odirfd, ndirfd;
- 
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     odirfd = local_opendir_nofollow(ctx, odirpath);
-     if (odirfd == -1) {
-         goto out;
-@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
- static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
-                               const char *name, V9fsPath *target)
- {
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     if (dir_path) {
-         v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
-     } else if (strcmp(name, "/")) {
-@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
-     int ret;
-     int odirfd, ndirfd;
- 
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        (local_is_mapped_file_metadata(ctx, old_name) ||
-+         local_is_mapped_file_metadata(ctx, new_name))) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     odirfd = local_opendir_nofollow(ctx, olddir->data);
-     if (odirfd == -1) {
-         return -1;
-@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
-     int ret;
-     int dirfd;
- 
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(ctx, dir->data);
-     if (dirfd == -1) {
-         return -1;
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch
deleted file mode 100644
index 88b33aa2f0..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-8112.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2017-8112:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
-
-Patch copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e
-
-From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 25 Apr 2017 18:36:23 +0530
-Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
-
-A guest could set the message ring page count to zero, resulting in
-infinite loop. Add check to avoid it.
-
-Reported-by: YY Z <bigbird475958471@gmail.com>
-Signed-off-by: P J P <ppandit@redhat.com>
-Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
-Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/vmw_pvscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 75575461e2..4a106da856 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
-     uint32_t len_log2;
-     uint32_t ring_size;
- 
--    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-         return -1;
-     }
-     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch
deleted file mode 100644
index dc4b4006b7..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-8309.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Fix CVE-2017-8309:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
-
-Patch copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a
-
-From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Fri, 28 Apr 2017 09:56:12 +0200
-Subject: [PATCH] audio: release capture buffers
-
-AUD_add_capture() allocates two buffers which are never released.
-Add the missing calls to AUD_del_capture().
-
-Impact: Allows vnc clients to exhaust host memory by repeatedly
-starting and stopping audio capture.
-
-Fixes: CVE-2017-8309
-Cc: P J P <ppandit@redhat.com>
-Cc: Huawei PSIRT <PSIRT@huawei.com>
-Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170428075612.9997-1-kraxel@redhat.com
----
- audio/audio.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/audio/audio.c b/audio/audio.c
-index c8898d8422..beafed209b 100644
---- a/audio/audio.c
-+++ b/audio/audio.c
-@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
-                     sw = sw1;
-                 }
-                 QLIST_REMOVE (cap, entries);
-+                g_free (cap->hw.mix_buf);
-+                g_free (cap->buf);
-                 g_free (cap);
-             }
-             return;
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch
deleted file mode 100644
index 200b133d3e..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-8379.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-Fix CVE-2017-8379:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379
-
-Patch copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
-
-From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Fri, 28 Apr 2017 10:42:37 +0200
-Subject: [PATCH] input: limit kbd queue depth
-
-Apply a limit to the number of items we accept into the keyboard queue.
-
-Impact: Without this limit vnc clients can exhaust host memory by
-sending keyboard events faster than qemu feeds them to the guest.
-
-Fixes: CVE-2017-8379
-Cc: P J P <ppandit@redhat.com>
-Cc: Huawei PSIRT <PSIRT@huawei.com>
-Reported-by: jiangxin1@huawei.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20170428084237.23960-1-kraxel@redhat.com
----
- ui/input.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ui/input.c b/ui/input.c
-index ed88cda6d6..fb1f404095 100644
---- a/ui/input.c
-+++ b/ui/input.c
-@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
-     QTAILQ_HEAD_INITIALIZER(kbd_queue);
- static QEMUTimer *kbd_timer;
- static uint32_t kbd_default_delay_ms = 10;
-+static uint32_t queue_count;
-+static uint32_t queue_limit = 1024;
- 
- QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
-                                                    QemuInputHandler *handler)
-@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
-             break;
-         }
-         QTAILQ_REMOVE(queue, item, node);
-+        queue_count--;
-         g_free(item);
-     }
- }
-@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
-     item->delay_ms = delay_ms;
-     item->timer = timer;
-     QTAILQ_INSERT_TAIL(queue, item, node);
-+    queue_count++;
- 
-     if (start_timer) {
-         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
-@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
-     item->src = src;
-     item->evt = evt;
-     QTAILQ_INSERT_TAIL(queue, item, node);
-+    queue_count++;
- }
- 
- static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
-@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
- 
-     item->type = QEMU_INPUT_QUEUE_SYNC;
-     QTAILQ_INSERT_TAIL(queue, item, node);
-+    queue_count++;
- }
- 
- void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
-@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
-         qemu_input_event_send(src, evt);
-         qemu_input_event_sync();
-         qapi_free_InputEvent(evt);
--    } else {
-+    } else if (queue_count < queue_limit) {
-         qemu_input_queue_event(&kbd_queue, src, evt);
-         qemu_input_queue_sync(&kbd_queue);
-     }
-@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
-         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
-                                  &kbd_queue);
-     }
--    qemu_input_queue_delay(&kbd_queue, kbd_timer,
--                           delay_ms ? delay_ms : kbd_default_delay_ms);
-+    if (queue_count < queue_limit) {
-+        qemu_input_queue_delay(&kbd_queue, kbd_timer,
-+                               delay_ms ? delay_ms : kbd_default_delay_ms);
-+    }
- }
- 
- InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch
deleted file mode 100644
index 65e49fc885..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-8380.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix CVE-2017-8380:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380
-
-Patch copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
-
-From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 24 Apr 2017 17:36:34 +0530
-Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
-
-While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
-an off-by-one error could occur as 's->adp_reset' index is not
-reset after reading the last sequence.
-
-Reported-by: YY Z <bigbird475958471@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 84b8caf901..804122ab05 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
-     case MFI_SEQ:
-         trace_megasas_mmio_writel("MFI_SEQ", val);
-         /* Magic sequence to start ADP reset */
--        if (adp_reset_seq[s->adp_reset] == val) {
--            s->adp_reset++;
-+        if (adp_reset_seq[s->adp_reset++] == val) {
-+            if (s->adp_reset == 6) {
-+                s->adp_reset = 0;
-+                s->diag = MFI_DIAG_WRITE_ENABLE;
-+            }
-         } else {
-             s->adp_reset = 0;
-             s->diag = 0;
-         }
--        if (s->adp_reset == 6) {
--            s->diag = MFI_DIAG_WRITE_ENABLE;
--        }
-         break;
-     case MFI_DIAG:
-         trace_megasas_mmio_writel("MFI_DIAG", val);
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-9524.patch b/gnu/packages/patches/qemu-CVE-2017-9524.patch
deleted file mode 100644
index 57160055e3..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-9524.patch
+++ /dev/null
@@ -1,287 +0,0 @@
-Fix CVE-2017-9524:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9524
-http://seclists.org/oss-sec/2017/q2/454
-
-Patches copied from upstream source repository:
-
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af
-http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0c9390d978cbf61e8f16c9f580fa96b305c43568
-
-From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Fri, 26 May 2017 22:04:21 -0500
-Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation
-
-If a non-NBD client connects to qemu-nbd, we would end up with
-a SIGSEGV in nbd_client_put() because we were trying to
-unregister the client's association to the export, even though
-we skipped inserting the client into that list.  Easy trigger
-in two terminals:
-
-$ qemu-nbd -p 30001 --format=raw file
-$ nmap 127.0.0.1 -p 30001
-
-nmap claims that it thinks it connected to a pago-services1
-server (which probably means nmap could be updated to learn the
-NBD protocol and give a more accurate diagnosis of the open
-port - but that's not our problem), then terminates immediately,
-so our call to nbd_negotiate() fails.  The fix is to reorder
-nbd_co_client_start() to ensure that all initialization occurs
-before we ever try talking to a client in nbd_negotiate(), so
-that the teardown sequence on negotiation failure doesn't fault
-while dereferencing a half-initialized object.
-
-While debugging this, I also noticed that nbd_update_server_watch()
-called by nbd_client_closed() was still adding a channel to accept
-the next client, even when the state was no longer RUNNING.  That
-is fixed by making nbd_can_accept() pay attention to the current
-state.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
-
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20170527030421.28366-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- nbd/server.c | 8 +++-----
- qemu-nbd.c   | 2 +-
- 2 files changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/nbd/server.c b/nbd/server.c
-index ee59e5d234..49b55f6ede 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
- 
-     if (exp) {
-         nbd_export_get(exp);
-+        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
-     }
-+    qemu_co_mutex_init(&client->send_lock);
-+
-     if (nbd_negotiate(data)) {
-         client_close(client);
-         goto out;
-     }
--    qemu_co_mutex_init(&client->send_lock);
--
--    if (exp) {
--        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
--    }
- 
-     nbd_client_receive_next_request(client);
- 
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index f60842fd86..651f85ecc1 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -325,7 +325,7 @@ out:
- 
- static int nbd_can_accept(void)
- {
--    return nb_fds < shared;
-+    return state == RUNNING && nb_fds < shared;
- }
- 
- static void nbd_export_closed(NBDExport *exp)
--- 
-2.13.1
-
-From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Thu, 8 Jun 2017 17:26:17 -0500
-Subject: [PATCH] nbd: Fix regression on resiliency to port scan
-
-Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
-server would not quit, regardless of how many probe connections
-came and went, until a connection actually negotiated).  But we
-broke that in commit ee7d7aa when removing the return value to
-nbd_client_new(), although that patch also introduced a bug causing
-an assertion failure on a client that fails negotiation.  We then
-made it worse during refactoring in commit 1a6245a (a segfault
-before we could even assert); the (masked) assertion was cleaned
-up in d3780c2 (still in 2.6), and just recently we finally fixed
-the segfault ("nbd: Fully intialize client in case of failed
-negotiation").  But that still means that ever since we added
-TLS support to qemu-nbd, we have been vulnerable to an ill-timed
-port-scan being able to cause a denial of service by taking down
-qemu-nbd before a real client has a chance to connect.
-
-Since negotiation is now handled asynchronously via coroutines,
-we no longer have a synchronous point of return by re-adding a
-return value to nbd_client_new().  So this patch instead wires
-things up to pass the negotiation status through the close_fn
-callback function.
-
-Simple test across two terminals:
-$ qemu-nbd -f raw -p 30001 file
-$ nmap 127.0.0.1 -p 30001 && \
-  qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
-
-Note that this patch does not change what constitutes successful
-negotiation (thus, a client must enter transmission phase before
-that client can be considered as a reason to terminate the server
-when the connection ends).  Perhaps we may want to tweak things
-in a later patch to also treat a client that uses NBD_OPT_ABORT
-as being a 'successful' negotiation (the client correctly talked
-the NBD protocol, and informed us it was not going to use our
-export after all), but that's a discussion for another day.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
-
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20170608222617.20376-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- blockdev-nbd.c      |  6 +++++-
- include/block/nbd.h |  2 +-
- nbd/server.c        | 24 +++++++++++++++---------
- qemu-nbd.c          |  4 ++--
- 4 files changed, 23 insertions(+), 13 deletions(-)
-
-diff --git a/blockdev-nbd.c b/blockdev-nbd.c
-index dd0860f4a6..28f551a7b0 100644
---- a/blockdev-nbd.c
-+++ b/blockdev-nbd.c
-@@ -27,6 +27,10 @@ typedef struct NBDServerData {
- 
- static NBDServerData *nbd_server;
- 
-+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
-+{
-+    nbd_client_put(client);
-+}
- 
- static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
-                            gpointer opaque)
-@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
-     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
-     nbd_client_new(NULL, cioc,
-                    nbd_server->tlscreds, NULL,
--                   nbd_client_put);
-+                   nbd_blockdev_client_closed);
-     object_unref(OBJECT(cioc));
-     return TRUE;
- }
-diff --git a/include/block/nbd.h b/include/block/nbd.h
-index 416257abca..8fa5ce51f3 100644
---- a/include/block/nbd.h
-+++ b/include/block/nbd.h
-@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp,
-                     QIOChannelSocket *sioc,
-                     QCryptoTLSCreds *tlscreds,
-                     const char *tlsaclname,
--                    void (*close)(NBDClient *));
-+                    void (*close_fn)(NBDClient *, bool));
- void nbd_client_get(NBDClient *client);
- void nbd_client_put(NBDClient *client);
- 
-diff --git a/nbd/server.c b/nbd/server.c
-index 49b55f6ede..f2b1aa47ce 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports);
- 
- struct NBDClient {
-     int refcount;
--    void (*close)(NBDClient *client);
-+    void (*close_fn)(NBDClient *client, bool negotiated);
- 
-     bool no_zeroes;
-     NBDExport *exp;
-@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client)
-     }
- }
- 
--static void client_close(NBDClient *client)
-+static void client_close(NBDClient *client, bool negotiated)
- {
-     if (client->closing) {
-         return;
-@@ -793,8 +793,8 @@ static void client_close(NBDClient *client)
-                          NULL);
- 
-     /* Also tell the client, so that they release their reference.  */
--    if (client->close) {
--        client->close(client);
-+    if (client->close_fn) {
-+        client->close_fn(client, negotiated);
-     }
- }
- 
-@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp)
- 
-     nbd_export_get(exp);
-     QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) {
--        client_close(client);
-+        client_close(client, true);
-     }
-     nbd_export_set_name(exp, NULL);
-     nbd_export_set_description(exp, NULL);
-@@ -1337,7 +1337,7 @@ done:
- 
- out:
-     nbd_request_put(req);
--    client_close(client);
-+    client_close(client, true);
-     nbd_client_put(client);
- }
- 
-@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
-     qemu_co_mutex_init(&client->send_lock);
- 
-     if (nbd_negotiate(data)) {
--        client_close(client);
-+        client_close(client, false);
-         goto out;
-     }
- 
-@@ -1373,11 +1373,17 @@ out:
-     g_free(data);
- }
- 
-+/*
-+ * Create a new client listener on the given export @exp, using the
-+ * given channel @sioc.  Begin servicing it in a coroutine.  When the
-+ * connection closes, call @close_fn with an indication of whether the
-+ * client completed negotiation.
-+ */
- void nbd_client_new(NBDExport *exp,
-                     QIOChannelSocket *sioc,
-                     QCryptoTLSCreds *tlscreds,
-                     const char *tlsaclname,
--                    void (*close_fn)(NBDClient *))
-+                    void (*close_fn)(NBDClient *, bool))
- {
-     NBDClient *client;
-     NBDClientNewData *data = g_new(NBDClientNewData, 1);
-@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp,
-     object_ref(OBJECT(client->sioc));
-     client->ioc = QIO_CHANNEL(sioc);
-     object_ref(OBJECT(client->ioc));
--    client->close = close_fn;
-+    client->close_fn = close_fn;
- 
-     data->client = client;
-     data->co = qemu_coroutine_create(nbd_co_client_start, data);
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 651f85ecc1..9464a0461c 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp)
- 
- static void nbd_update_server_watch(void);
- 
--static void nbd_client_closed(NBDClient *client)
-+static void nbd_client_closed(NBDClient *client, bool negotiated)
- {
-     nb_fds--;
--    if (nb_fds == 0 && !persistent && state == RUNNING) {
-+    if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) {
-         state = TERMINATE;
-     }
-     nbd_update_server_watch();
--- 
-2.13.1
-
diff --git a/gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch b/gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch
new file mode 100644
index 0000000000..d68b836c71
--- /dev/null
+++ b/gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch
@@ -0,0 +1,355 @@
+diff --git lib/rubygems.rb lib/rubygems.rb
+index f48496aa31..0e1855b148 100644
+--- ruby-2.2.7/lib/rubygems.rb
++++ ruby-2.2.7/lib/rubygems.rb
+@@ -9,7 +9,7 @@ require 'rbconfig'
+ require 'thread'
+ 
+ module Gem
+-  VERSION = '2.4.5.2'
++  VERSION = '2.4.5.3'
+ end
+ 
+ # Must be first since it unloads the prelude from 1.9.2
+diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb
+index 432250e033..44364cfab2 100644
+--- ruby-2.2.7/lib/rubygems/commands/query_command.rb
++++ ruby-2.2.7/lib/rubygems/commands/query_command.rb
+@@ -218,7 +218,7 @@ is too hard to use.
+         end
+       end
+ 
+-      output << make_entry(matching_tuples, platforms)
++      output << clean_text(make_entry(matching_tuples, platforms))
+     end
+   end
+ 
+@@ -336,7 +336,8 @@ is too hard to use.
+   end
+ 
+   def spec_summary entry, spec
+-    entry << "\n\n" << format_text(spec.summary, 68, 4)
++    summary = truncate_text(spec.summary, "the summary for #{spec.full_name}")
++    entry << "\n\n" << format_text(summary, 68, 4)
+   end
+ 
+ end
+diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb
+index 10fc1a34a5..a27569fe2e 100644
+--- ruby-2.2.7/lib/rubygems/installer.rb
++++ ruby-2.2.7/lib/rubygems/installer.rb
+@@ -646,6 +646,11 @@ class Gem::Installer
+       unpack or File.writable?(gem_home)
+   end
+ 
++  def verify_spec_name
++    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
++    raise Gem::InstallError, "#{spec} has an invalid name"
++  end
++
+   ##
+   # Return the text for an application file.
+ 
+@@ -771,6 +776,8 @@ TEXT
+ 
+     ensure_loadable_spec
+ 
++    verify_spec_name
++
+     if options[:install_as_default]
+       Gem.ensure_default_gem_subdirectories gem_home
+     else
+diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb
+index b1f6dd17fc..2b9d61c0a1 100644
+--- ruby-2.2.7/lib/rubygems/remote_fetcher.rb
++++ ruby-2.2.7/lib/rubygems/remote_fetcher.rb
+@@ -96,7 +96,7 @@ class Gem::RemoteFetcher
+     else
+       target = res.target.to_s.strip
+ 
+-      if /\.#{Regexp.quote(host)}\z/ =~ target
++      if URI("http://" + target).host.end_with?(".#{host}")
+         return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+       end
+ 
+diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
+index ab1cd92270..faca837128 100644
+--- ruby-2.2.7/lib/rubygems/specification.rb
++++ ruby-2.2.7/lib/rubygems/specification.rb
+@@ -106,6 +106,8 @@ class Gem::Specification < Gem::BasicSpecification
+ 
+   private_constant :LOAD_CACHE if defined? private_constant
+ 
++  VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
++
+   # :startdoc:
+ 
+   ##
+@@ -2477,9 +2479,15 @@ class Gem::Specification < Gem::BasicSpecification
+       end
+     end
+ 
+-    unless String === name then
++    if !name.is_a?(String) then
+       raise Gem::InvalidSpecificationException,
+-            "invalid value for attribute name: \"#{name.inspect}\""
++            "invalid value for attribute name: \"#{name.inspect}\" must be a string"
++    elsif name !~ /[a-zA-Z]/ then
++      raise Gem::InvalidSpecificationException,
++            "invalid value for attribute name: #{name.dump} must include at least one letter"
++    elsif name !~ VALID_NAME_PATTERN then
++      raise Gem::InvalidSpecificationException,
++            "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores"
+     end
+ 
+     if raw_require_paths.empty? then
+diff --git lib/rubygems/text.rb lib/rubygems/text.rb
+index 5c9287ad2e..86a722ffc0 100644
+--- ruby-2.2.7/lib/rubygems/text.rb
++++ ruby-2.2.7/lib/rubygems/text.rb
+@@ -5,13 +5,26 @@ require 'rubygems'
+ 
+ module Gem::Text
+ 
++  ##
++  # Remove any non-printable characters and make the text suitable for
++  # printing.
++  def clean_text(text)
++    text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
++  end
++
++  def truncate_text(text, description, max_length = 100_000)
++    raise ArgumentError, "max_length must be positive" unless max_length > 0
++    return text if text.size <= max_length
++    "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length]
++  end
++
+   ##
+   # Wraps +text+ to +wrap+ characters and optionally indents by +indent+
+   # characters
+ 
+   def format_text(text, wrap, indent=0)
+     result = []
+-    work = text.dup
++    work = clean_text(text)
+ 
+     while work.length > wrap do
+       if work =~ /^(.{0,#{wrap}})[ \n]/ then
+diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb
+index 43fa82571d..ccd2621874 100644
+--- ruby-2.2.7/test/rubygems/test_gem_commands_query_command.rb
++++ ruby-2.2.7/test/rubygems/test_gem_commands_query_command.rb
+@@ -147,6 +147,86 @@ a (2)
+     This is a lot of text. This is a lot of text. This is a lot of text.
+     This is a lot of text.
+ 
++pl (1)
++    Platform: i386-linux
++    Author: A User
++    Homepage: http://example.com
++
++    this is a summary
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++  end
++
++  def test_execute_details_cleans_text
++    spec_fetcher do |fetcher|
++      fetcher.spec 'a', 2 do |s|
++        s.summary = 'This is a lot of text. ' * 4
++        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
++        s.homepage = "http://a.example.com/\x03"
++      end
++
++      fetcher.legacy_platform
++    end
++
++    @cmd.handle_options %w[-r -d]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** REMOTE GEMS ***
++
++a (2)
++    Authors: Abraham Lincoln ., . Hirohito
++    Homepage: http://a.example.com/.
++
++    This is a lot of text. This is a lot of text. This is a lot of text.
++    This is a lot of text.
++
++pl (1)
++    Platform: i386-linux
++    Author: A User
++    Homepage: http://example.com
++
++    this is a summary
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++  end
++
++  def test_execute_details_truncates_summary
++    spec_fetcher do |fetcher|
++      fetcher.spec 'a', 2 do |s|
++        s.summary = 'This is a lot of text. ' * 10_000
++        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
++        s.homepage = "http://a.example.com/\x03"
++      end
++
++      fetcher.legacy_platform
++    end
++
++    @cmd.handle_options %w[-r -d]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** REMOTE GEMS ***
++
++a (2)
++    Authors: Abraham Lincoln ., . Hirohito
++    Homepage: http://a.example.com/.
++
++    Truncating the summary for a-2 to 100,000 characters:
++#{"    This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449}    This is a lot of te
++
+ pl (1)
+     Platform: i386-linux
+     Author: A User
+diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb
+index 6f8012feb8..aba73af181 100644
+--- ruby-2.2.7/test/rubygems/test_gem_installer.rb
++++ ruby-2.2.7/test/rubygems/test_gem_installer.rb
+@@ -1214,6 +1214,26 @@ gem 'other', version
+     end
+   end
+ 
++  def test_pre_install_checks_malicious_name
++    spec = util_spec '../malicious', '1'
++    def spec.full_name # so the spec is buildable
++      "malicious-1"
++    end
++    def spec.validate; end
++
++    util_build_gem spec
++
++    gem = File.join(@gemhome, 'cache', spec.file_name)
++
++    use_ui @ui do
++      @installer = Gem::Installer.at gem
++      e = assert_raises Gem::InstallError do
++        @installer.pre_install_checks
++      end
++      assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
++    end
++  end
++
+   def test_shebang
+     util_make_exec @spec, "#!/usr/bin/ruby"
+ 
+diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb
+index 63dd8feb38..ca4627810b 100644
+--- ruby-2.2.7/test/rubygems/test_gem_remote_fetcher.rb
++++ ruby-2.2.7/test/rubygems/test_gem_remote_fetcher.rb
+@@ -181,6 +181,21 @@ gems:
+     dns.verify
+   end
+ 
++  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "evil.com/a.example.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
+   def test_api_endpoint_ignores_trans_domain_values
+     uri = URI.parse "http://gems.example.com/foo"
+     target = MiniTest::Mock.new
+diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
+index 3cadc55d5d..4f7076a03a 100644
+--- ruby-2.2.7/test/rubygems/test_gem_specification.rb
++++ ruby-2.2.7/test/rubygems/test_gem_specification.rb
+@@ -2610,7 +2610,37 @@ http://opensource.org/licenses/alphabetical
+       @a1.validate
+     end
+ 
+-    assert_equal 'invalid value for attribute name: ":json"', e.message
++    assert_equal 'invalid value for attribute name: ":json" must be a string', e.message
++
++    @a1.name = []
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message
++
++    @a1.name = ""
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message
++
++    @a1.name = "12345"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message
++
++    @a1.name = "../malicious"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message
++
++    @a1.name = "\ba\t"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message
+   end
+ 
+   def test_validate_non_nil
+diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb
+index e5cfc41e61..9b270b481b 100644
+--- ruby-2.2.7/test/rubygems/test_gem_text.rb
++++ ruby-2.2.7/test/rubygems/test_gem_text.rb
+@@ -35,6 +35,10 @@ Without the wrapping, the text might not look good in the RSS feed.
+     assert_equal expected, format_text(text, 78)
+   end
+ 
++  def test_format_removes_nonprintable_characters
++    assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
++  end
++
+   def test_min3
+     assert_equal 1, min3(1, 1, 1)
+     assert_equal 1, min3(1, 1, 2)
+@@ -71,4 +75,11 @@ Without the wrapping, the text might not look good in the RSS feed.
+     assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
+     assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
+   end
++
++  def test_truncate_text
++    assert_equal "abc", truncate_text("abc", "desc")
++    assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2)
++    s = "ab" * 500_001
++    assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
++  end
+ end
diff --git a/gnu/packages/patches/ruby-2.3.4-rubygems-2613-ruby23.patch b/gnu/packages/patches/ruby-2.3.4-rubygems-2613-ruby23.patch
new file mode 100644
index 0000000000..8f4758293e
--- /dev/null
+++ b/gnu/packages/patches/ruby-2.3.4-rubygems-2613-ruby23.patch
@@ -0,0 +1,355 @@
+diff --git lib/rubygems.rb lib/rubygems.rb
+index 04031c765c..9c0219ce06 100644
+--- ruby-2.3.4/lib/rubygems.rb
++++ ruby-2.3.4/lib/rubygems.rb
+@@ -10,7 +10,7 @@
+ require 'thread'
+ 
+ module Gem
+-  VERSION = '2.5.2'
++  VERSION = '2.5.2.1'
+ end
+ 
+ # Must be first since it unloads the prelude from 1.9.2
+diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb
+index d6196b44ed..61e9808860 100644
+--- ruby-2.3.4/lib/rubygems/commands/query_command.rb
++++ ruby-2.3.4/lib/rubygems/commands/query_command.rb
+@@ -226,7 +226,7 @@ def output_versions output, versions
+         end
+       end
+ 
+-      output << make_entry(matching_tuples, platforms)
++      output << clean_text(make_entry(matching_tuples, platforms))
+     end
+   end
+ 
+@@ -344,7 +344,8 @@ def spec_platforms entry, platforms
+   end
+ 
+   def spec_summary entry, spec
+-    entry << "\n\n" << format_text(spec.summary, 68, 4)
++    summary = truncate_text(spec.summary, "the summary for #{spec.full_name}")
++    entry << "\n\n" << format_text(summary, 68, 4)
+   end
+ 
+ end
+diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb
+index 85358e0d1a..709b77d126 100644
+--- ruby-2.3.4/lib/rubygems/installer.rb
++++ ruby-2.3.4/lib/rubygems/installer.rb
+@@ -693,6 +693,11 @@ def verify_gem_home(unpack = false) # :nodoc:
+       unpack or File.writable?(gem_home)
+   end
+ 
++  def verify_spec_name
++    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
++    raise Gem::InstallError, "#{spec} has an invalid name"
++  end
++
+   ##
+   # Return the text for an application file.
+ 
+@@ -812,6 +817,8 @@ def pre_install_checks
+ 
+     ensure_loadable_spec
+ 
++    verify_spec_name
++
+     if options[:install_as_default]
+       Gem.ensure_default_gem_subdirectories gem_home
+     else
+diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb
+index fda1e067ef..254bebfadf 100644
+--- ruby-2.3.4/lib/rubygems/remote_fetcher.rb
++++ ruby-2.3.4/lib/rubygems/remote_fetcher.rb
+@@ -104,7 +104,7 @@ def api_endpoint(uri)
+     else
+       target = res.target.to_s.strip
+ 
+-      if /\.#{Regexp.quote(host)}\z/ =~ target
++      if URI("http://" + target).host.end_with?(".#{host}")
+         return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+       end
+ 
+diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
+index 8e2557cdb2..dd4fde1776 100644
+--- ruby-2.3.4/lib/rubygems/specification.rb
++++ ruby-2.3.4/lib/rubygems/specification.rb
+@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification
+ 
+   private_constant :LOAD_CACHE if defined? private_constant
+ 
++  VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
++
+   # :startdoc:
+ 
+   ##
+@@ -2665,9 +2667,15 @@ def validate packaging = true
+       end
+     end
+ 
+-    unless String === name then
++    if !name.is_a?(String) then
+       raise Gem::InvalidSpecificationException,
+-            "invalid value for attribute name: \"#{name.inspect}\""
++            "invalid value for attribute name: \"#{name.inspect}\" must be a string"
++    elsif name !~ /[a-zA-Z]/ then
++      raise Gem::InvalidSpecificationException,
++            "invalid value for attribute name: #{name.dump} must include at least one letter"
++    elsif name !~ VALID_NAME_PATTERN then
++      raise Gem::InvalidSpecificationException,
++            "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores"
+     end
+ 
+     if raw_require_paths.empty? then
+diff --git lib/rubygems/text.rb lib/rubygems/text.rb
+index 732f1b99f2..b944b62c27 100644
+--- ruby-2.3.4/lib/rubygems/text.rb
++++ ruby-2.3.4/lib/rubygems/text.rb
+@@ -6,13 +6,26 @@
+ 
+ module Gem::Text
+ 
++  ##
++  # Remove any non-printable characters and make the text suitable for
++  # printing.
++  def clean_text(text)
++    text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
++  end
++
++  def truncate_text(text, description, max_length = 100_000)
++    raise ArgumentError, "max_length must be positive" unless max_length > 0
++    return text if text.size <= max_length
++    "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length]
++  end
++
+   ##
+   # Wraps +text+ to +wrap+ characters and optionally indents by +indent+
+   # characters
+ 
+   def format_text(text, wrap, indent=0)
+     result = []
+-    work = text.dup
++    work = clean_text(text)
+ 
+     while work.length > wrap do
+       if work =~ /^(.{0,#{wrap}})[ \n]/ then
+diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb
+index 78c15a1770..9ec715492f 100644
+--- ruby-2.3.4/test/rubygems/test_gem_commands_query_command.rb
++++ ruby-2.3.4/test/rubygems/test_gem_commands_query_command.rb
+@@ -116,6 +116,86 @@ def test_execute_details
+     This is a lot of text. This is a lot of text. This is a lot of text.
+     This is a lot of text.
+ 
++pl (1)
++    Platform: i386-linux
++    Author: A User
++    Homepage: http://example.com
++
++    this is a summary
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++  end
++
++  def test_execute_details_cleans_text
++    spec_fetcher do |fetcher|
++      fetcher.spec 'a', 2 do |s|
++        s.summary = 'This is a lot of text. ' * 4
++        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
++        s.homepage = "http://a.example.com/\x03"
++      end
++
++      fetcher.legacy_platform
++    end
++
++    @cmd.handle_options %w[-r -d]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** REMOTE GEMS ***
++
++a (2)
++    Authors: Abraham Lincoln ., . Hirohito
++    Homepage: http://a.example.com/.
++
++    This is a lot of text. This is a lot of text. This is a lot of text.
++    This is a lot of text.
++
++pl (1)
++    Platform: i386-linux
++    Author: A User
++    Homepage: http://example.com
++
++    this is a summary
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++  end
++
++  def test_execute_details_truncates_summary
++    spec_fetcher do |fetcher|
++      fetcher.spec 'a', 2 do |s|
++        s.summary = 'This is a lot of text. ' * 10_000
++        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
++        s.homepage = "http://a.example.com/\x03"
++      end
++
++      fetcher.legacy_platform
++    end
++
++    @cmd.handle_options %w[-r -d]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** REMOTE GEMS ***
++
++a (2)
++    Authors: Abraham Lincoln ., . Hirohito
++    Homepage: http://a.example.com/.
++
++    Truncating the summary for a-2 to 100,000 characters:
++#{"    This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449}    This is a lot of te
++
+ pl (1)
+     Platform: i386-linux
+     Author: A User
+diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb
+index 5ec71d0a01..1092a0c68f 100644
+--- ruby-2.3.4/test/rubygems/test_gem_installer.rb
++++ ruby-2.3.4/test/rubygems/test_gem_installer.rb
+@@ -1227,6 +1227,26 @@ def test_pre_install_checks_wrong_rubygems_version
+     end
+   end
+ 
++  def test_pre_install_checks_malicious_name
++    spec = util_spec '../malicious', '1'
++    def spec.full_name # so the spec is buildable
++      "malicious-1"
++    end
++    def spec.validate; end
++
++    util_build_gem spec
++
++    gem = File.join(@gemhome, 'cache', spec.file_name)
++
++    use_ui @ui do
++      @installer = Gem::Installer.at gem
++      e = assert_raises Gem::InstallError do
++        @installer.pre_install_checks
++      end
++      assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
++    end
++  end
++
+   def test_shebang
+     util_make_exec @spec, "#!/usr/bin/ruby"
+ 
+diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb
+index 49b6b6656c..a3919c8ef2 100644
+--- ruby-2.3.4/test/rubygems/test_gem_remote_fetcher.rb
++++ ruby-2.3.4/test/rubygems/test_gem_remote_fetcher.rb
+@@ -253,6 +253,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+     dns.verify
+   end
+ 
++  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "evil.com/a.example.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
+   def test_api_endpoint_timeout_warning
+     uri = URI.parse "http://gems.example.com/foo"
+ 
+diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
+index bc1c8d2ca7..9a49bbbf59 100644
+--- ruby-2.3.4/test/rubygems/test_gem_specification.rb
++++ ruby-2.3.4/test/rubygems/test_gem_specification.rb
+@@ -2974,7 +2974,37 @@ def test_validate_name
+       @a1.validate
+     end
+ 
+-    assert_equal 'invalid value for attribute name: ":json"', e.message
++    assert_equal 'invalid value for attribute name: ":json" must be a string', e.message
++
++    @a1.name = []
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message
++
++    @a1.name = ""
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message
++
++    @a1.name = "12345"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message
++
++    @a1.name = "../malicious"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message
++
++    @a1.name = "\ba\t"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message
+   end
+ 
+   def test_validate_non_nil
+diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb
+index a6e22e04da..04f3f605e8 100644
+--- ruby-2.3.4/test/rubygems/test_gem_text.rb
++++ ruby-2.3.4/test/rubygems/test_gem_text.rb
+@@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after .
+     assert_equal expected, format_text(text, 78)
+   end
+ 
++  def test_format_removes_nonprintable_characters
++    assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
++  end
++
+   def test_min3
+     assert_equal 1, min3(1, 1, 1)
+     assert_equal 1, min3(1, 1, 2)
+@@ -74,4 +78,11 @@ def test_levenshtein_distance_replace
+     assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
+     assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
+   end
++
++  def test_truncate_text
++    assert_equal "abc", truncate_text("abc", "desc")
++    assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2)
++    s = "ab" * 500_001
++    assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
++  end
+ end
diff --git a/gnu/packages/patches/ruby-rubygems-2612-ruby24.patch b/gnu/packages/patches/ruby-rubygems-2612-ruby24.patch
new file mode 100644
index 0000000000..8ee32c0c6e
--- /dev/null
+++ b/gnu/packages/patches/ruby-rubygems-2612-ruby24.patch
@@ -0,0 +1,437 @@
+diff --git lib/rubygems.rb lib/rubygems.rb
+index 5cd1a4c47a..bc5bf9b4c2 100644
+--- ruby-2.4.1/lib/rubygems.rb
++++ ruby-2.4.1/lib/rubygems.rb
+@@ -10,7 +10,7 @@
+ require 'thread'
+ 
+ module Gem
+-  VERSION = "2.6.11"
++  VERSION = "2.6.12"
+ end
+ 
+ # Must be first since it unloads the prelude from 1.9.2
+@@ -234,6 +234,7 @@ def self.needs
+ 
+   def self.finish_resolve(request_set=Gem::RequestSet.new)
+     request_set.import Gem::Specification.unresolved_deps.values
++    request_set.import Gem.loaded_specs.values.map {|s| Gem::Dependency.new(s.name, s.version) }
+ 
+     request_set.resolve_current.each do |s|
+       s.full_spec.activate
+diff --git lib/rubygems/commands/open_command.rb lib/rubygems/commands/open_command.rb
+index a89b7421e3..059635e835 100644
+--- ruby-2.4.1/lib/rubygems/commands/open_command.rb
++++ ruby-2.4.1/lib/rubygems/commands/open_command.rb
+@@ -72,7 +72,7 @@ def open_editor path
+   end
+ 
+   def spec_for name
+-    spec = Gem::Specification.find_all_by_name(name, @version).last
++    spec = Gem::Specification.find_all_by_name(name, @version).first
+ 
+     return spec if spec
+ 
+diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb
+index f25d120b88..70f8127292 100644
+--- ruby-2.4.1/lib/rubygems/commands/query_command.rb
++++ ruby-2.4.1/lib/rubygems/commands/query_command.rb
+@@ -86,7 +86,7 @@ def execute
+       name = Array(options[:name])
+     else
+       args = options[:args].to_a
+-      name = options[:exact] ? args : args.map{|arg| /#{arg}/i }
++      name = options[:exact] ? args.map{|arg| /\A#{Regexp.escape(arg)}\Z/ } : args.map{|arg| /#{arg}/i }
+     end
+ 
+     prerelease = options[:prerelease]
+diff --git lib/rubygems/commands/sources_command.rb lib/rubygems/commands/sources_command.rb
+index 9832afd214..7e46963a4c 100644
+--- ruby-2.4.1/lib/rubygems/commands/sources_command.rb
++++ ruby-2.4.1/lib/rubygems/commands/sources_command.rb
+@@ -44,7 +44,7 @@ def add_source source_uri # :nodoc:
+     source = Gem::Source.new source_uri
+ 
+     begin
+-      if Gem.sources.include? source_uri then
++      if Gem.sources.include? source then
+         say "source #{source_uri} already present in the cache"
+       else
+         source.load_specs :released
+diff --git lib/rubygems/dependency_list.rb lib/rubygems/dependency_list.rb
+index 35fe7c4c1a..d8314eaf60 100644
+--- ruby-2.4.1/lib/rubygems/dependency_list.rb
++++ ruby-2.4.1/lib/rubygems/dependency_list.rb
+@@ -104,7 +104,7 @@ def find_name(full_name)
+   end
+ 
+   def inspect # :nodoc:
+-    "#<%s:0x%x %p>" % [self.class, object_id, map { |s| s.full_name }]
++    "%s %p>" % [super[0..-2], map { |s| s.full_name }]
+   end
+ 
+   ##
+diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb
+index f4d3e728de..967543c2d1 100644
+--- ruby-2.4.1/lib/rubygems/installer.rb
++++ ruby-2.4.1/lib/rubygems/installer.rb
+@@ -214,7 +214,7 @@ def check_executable_overwrite filename # :nodoc:
+ 
+       ruby_executable = true
+       existing = io.read.slice(%r{
+-          ^(
++          ^\s*(
+             gem \s |
+             load \s Gem\.bin_path\( |
+             load \s Gem\.activate_bin_path\(
+@@ -701,6 +701,8 @@ def verify_gem_home(unpack = false) # :nodoc:
+   # Return the text for an application file.
+ 
+   def app_script_text(bin_file_name)
++    # note that the `load` lines cannot be indented, as old RG versions match
++    # against the beginning of the line
+     return <<-TEXT
+ #{shebang bin_file_name}
+ #
+@@ -723,7 +725,12 @@ def app_script_text(bin_file_name)
+   end
+ end
+ 
++if Gem.respond_to?(:activate_bin_path)
+ load Gem.activate_bin_path('#{spec.name}', '#{bin_file_name}', version)
++else
++gem #{spec.name.dump}, version
++load Gem.bin_path(#{spec.name.dump}, #{bin_file_name.dump}, version)
++end
+ TEXT
+   end
+ 
+diff --git lib/rubygems/platform.rb lib/rubygems/platform.rb
+index d22d91ae54..2dd9ed5782 100644
+--- ruby-2.4.1/lib/rubygems/platform.rb
++++ ruby-2.4.1/lib/rubygems/platform.rb
+@@ -112,7 +112,7 @@ def initialize(arch)
+   end
+ 
+   def inspect
+-    "#<%s:0x%x @cpu=%p, @os=%p, @version=%p>" % [self.class, object_id, *to_a]
++    "%s @cpu=%p, @os=%p, @version=%p>" % [super[0..-2], *to_a]
+   end
+ 
+   def to_a
+diff --git lib/rubygems/security.rb lib/rubygems/security.rb
+index 119d6d56f7..6963ca156f 100644
+--- ruby-2.4.1/lib/rubygems/security.rb
++++ ruby-2.4.1/lib/rubygems/security.rb
+@@ -455,7 +455,7 @@ def self.create_cert_self_signed subject, key, age = ONE_YEAR,
+ 
+   ##
+   # Creates a new key pair of the specified +length+ and +algorithm+.  The
+-  # default is a 2048 bit RSA key.
++  # default is a 3072 bit RSA key.
+ 
+   def self.create_key length = KEY_LENGTH, algorithm = KEY_ALGORITHM
+     algorithm.new length
+diff --git lib/rubygems/server.rb lib/rubygems/server.rb
+index 81df0e608e..df4eb566d3 100644
+--- ruby-2.4.1/lib/rubygems/server.rb
++++ ruby-2.4.1/lib/rubygems/server.rb
+@@ -657,7 +657,7 @@ def root(req, res)
+       "only_one_executable" => true,
+       "full_name" => "rubygems-#{Gem::VERSION}",
+       "has_deps" => false,
+-      "homepage" => "http://docs.rubygems.org/",
++      "homepage" => "http://guides.rubygems.org/",
+       "name" => 'rubygems',
+       "ri_installed" => true,
+       "summary" => "RubyGems itself",
+diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
+index a2f289d162..500f0af768 100644
+--- ruby-2.4.1/lib/rubygems/specification.rb
++++ ruby-2.4.1/lib/rubygems/specification.rb
+@@ -2105,7 +2105,7 @@ def inspect # :nodoc:
+     if $DEBUG
+       super
+     else
+-      "#<#{self.class}:0x#{__id__.to_s(16)} #{full_name}>"
++      "#{super[0..-2]} #{full_name}>"
+     end
+   end
+ 
+diff --git lib/rubygems/test_case.rb lib/rubygems/test_case.rb
+index 86b68e1efb..4e48f1eb4c 100644
+--- ruby-2.4.1/lib/rubygems/test_case.rb
++++ ruby-2.4.1/lib/rubygems/test_case.rb
+@@ -484,7 +484,7 @@ def git_gem name = 'a', version = 1
+ 
+       system @git, 'add', gemspec
+       system @git, 'commit', '-a', '-m', 'a non-empty commit message', '--quiet'
+-      head = Gem::Util.popen('git', 'rev-parse', 'master').strip
++      head = Gem::Util.popen(@git, 'rev-parse', 'master').strip
+     end
+ 
+     return name, git_spec.version, directory, head
+@@ -1498,6 +1498,8 @@ def self.key_path key_name
+ begin
+   gem 'rdoc'
+   require 'rdoc'
++
++  require 'rubygems/rdoc'
+ rescue LoadError, Gem::LoadError
+ end
+ 
+@@ -1514,3 +1516,4 @@ def self.key_path key_name
+ pid = $$
+ END {tmpdirs.each {|dir| Dir.rmdir(dir)} if $$ == pid}
+ Gem.clear_paths
++Gem.loaded_specs.clear
+diff --git test/rubygems/test_gem.rb test/rubygems/test_gem.rb
+index a605f9cdfe..62b36dfd41 100644
+--- ruby-2.4.1/test/rubygems/test_gem.rb
++++ ruby-2.4.1/test/rubygems/test_gem.rb
+@@ -75,6 +75,29 @@ def test_self_finish_resolve_wtf
+     end
+   end
+ 
++  def test_self_finish_resolve_respects_loaded_specs
++    save_loaded_features do
++      a1 = new_spec "a", "1", "b" => "> 0"
++      b1 = new_spec "b", "1", "c" => ">= 1"
++      b2 = new_spec "b", "2", "c" => ">= 2"
++      c1 = new_spec "c", "1"
++      c2 = new_spec "c", "2"
++
++      install_specs c1, c2, b1, b2, a1
++
++      a1.activate
++      c1.activate
++
++      assert_equal %w(a-1 c-1), loaded_spec_names
++      assert_equal ["b (> 0)"], unresolved_names
++
++      Gem.finish_resolve
++
++      assert_equal %w(a-1 b-1 c-1), loaded_spec_names
++      assert_equal [], unresolved_names
++    end
++  end
++
+   def test_self_install
+     spec_fetcher do |f|
+       f.gem  'a', 1
+@@ -492,7 +515,7 @@ def test_self_find_files_with_gemfile
+     skip if RUBY_VERSION <= "1.8.7"
+ 
+     cwd = File.expand_path("test/rubygems", @@project_dir)
+-    $LOAD_PATH.unshift cwd
++    actual_load_path = $LOAD_PATH.unshift(cwd).dup
+ 
+     discover_path = File.join 'lib', 'sff', 'discover.rb'
+ 
+@@ -518,12 +541,12 @@ def test_self_find_files_with_gemfile
+     expected = [
+       File.expand_path('test/rubygems/sff/discover.rb', @@project_dir),
+       File.join(foo1.full_gem_path, discover_path)
+-    ]
++    ].sort
+ 
+-    assert_equal expected, Gem.find_files('sff/discover')
+-    assert_equal expected, Gem.find_files('sff/**.rb'), '[ruby-core:31730]'
++    assert_equal expected, Gem.find_files('sff/discover').sort
++    assert_equal expected, Gem.find_files('sff/**.rb').sort, '[ruby-core:31730]'
+   ensure
+-    assert_equal cwd, $LOAD_PATH.shift unless RUBY_VERSION <= "1.8.7"
++    assert_equal cwd, actual_load_path.shift unless RUBY_VERSION <= "1.8.7"
+   end
+ 
+   def test_self_find_latest_files
+diff --git test/rubygems/test_gem_commands_open_command.rb test/rubygems/test_gem_commands_open_command.rb
+index 3ec38972e6..a96fa6ea23 100644
+--- ruby-2.4.1/test/rubygems/test_gem_commands_open_command.rb
++++ ruby-2.4.1/test/rubygems/test_gem_commands_open_command.rb
+@@ -24,7 +24,8 @@ def test_execute
+     @cmd.options[:args] = %w[foo]
+     @cmd.options[:editor] = "#{Gem.ruby} -e0 --"
+ 
+-    spec = gem 'foo'
++    gem 'foo', '1.0.0'
++    spec = gem 'foo', '1.0.1'
+     mock = MiniTest::Mock.new
+     mock.expect(:call, true, [spec.full_gem_path])
+ 
+diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb
+index 223f205b2d..d8d682b136 100644
+--- ruby-2.4.1/test/rubygems/test_gem_commands_query_command.rb
++++ ruby-2.4.1/test/rubygems/test_gem_commands_query_command.rb
+@@ -642,7 +642,7 @@ def test_execute_local_details
+     assert_equal expected, @ui.output
+   end
+ 
+-  def test_execute_exact
++  def test_execute_exact_remote
+     spec_fetcher do |fetcher|
+       fetcher.spec 'coolgem-omg', 3
+       fetcher.spec 'coolgem', '4.2.1'
+@@ -665,6 +665,60 @@ def test_execute_exact
+     assert_equal expected, @ui.output
+   end
+ 
++  def test_execute_exact_local
++    spec_fetcher do |fetcher|
++      fetcher.spec 'coolgem-omg', 3
++      fetcher.spec 'coolgem', '4.2.1'
++      fetcher.spec 'wow_coolgem', 1
++    end
++
++    @cmd.handle_options %w[--exact coolgem]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** LOCAL GEMS ***
++
++coolgem (4.2.1)
++    EOF
++
++    assert_equal expected, @ui.output
++  end
++
++  def test_execute_exact_multiple
++    spec_fetcher do |fetcher|
++      fetcher.spec 'coolgem-omg', 3
++      fetcher.spec 'coolgem', '4.2.1'
++      fetcher.spec 'wow_coolgem', 1
++
++      fetcher.spec 'othergem-omg', 3
++      fetcher.spec 'othergem', '1.2.3'
++      fetcher.spec 'wow_othergem', 1
++    end
++
++    @cmd.handle_options %w[--exact coolgem othergem]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** LOCAL GEMS ***
++
++coolgem (4.2.1)
++
++*** LOCAL GEMS ***
++
++othergem (1.2.3)
++    EOF
++
++    assert_equal expected, @ui.output
++  end
++
+   private
+ 
+   def add_gems_to_fetcher
+diff --git test/rubygems/test_gem_commands_sources_command.rb test/rubygems/test_gem_commands_sources_command.rb
+index 014b4b4c12..d5b6d99419 100644
+--- ruby-2.4.1/test/rubygems/test_gem_commands_sources_command.rb
++++ ruby-2.4.1/test/rubygems/test_gem_commands_sources_command.rb
+@@ -108,6 +108,58 @@ def test_execute_add_redundant_source
+     assert_equal '', @ui.error
+   end
+ 
++  def test_execute_add_redundant_source_trailing_slash
++    # Remove pre-existing gem source (w/ slash)
++    repo_with_slash = "http://gems.example.com/"
++    @cmd.handle_options %W[--remove #{repo_with_slash}]
++    use_ui @ui do
++      @cmd.execute
++    end
++    source = Gem::Source.new repo_with_slash
++    assert_equal false, Gem.sources.include?(source)
++
++    expected = <<-EOF
++#{repo_with_slash} removed from sources
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++
++    # Re-add pre-existing gem source (w/o slash)
++    repo_without_slash = "http://gems.example.com"
++    @cmd.handle_options %W[--add #{repo_without_slash}]
++    use_ui @ui do
++      @cmd.execute
++    end
++    source = Gem::Source.new repo_without_slash
++    assert_equal true, Gem.sources.include?(source)
++
++    expected = <<-EOF
++http://gems.example.com/ removed from sources
++http://gems.example.com added to sources
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++
++    # Re-add original gem source (w/ slash)
++    @cmd.handle_options %W[--add #{repo_with_slash}]
++    use_ui @ui do
++      @cmd.execute
++    end
++    source = Gem::Source.new repo_with_slash
++    assert_equal true, Gem.sources.include?(source)
++
++    expected = <<-EOF
++http://gems.example.com/ removed from sources
++http://gems.example.com added to sources
++source http://gems.example.com/ already present in the cache
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error 
++  end
++
+   def test_execute_add_http_rubygems_org
+     http_rubygems_org = 'http://rubygems.org'
+ 
+diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb
+index 6ceb2c6dfc..882981d344 100644
+--- ruby-2.4.1/test/rubygems/test_gem_installer.rb
++++ ruby-2.4.1/test/rubygems/test_gem_installer.rb
+@@ -62,7 +62,12 @@ def test_app_script_text
+   end
+ end
+ 
++if Gem.respond_to?(:activate_bin_path)
+ load Gem.activate_bin_path('a', 'executable', version)
++else
++gem "a", version
++load Gem.bin_path("a", "executable", version)
++end
+     EOF
+ 
+     wrapper = @installer.app_script_text 'executable'
+diff --git test/rubygems/test_require.rb test/rubygems/test_require.rb
+index dd606e44d4..936f78fb2a 100644
+--- ruby-2.4.1/test/rubygems/test_require.rb
++++ ruby-2.4.1/test/rubygems/test_require.rb
+@@ -301,6 +301,17 @@ def test_default_gem_only
+     assert_equal %w(default-2.0.0.0), loaded_spec_names
+   end
+ 
++  def test_realworld_default_gem
++    skip "no default gems on ruby < 2.0" unless RUBY_VERSION >= "2"
++    cmd = <<-RUBY
++      $stderr = $stdout
++      require "json"
++      puts Gem.loaded_specs["json"].default_gem?
++    RUBY
++    output = Gem::Util.popen(Gem.ruby, "-e", cmd).strip
++    assert_equal "true", output
++  end
++
+   def test_default_gem_and_normal_gem
+     default_gem_spec = new_default_spec("default", "2.0.0.0",
+                                         nil, "default/gem.rb")
diff --git a/gnu/packages/patches/ruby-rubygems-2613-ruby24.patch b/gnu/packages/patches/ruby-rubygems-2613-ruby24.patch
new file mode 100644
index 0000000000..c253cc912d
--- /dev/null
+++ b/gnu/packages/patches/ruby-rubygems-2613-ruby24.patch
@@ -0,0 +1,355 @@
+diff --git lib/rubygems.rb lib/rubygems.rb
+index bc5bf9b4c2..55aa85b8b2 100644
+--- ruby-2.4.1/lib/rubygems.rb
++++ ruby-2.4.1/lib/rubygems.rb
+@@ -10,7 +10,7 @@
+ require 'thread'
+ 
+ module Gem
+-  VERSION = "2.6.12"
++  VERSION = "2.6.13"
+ end
+ 
+ # Must be first since it unloads the prelude from 1.9.2
+diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb
+index 70f8127292..44144203e0 100644
+--- ruby-2.4.1/lib/rubygems/commands/query_command.rb
++++ ruby-2.4.1/lib/rubygems/commands/query_command.rb
+@@ -226,7 +226,7 @@ def output_versions output, versions
+         end
+       end
+ 
+-      output << make_entry(matching_tuples, platforms)
++      output << clean_text(make_entry(matching_tuples, platforms))
+     end
+   end
+ 
+@@ -353,7 +353,8 @@ def spec_platforms entry, platforms
+   end
+ 
+   def spec_summary entry, spec
+-    entry << "\n\n" << format_text(spec.summary, 68, 4)
++    summary = truncate_text(spec.summary, "the summary for #{spec.full_name}")
++    entry << "\n\n" << format_text(summary, 68, 4)
+   end
+ 
+ end
+diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb
+index 967543c2d1..6fd3399dd4 100644
+--- ruby-2.4.1/lib/rubygems/installer.rb
++++ ruby-2.4.1/lib/rubygems/installer.rb
+@@ -697,6 +697,11 @@ def verify_gem_home(unpack = false) # :nodoc:
+       unpack or File.writable?(gem_home)
+   end
+ 
++  def verify_spec_name
++    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
++    raise Gem::InstallError, "#{spec} has an invalid name"
++  end
++
+   ##
+   # Return the text for an application file.
+ 
+@@ -823,6 +828,8 @@ def pre_install_checks
+ 
+     ensure_loadable_spec
+ 
++    verify_spec_name
++
+     if options[:install_as_default]
+       Gem.ensure_default_gem_subdirectories gem_home
+     else
+diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb
+index e6a13d4b8c..8f0cf0b402 100644
+--- ruby-2.4.1/lib/rubygems/remote_fetcher.rb
++++ ruby-2.4.1/lib/rubygems/remote_fetcher.rb
+@@ -110,7 +110,7 @@ def api_endpoint(uri)
+     else
+       target = res.target.to_s.strip
+ 
+-      if /\.#{Regexp.quote(host)}\z/ =~ target
++      if URI("http://" + target).host.end_with?(".#{host}")
+         return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+       end
+ 
+diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
+index 500f0af768..88e320c05a 100644
+--- ruby-2.4.1/lib/rubygems/specification.rb
++++ ruby-2.4.1/lib/rubygems/specification.rb
+@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification
+ 
+   private_constant :LOAD_CACHE if defined? private_constant
+ 
++  VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
++
+   # :startdoc:
+ 
+   ##
+@@ -2671,9 +2673,15 @@ def validate packaging = true
+       end
+     end
+ 
+-    unless String === name then
++    if !name.is_a?(String) then
+       raise Gem::InvalidSpecificationException,
+-            "invalid value for attribute name: \"#{name.inspect}\""
++            "invalid value for attribute name: \"#{name.inspect}\" must be a string"
++    elsif name !~ /[a-zA-Z]/ then
++      raise Gem::InvalidSpecificationException,
++            "invalid value for attribute name: #{name.dump} must include at least one letter"
++    elsif name !~ VALID_NAME_PATTERN then
++      raise Gem::InvalidSpecificationException,
++            "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores"
+     end
+ 
+     if raw_require_paths.empty? then
+diff --git lib/rubygems/text.rb lib/rubygems/text.rb
+index 732f1b99f2..b944b62c27 100644
+--- ruby-2.4.1/lib/rubygems/text.rb
++++ ruby-2.4.1/lib/rubygems/text.rb
+@@ -6,13 +6,26 @@
+ 
+ module Gem::Text
+ 
++  ##
++  # Remove any non-printable characters and make the text suitable for
++  # printing.
++  def clean_text(text)
++    text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
++  end
++
++  def truncate_text(text, description, max_length = 100_000)
++    raise ArgumentError, "max_length must be positive" unless max_length > 0
++    return text if text.size <= max_length
++    "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length]
++  end
++
+   ##
+   # Wraps +text+ to +wrap+ characters and optionally indents by +indent+
+   # characters
+ 
+   def format_text(text, wrap, indent=0)
+     result = []
+-    work = text.dup
++    work = clean_text(text)
+ 
+     while work.length > wrap do
+       if work =~ /^(.{0,#{wrap}})[ \n]/ then
+diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb
+index d8d682b136..469223c6c0 100644
+--- ruby-2.4.1/test/rubygems/test_gem_commands_query_command.rb
++++ ruby-2.4.1/test/rubygems/test_gem_commands_query_command.rb
+@@ -116,6 +116,86 @@ def test_execute_details
+     This is a lot of text. This is a lot of text. This is a lot of text.
+     This is a lot of text.
+ 
++pl (1)
++    Platform: i386-linux
++    Author: A User
++    Homepage: http://example.com
++
++    this is a summary
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++  end
++
++  def test_execute_details_cleans_text
++    spec_fetcher do |fetcher|
++      fetcher.spec 'a', 2 do |s|
++        s.summary = 'This is a lot of text. ' * 4
++        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
++        s.homepage = "http://a.example.com/\x03"
++      end
++
++      fetcher.legacy_platform
++    end
++
++    @cmd.handle_options %w[-r -d]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** REMOTE GEMS ***
++
++a (2)
++    Authors: Abraham Lincoln ., . Hirohito
++    Homepage: http://a.example.com/.
++
++    This is a lot of text. This is a lot of text. This is a lot of text.
++    This is a lot of text.
++
++pl (1)
++    Platform: i386-linux
++    Author: A User
++    Homepage: http://example.com
++
++    this is a summary
++    EOF
++
++    assert_equal expected, @ui.output
++    assert_equal '', @ui.error
++  end
++
++  def test_execute_details_truncates_summary
++    spec_fetcher do |fetcher|
++      fetcher.spec 'a', 2 do |s|
++        s.summary = 'This is a lot of text. ' * 10_000
++        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
++        s.homepage = "http://a.example.com/\x03"
++      end
++
++      fetcher.legacy_platform
++    end
++
++    @cmd.handle_options %w[-r -d]
++
++    use_ui @ui do
++      @cmd.execute
++    end
++
++    expected = <<-EOF
++
++*** REMOTE GEMS ***
++
++a (2)
++    Authors: Abraham Lincoln ., . Hirohito
++    Homepage: http://a.example.com/.
++
++    Truncating the summary for a-2 to 100,000 characters:
++#{"    This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449}    This is a lot of te
++
+ pl (1)
+     Platform: i386-linux
+     Author: A User
+diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb
+index 882981d344..dd049214fb 100644
+--- ruby-2.4.1/test/rubygems/test_gem_installer.rb
++++ ruby-2.4.1/test/rubygems/test_gem_installer.rb
+@@ -1448,6 +1448,26 @@ def test_pre_install_checks_wrong_rubygems_version
+     end
+   end
+ 
++  def test_pre_install_checks_malicious_name
++    spec = util_spec '../malicious', '1'
++    def spec.full_name # so the spec is buildable
++      "malicious-1"
++    end
++    def spec.validate; end
++
++    util_build_gem spec
++
++    gem = File.join(@gemhome, 'cache', spec.file_name)
++
++    use_ui @ui do
++      @installer = Gem::Installer.at gem
++      e = assert_raises Gem::InstallError do
++        @installer.pre_install_checks
++      end
++      assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
++    end
++  end
++
+   def test_shebang
+     util_make_exec @spec, "#!/usr/bin/ruby"
+ 
+diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb
+index cb994462cd..fbb7d89019 100644
+--- ruby-2.4.1/test/rubygems/test_gem_remote_fetcher.rb
++++ ruby-2.4.1/test/rubygems/test_gem_remote_fetcher.rb
+@@ -241,6 +241,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+     dns.verify
+   end
+ 
++  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "evil.com/a.example.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
+   def test_api_endpoint_timeout_warning
+     uri = URI.parse "http://gems.example.com/foo"
+ 
+diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
+index d43289d745..0fcc11e78f 100644
+--- ruby-2.4.1/test/rubygems/test_gem_specification.rb
++++ ruby-2.4.1/test/rubygems/test_gem_specification.rb
+@@ -2985,7 +2985,37 @@ def test_validate_name
+       @a1.validate
+     end
+ 
+-    assert_equal 'invalid value for attribute name: ":json"', e.message
++    assert_equal 'invalid value for attribute name: ":json" must be a string', e.message
++
++    @a1.name = []
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message
++
++    @a1.name = ""
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message
++
++    @a1.name = "12345"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message
++
++    @a1.name = "../malicious"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message
++
++    @a1.name = "\ba\t"
++    e = assert_raises Gem::InvalidSpecificationException do
++      @a1.validate
++    end
++    assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message
+   end
+ 
+   def test_validate_non_nil
+diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb
+index a6e22e04da..04f3f605e8 100644
+--- ruby-2.4.1/test/rubygems/test_gem_text.rb
++++ ruby-2.4.1/test/rubygems/test_gem_text.rb
+@@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after .
+     assert_equal expected, format_text(text, 78)
+   end
+ 
++  def test_format_removes_nonprintable_characters
++    assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
++  end
++
+   def test_min3
+     assert_equal 1, min3(1, 1, 1)
+     assert_equal 1, min3(1, 1, 2)
+@@ -74,4 +78,11 @@ def test_levenshtein_distance_replace
+     assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
+     assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
+   end
++
++  def test_truncate_text
++    assert_equal "abc", truncate_text("abc", "desc")
++    assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2)
++    s = "ab" * 500_001
++    assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
++  end
+ end
diff --git a/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
index 51d6c3e791..fd12ba4ce1 100644
--- a/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
+++ b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
@@ -1,4 +1,4 @@
-This patch comes from Debian and was modified by Kei Kebreau <kei@openmailbox.org>.
+This patch comes from Debian and was modified by Kei Kebreau <kkebreau@posteo.net>.
 Link: https://anonscm.debian.org/cgit/pkg-wmaker/wmfire.git/plain/debian/patches/gdk_updates.patch?h=debian/1.2.4-2&id=a272234fc5eecdbfc469adb12133196bc62f3059
 
 Description: Update for newer versions of GDK.
diff --git a/gnu/packages/patches/wxwidgets-fix-windowGTK.patch b/gnu/packages/patches/wxwidgets-fix-windowGTK.patch
deleted file mode 100644
index 1255835d01..0000000000
--- a/gnu/packages/patches/wxwidgets-fix-windowGTK.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-This patch allow Filezilla client to resize window.
-The patch was adapted from upstream source repository:
-'<http://trac.wxwidgets.org/changeset/4793e5b0a4e189e492287305859b278fed780080/git-wxWidgets>'
-
---- a/src/gtk/toplevel.cpp	2014-10-06 16:33:44.000000000 -0500
-+++ b/src/gtk/toplevel.cpp	2017-02-16 21:33:27.779907810 -0600
-@@ -1216,8 +1216,9 @@
-     int hints_mask = GDK_HINT_MIN_SIZE | GDK_HINT_MAX_SIZE;
-     hints.min_width = 1;
-     hints.min_height = 1;
--    hints.max_width = INT_MAX;
--    hints.max_height = INT_MAX;
-+    // using INT_MAX for size will lead to integer overflow with HiDPI scaling
-+    hints.max_width = INT_MAX / 16;
-+    hints.max_height = INT_MAX / 16;    
-     const int decorSize_x = m_decorSize.left + m_decorSize.right;
-     const int decorSize_y = m_decorSize.top + m_decorSize.bottom;
-     if (minSize.x > decorSize_x)
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 1a96ee237b..249f478f96 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -1295,7 +1295,7 @@ and writing of @code{.ini}-style configuration files.")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append "mirror://cpan/authors/id/J/JR/JROCKWAY/"
+       (uri (string-append "mirror://cpan/authors/id/E/ET/ETHER/"
                            "Context-Preserve-" version ".tar.gz"))
        (sha256
         (base32
@@ -3514,7 +3514,7 @@ that may contain multiple values per key, inspired by MultiDict of WebOb.")
 consume exports.  It is feature-compatible with Exporter, plus some much needed
 extras.  You can use this to import symbols from any exporter that follows
 Exporters specification.  The exporter modules themselves do not need to use or
-inherit from the Exporter module, they just need to set @EXPORT and/or other
+inherit from the Exporter module, they just need to set @@EXPORT and/or other
 variables.")
     (license (package-license perl))))
 
@@ -8165,6 +8165,16 @@ common serialisation formats such as JSON or CBOR.")
         (base32
          "1lq4p3mqqljhhy8wyiyahris33j4m5qfzpi6iacmcqjzw5g4afbm"))))
     (build-system perl-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'set-perl-search-path
+           (lambda _
+             ;; Work around "dotless @INC" build failure.
+             (setenv "PERL5LIB"
+                     (string-append (getcwd) ":"
+                                    (getenv "PERL5LIB")))
+             #t)))))
     (propagated-inputs
      `(("perl-unicode-normalize" ,perl-unicode-normalize)))
     (home-page "http://search.cpan.org/dist/Unicode-Collate")
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index d0afab0931..bcf1d00829 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -49,21 +49,10 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
-(define gd-for-php
-  (package
-    (inherit gd)
-    (source (origin
-             (inherit (package-source gd))
-             (patches 
-               (append
-                 (origin-patches (package-source gd))
-                 (search-patches "gd-CVE-2017-7890.patch")))))))
-
-
 (define-public php
   (package
     (name "php")
-    (version "7.1.8")
+    (version "7.1.9")
     (home-page "https://secure.php.net/")
     (source (origin
               (method url-fetch)
@@ -71,7 +60,7 @@
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1aramb6dm57pr2iz61id9vzfy7h5qkb6bf7dxhrwnjk0723qahw9"))
+                "130y50nawipd12nbs10661vzk8gvy7zsqcsxvj29mwaivm4a777c"))
               (modules '((guix build utils)))
               (snippet
                '(with-directory-excursion "ext"
@@ -293,7 +282,7 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd-for-php)
+       ("gd" ,gd-2.2.5)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 6fe83b2a8b..346faf434c 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -41,7 +41,7 @@
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
 ;;; Copyright © 2017 José Miguel Sánchez García <jmi2k@openmailbox.org>
 ;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2017 Muriithi Frederick Muriuki <fredmanglis@gmail.com>
 ;;;
@@ -68,6 +68,7 @@
   #:use-module (gnu packages attr)
   #:use-module (gnu packages backup)
   #:use-module (gnu packages bash)
+  #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages crypto)
   #:use-module (gnu packages databases)
@@ -2835,17 +2836,23 @@ somewhat intelligeble.")
 (define-public python-pyjwt
   (package
     (name "python-pyjwt")
-    (version "1.4.0")
+    (version "1.5.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "PyJWT" version))
        (sha256
         (base32
-         "1556v2jppd8mjkkj66pxb5rcazm35jq81r233mdl8hfmz9n3icp1"))))
+         "0pvr3iymab7v2qz74ann760z7qahqgqszxz5iqqbaqv4z2zz0y8i"))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           (for-each delete-file-recursively
+                     (find-files "." "\\.pyc$"))
+           #t))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-pytest" ,python-pytest)
+     `(("python-pytest" ,python-pytest-3.0)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/progrium/pyjwt")
@@ -3030,15 +3037,27 @@ for Python.")
 (define-public python-jinja2
   (package
     (name "python-jinja2")
-    (version "2.8")
+    (version "2.9.6")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Jinja2" version))
        (sha256
         (base32
-         "1x0v41lp5m1pjix3l46zx02b7lqp2hflgpnxwkywxynvi3zz47xw"))))
+         "1zzrkywhziqffrzks14kzixz7nd4yh2vc0fb04a68vfd2ai03anx"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         ;; These files cannot be built with Python < 3.6.  See
+         ;; https://github.com/pallets/jinja/issues/655
+         ;; FIXME: Remove this when the "python" package is upgraded.
+         (add-after 'unpack 'delete-incompatible-files
+           (lambda _
+             (for-each delete-file
+                       '("jinja2/asyncsupport.py"
+                         "jinja2/asyncfilters.py"))
+             #t)))))
     (propagated-inputs
      `(("python-markupsafe" ,python-markupsafe)))
     (home-page "http://jinja.pocoo.org/")
@@ -3762,6 +3781,71 @@ objects.")
 (define-public python2-munch
   (package-with-python2 python-munch))
 
+(define-public python-colormath
+  (package
+    (name "python-colormath")
+    (version "2.1.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "colormath" version))
+       (sha256
+        (base32
+         "01wp5xwm0a89wdm1dc9rr1ij90idzdiiipxdj1yslhqzkhnjnfh0"))))
+    (build-system python-build-system)
+    (propagated-inputs
+     `(("python-networkx" ,python-networkx)
+       ("python-numpy" ,python-numpy)))
+    (home-page "https://github.com/gtaylor/python-colormath")
+    (synopsis "Color math and conversion library")
+    (description
+     "This is a Python library for color math and conversions.")
+    (license license:bsd-3)))
+
+(define-public python2-colormath
+  (package-with-python2 python-colormath))
+
+(define-public python-spectra
+  (package
+    (name "python-spectra")
+    (version "0.0.8")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "spectra" version))
+       (sha256
+        (base32
+         "0n87kzhpkml2s2q91rdkl8wz2kkv5b0bkrgww45lxa5vq34qh6w5"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "nosetests" "-v")))))))
+    (propagated-inputs
+     `(("python-colormath" ,python-colormath)))
+    (native-inputs
+     `(("python-nose" ,python-nose)))
+    (home-page "http://github.com/jsvine/spectra")
+    (synopsis "Color scales and color conversion")
+    (description
+     "This package provides a Python library intended to make color math,
+color scales, and color space conversion easy.  It has support for:
+
+@enumerate
+@item Color scales
+@item Color ranges
+@item Color blending
+@item Brightening/darkening colors
+@item Saturating/desaturating colors
+@item Conversion to/from multiple color spaces.
+@end enumerate\n")
+    (license license:expat)))
+
+(define-public python2-spectra
+  (package-with-python2 python-spectra))
+
 (define-public python2-fastlmm
   (package
     (name "python2-fastlmm")
@@ -4313,33 +4397,56 @@ operators such as union, intersection, and difference.")
 (define-public python-rpy2
   (package
     (name "python-rpy2")
-    (version "2.7.6")
+    (version "2.9.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "rpy2" version))
        (sha256
         (base32
-         "0nhan2qvrw7b7gg5zddwa22kybdv3x1g26vkd7q8lvnkgzrs4dga"))))
+         "0bqihjrdqwj5r1h86shvfb1p5hfr4a6klv1v54bzfr9r144w3rni"))))
     (build-system python-build-system)
     (arguments
-     '(#:phases
+     '(#:modules ((ice-9 ftw)
+                  (srfi srfi-1)
+                  (srfi srfi-26)
+                  (guix build utils)
+                  (guix build python-build-system))
+       #:phases
        (modify-phases %standard-phases
-         (delete 'check)
-         (add-after 'install 'check
+         ;; Without this phase the test loader cannot find the directories, in
+         ;; which it is supposed to look for test files.
+         (add-after 'unpack 'fix-tests
+           (lambda* (#:key outputs #:allow-other-keys)
+             (substitute* "rpy/tests.py"
+               (("loader.discover\\(")
+                "loader.discover(rpy_root + '/' +"))
+             #t))
+         (replace 'check
            (lambda* (#:key outputs inputs #:allow-other-keys)
-             ;; It's easier to run tests after install.
-             ;; Make installed package available for running the tests
-             (add-installed-pythonpath inputs outputs)
+             (let ((cwd (getcwd)))
+               (setenv "PYTHONPATH"
+                       (string-append cwd "/build/"
+                                      (find (cut string-prefix? "lib" <>)
+                                            (scandir (string-append cwd "/build")))
+                                      ":"
+                                      (getenv "PYTHONPATH"))))
              (zero? (system* "python" "-m" "rpy2.tests" "-v")))))))
     (propagated-inputs
-     `(("python-six" ,python-six)))
+     `(("python-six" ,python-six)
+       ("python-jinja2" ,python-jinja2)
+       ("python-pytz" ,python-pytz)))
     (inputs
      `(("readline" ,readline)
        ("icu4c" ,icu4c)
        ("pcre" ,pcre)
        ("r-minimal" ,r-minimal)
-       ("r-survival" ,r-survival)))
+       ("r-survival" ,r-survival)
+       ("r-ggplot2" ,r-ggplot2)
+       ("r-rsqlite" ,r-rsqlite)
+       ("r-dplyr" ,r-dplyr)
+       ("r-dbplyr" ,r-dbplyr)
+       ("python-numpy" ,python-numpy)))
     (native-inputs
      `(("zlib" ,zlib)))
     (home-page "http://rpy.sourceforge.net/")
@@ -4348,14 +4455,10 @@ operators such as union, intersection, and difference.")
 low-level interface to R from Python, a proposed high-level interface,
 including wrappers to graphical libraries, as well as R-like structures and
 functions.")
-    (license license:gpl3+)))
-
-(define-public python2-rpy2
-  (let ((rpy2 (package-with-python2 python-rpy2)))
-    (package (inherit rpy2)
-      (propagated-inputs
-       `(("python2-singledispatch" ,python2-singledispatch)
-         ,@(package-propagated-inputs rpy2))))))
+    ;; Any of these licenses can be picked for the R interface.  The whole
+    ;; project is released under GPLv2+ according to the license declaration
+    ;; in "setup.py".
+    (license (list license:mpl2.0 license:gpl2+ license:lgpl2.1+))))
 
 (define-public python-scipy
   (package
@@ -9095,16 +9198,13 @@ with python-requests.")
 (define-public python-click-threading
   (package
     (name "python-click-threading")
-    (version "0.2.0")
+    (version "0.4.3")
     (source (origin
              (method url-fetch)
-             (uri (string-append
-                    "https://pypi.python.org/packages/"
-                    "fe/b7/e7f609d18a2a351cb71616adcf54df1acd82f83cb9b5936935a4d20e2c23/"
-                    "click-threading-" version ".tar.gz"))
+             (uri (pypi-uri "click-threading" version))
              (sha256
               (base32
-               "18bcqikxwb3drb8rf60cclxkxw52521b38ax3byah6j8cn8y9p4j"))))
+               "0xs4bg2ws0zgyiplk312l049hi23c2zqf1g771rjhh5vr2msk4cg"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-click" ,python-click)))
@@ -9117,13 +9217,13 @@ applications.")
 (define-public python-click-log
   (package
     (name "python-click-log")
-    (version "0.1.8")
+    (version "0.2.0")
     (source (origin
              (method url-fetch)
              (uri (pypi-uri "click-log" version))
              (sha256
               (base32
-               "14ikfjfgnzf21mjniq9lfk2igzykgzfvwwrk85nw2b9fq44109sp"))))
+               "1bjrfxji1yv4fj0g78ri2yfgn2wbivn8g69fxfinxvxpmighhshp"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-click" ,python-click)))
@@ -9328,13 +9428,13 @@ processes across test runs.")
 (define-public python-icalendar
   (package
     (name "python-icalendar")
-    (version "3.11.6")
+    (version "3.11.7")
     (source (origin
              (method url-fetch)
              (uri (pypi-uri "icalendar" version))
              (sha256
               (base32
-               "1ny9mbm9zgghl612b8wc4ap52bz3kgl486d7f307gxjmlqgz3i64"))))
+               "0ahf1i98wjizhld2qd7v2vmvzsmdw08mmins82bf3fpbnp2sxbgc"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-dateutil" ,python-dateutil)
@@ -13376,7 +13476,7 @@ PNG, JPEG, JPEG2000 and GIF files in pure Python.")
      (origin
        (method git-fetch)
        (uri (git-reference
-             (url "git://github.com/tgalal/python-axolotl-curve25519")
+             (url "https://github.com/tgalal/python-axolotl-curve25519")
              (commit "e4a9c4de0eae27223200579c58d1f8f6d20637e2")))
        (file-name (string-append name "-" version "-checkout"))
        (sha256
@@ -13991,7 +14091,22 @@ parse many formal languages.")
          "1i9gik0xrj6jmi95s5w988jl1y265baz5xm5pbqdyvsh8h9ln6yq"))))
     (build-system python-build-system)
     (arguments
-     `(#:python ,python-2))
+     `(#:python ,python-2
+       #:phases
+       (modify-phases %standard-phases
+         ;; check phase needs to be run before the build phase. If not,
+         ;; coverage-test-runner looks for tests for the built source files,
+         ;; and fails.
+         (delete 'check)
+         (add-before 'build 'check
+           (lambda _
+             ;; Disable python3 tests
+             (substitute* "check"
+               (("python3") "# python3"))
+             (zero? (system* "./check")))))))
+    (native-inputs
+     `(("python2-coverage-test-runner" ,python2-coverage-test-runner)
+       ("python2-pep8" ,python2-pep8)))
     (propagated-inputs
      `(("python2-pyaml" ,python2-pyaml)))
     (home-page "https://liw.fi/cliapp/")
@@ -14016,8 +14131,20 @@ iterating over input files.")
         (base32
          "0vivqbw7ddhsq1zj3g9cvvv4f0phl0pis2smsnwcr2szz2fk3hl6"))))
     (build-system python-build-system)
+    (native-inputs
+     `(("python2-coverage-test-runner" ,python2-coverage-test-runner)
+       ("python2-pep8" ,python2-pep8)))
     (arguments
-     `(#:python ,python-2))
+     `(#:python ,python-2
+       #:phases
+       (modify-phases %standard-phases
+         ;; check phase needs to be run before the build phase. If not,
+         ;; coverage-test-runner looks for tests for the built source files,
+         ;; and fails.
+         (delete 'check)
+         (add-before 'build 'check
+           (lambda _
+             (zero? (system* "make" "check")))))))
     (home-page "https://liw.fi/ttystatus/")
     (synopsis "Python library for showing progress reporting and
 status updates on terminals")
@@ -14064,12 +14191,26 @@ happens using the @code{logging} library.")
        (uri (string-append
              "http://git.liw.fi/cgi-bin/cgit/cgit.cgi/larch/snapshot/larch-"
              version ".tar.gz"))
+       (patches (search-patches
+                 "python2-larch-coverage-4.0a6-compatibility.patch"))
        (sha256
         (base32
          "1p4knkkavlqymgciz2wbcnfrdgdbafhg14maplnk4vbw0q8xs663"))))
     (build-system python-build-system)
     (arguments
-     `(#:python ,python-2))
+     `(#:python ,python-2
+       #:phases
+       (modify-phases %standard-phases
+         ;; check phase needs to be run before the build phase. If not,
+         ;; coverage-test-runner looks for tests for the built source files,
+         ;; and fails.
+         (delete 'check)
+         (add-before 'build 'check
+           (lambda _
+             (zero? (system* "make" "check")))))))
+    (native-inputs
+     `(("cmdtest" ,cmdtest)
+       ("python2-coverage-test-runner" ,python2-coverage-test-runner)))
     (propagated-inputs
      `(("python2-tracing" ,python2-tracing)))
     (home-page "https://liw.fi/larch/")
@@ -15916,6 +16057,51 @@ pure Python module.")
 (define-public python2-rencode
   (package-with-python2 python-rencode))
 
+(define-public python-xenon
+  (package
+    (name "python-xenon")
+    (version "0.5.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "xenon" version))
+       (sha256
+        (base32
+         "14kby2y48vp3sgwxqlm5d5789yibqwb1qli5fwcmdqg3iayrbklc"))))
+    (build-system python-build-system)
+    (native-inputs
+     `(("python-pyyaml" ,python-pyyaml)
+       ("python-radon" ,python-radon)
+       ("python-requests" ,python-requests)
+       ("python-flake8" ,python-flake8)
+       ("python-tox" ,python-tox)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'patch-test-requirements
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; Update requirements from dependency==version to
+             ;; dependency>=version.
+             (substitute* "requirements.txt"
+               (("==") ">=")
+               ((",<1.5.0") ""))
+             ;; Remove httpretty dependency for tests.
+             (substitute* "setup.py"
+               (("httpretty") ""))
+             #t)))))
+    (home-page "https://xenon.readthedocs.org/")
+    (synopsis "Monitor code metrics for Python on your CI server")
+    (description
+     "Xenon is a monitoring tool based on Radon.  It monitors code complexity.
+Ideally, @code{xenon} is run every time code is committed.  Through command
+line options, various thresholds can be set for the complexity of code.  It
+will fail (i.e.  it will exit with a non-zero exit code) when any of these
+requirements is not met.")
+    (license license:expat)))
+
+(define-public python2-xenon
+  (package-with-python2 python-xenon))
+
 (define-public python-flask-principal
   (package
     (name "python-flask-principal")
@@ -15965,3 +16151,47 @@ authentication for Flask routes.")
 
 (define-public python2-flask-httpauth
   (package-with-python2 python-flask-httpauth))
+
+(define-public python-pysocks
+  (package
+    (name "python-pysocks")
+    (version "1.6.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "PySocks" version))
+       (sha256
+        (base32
+         "1krkiss578zqwcg4c8iqz1hwscwhsvy2djp3xyvps5gsgvr2j0yh"))))
+    (build-system python-build-system)
+    (arguments `(#:tests? #f))
+    (home-page "https://github.com/Anorov/PySocks")
+    (synopsis "SOCKS client module")
+    (description "@code{pysocks} is an updated and semi-actively maintained
+version of @code{SocksiPy} with bug fixes and extra features.")
+    (license license:bsd-3)))
+
+(define-public python2-pysocks
+  (package-with-python2 python-pysocks))
+
+(define-public python-pyaes
+  (package
+    (name "python-pyaes")
+    (version "1.6.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "pyaes" version))
+       (sha256
+        (base32
+         "0bp9bjqy1n6ij1zb86wz9lqa1dhla8qr1d7w2kxyn7jbj56sbmcw"))))
+    (build-system python-build-system)
+    (home-page "https://github.com/ricmoo/pyaes")
+    (synopsis "Implementation of AES in Python")
+    (description "This package contains a pure-Python implementation of the
+AES block cipher algorithm and the common modes of operation (CBC, CFB, CTR,
+ECB and OFB).")
+    (license license:expat)))
+
+(define-public python2-pyaes
+  (package-with-python2 python-pyaes))
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 243ff9e5db..6251145f09 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -121,7 +121,10 @@ a focus on simplicity and productivity.")
        (snippet `(begin
                    ;; Remove bundled libffi
                    (delete-file-recursively "ext/fiddle/libffi-3.2.1")
-                   #t))))))
+                   #t))
+       (patches
+        (search-patches "ruby-rubygems-2612-ruby24.patch"
+                        "ruby-rubygems-2613-ruby24.patch"))))))
 
 (define-public ruby-2.3
   (package
@@ -137,6 +140,7 @@ a focus on simplicity and productivity.")
         (base32
          "132p5kc1sx97svbx04g40pz5pr7p8f6jlmnq5r2prlcz5q1xj71l"))
        (modules '((guix build utils)))
+       (patches (search-patches "ruby-2.3.4-rubygems-2613-ruby23.patch"))
        (snippet `(begin
                    ;; Remove bundled libffi
                    (delete-file-recursively "ext/fiddle/libffi-3.2.1")
@@ -151,6 +155,7 @@ a focus on simplicity and productivity.")
        (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
                            (version-major+minor version)
                            "/ruby-" version ".tar.xz"))
+       (patches (search-patches "ruby-2.2.7-rubygems-2613-ruby22.patch"))
        (sha256
         (base32
          "0lyb7gnbbhs3a3v9grsjgbaixm20wxz6x3h0czyrxnj3cpp8lk13"))))))
diff --git a/gnu/packages/screen.scm b/gnu/packages/screen.scm
index ef67595a89..0a92b73e34 100644
--- a/gnu/packages/screen.scm
+++ b/gnu/packages/screen.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -85,7 +86,8 @@ view to show two terminals at once.")
          (replace 'install
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out")))
-               (install-file "dtach" (string-append out "/bin"))))))
+               (install-file "dtach" (string-append out "/bin"))
+               (install-file "dtach.1" (string-append out "/share/man/man1"))))))
        ;; No check target.
        #:tests? #f))
     (home-page "http://dtach.sourceforge.net/")
diff --git a/gnu/packages/search.scm b/gnu/packages/search.scm
index cc8c0630bb..62da3be0fd 100644
--- a/gnu/packages/search.scm
+++ b/gnu/packages/search.scm
@@ -264,15 +264,17 @@ conflict with slocate compatibility.")
     ;; building: xpdf, catdoc, MP3::Tag, Spreadsheet::ParseExcel,
     ;; HTML::Entities.
     (inputs
-     `(("libxml" ,libxml2)
-       ("zlib" ,zlib)
-       ("perl" ,perl)
+     `(("perl" ,perl)
        ("perl-uri" ,perl-uri)
        ("perl-html-parser" ,perl-html-parser)
        ("perl-html-tagset" ,perl-html-tagset)
        ("perl-mime-types" ,perl-mime-types)))
     (arguments
-     `(#:phases (modify-phases %standard-phases
+     `(;; XXX: This fails to build with zlib (API mismatch) and tests fail
+       ;; with libxml2, so disable both.
+       #:configure-flags (list (string-append "--without-zlib")
+                               (string-append "--without-libxml2"))
+       #:phases (modify-phases %standard-phases
                   (add-after 'install 'wrap-programs
                     (lambda* (#:key inputs outputs #:allow-other-keys)
                       (let* ((out (assoc-ref outputs "out")))
diff --git a/gnu/packages/serialization.scm b/gnu/packages/serialization.scm
index 8032e3181d..54ccbf7c79 100644
--- a/gnu/packages/serialization.scm
+++ b/gnu/packages/serialization.scm
@@ -263,7 +263,7 @@ that implements both the msgpack and msgpack-rpc specifications.")
 (define-public jsoncpp
   (package
     (name "jsoncpp")
-    (version "1.8.0")
+    (version "1.8.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -272,7 +272,7 @@ that implements both the msgpack and msgpack-rpc specifications.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1g35ci93s03wph4kabi46iz42wgyfbn2763cklf15h7hrdi29ssx"))))
+                "1vwf0yrv5540ygfnxikirbs63awsdzn7dabkia3g0bnz43p5l7w1"))))
     (build-system cmake-build-system)
     (home-page "https://github.com/open-source-parsers/jsoncpp")
     (arguments
@@ -359,14 +359,14 @@ However, “Memory efficiency” and “Speed” have not been primary goals.")
 (define-public python-ruamel.yaml
   (package
     (name "python-ruamel.yaml")
-    (version "0.15.19")
+    (version "0.15.33")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "ruamel.yaml" version))
        (sha256
         (base32
-         "0qx779avw8d1vsjqyi7z21h1g5ykp8paqavgj0lzbp8h7bw9vpgv"))))
+         "1s4b0zwn9pkk4xxjhx77giyfddc738drd6vgraw6n2syvj03s31d"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-pytest" ,python-pytest)))
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index f1b408982c..09a6c3a03f 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -174,7 +174,7 @@ highlighting.")
     (source (origin
               (method git-fetch)
               (uri (git-reference
-                    (url "git://github.com/rakitzis/rc.git")
+                    (url "https://github.com/rakitzis/rc.git")
                     ;; commit name 'release: rc-1.7.4'
                     (commit "c884da53a7c885d46ace2b92de78946855b18e92")))
               (sha256
diff --git a/gnu/packages/shellutils.scm b/gnu/packages/shellutils.scm
index 3ecc1ee8ba..2d515ec7a5 100644
--- a/gnu/packages/shellutils.scm
+++ b/gnu/packages/shellutils.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2016 Matthew Jordan <matthewjordandevops@yandex.com>
 ;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2016 Christopher Baines <mail@cbaines.net>
+;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -122,3 +123,37 @@ Before each prompt, direnv checks for the existence of a .envrc file in the
 current and parent directories.  This file is then used to alter the
 environmental variables of the current shell.")
     (license expat)))
+
+(define-public fzy
+  (package
+    (name "fzy")
+    (version "0.9")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/jhawthorn/fzy/archive/"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "1xfgxqbkcpi2n4381kj3fq4026qs6by7xhl5gn0fgp3dh232c63j"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:make-flags (list "CC=gcc"
+                          (string-append "PREFIX=" (assoc-ref %outputs "out")))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure))))
+    (home-page "https://github.com/jhawthorn/fzy")
+    (synopsis "Fast fuzzy text selector for the terminal with an advanced
+scoring algorithm")
+    (description
+     "Most other fuzzy matchers sort based on the length of a match.  fzy tries
+to find the result the user intended.  It does this by favouring matches on
+consecutive letters and starts of words.  This allows matching using acronyms
+or different parts of the path.
+
+fzy is designed to be used both as an editor plugin and on the command
+line.  Rather than clearing the screen, fzy displays its interface directly
+below the current cursor position, scrolling the screen if necessary.")
+    (license expat)))
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index ad3032e2ec..df2d56212e 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -65,7 +65,7 @@
 (define-public pspp
   (package
     (name "pspp")
-    (version "1.0.0")
+    (version "1.0.1")
     (source
      (origin
       (method url-fetch)
@@ -73,7 +73,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "10yb8nknh33c1y2ji3gww5dcnx9n3nqgsj6yfb4wibdjypa1m68v"))))
+        "1r8smr5057993h90nx0mdnff8nxw9x546zzh6qpy4h3xblp1la5s"))))
     (build-system gnu-build-system)
     (inputs
      `(("cairo" ,cairo)
@@ -106,7 +106,7 @@ be output in text, PostScript, PDF or HTML.")
 (define-public r-minimal
   (package
     (name "r-minimal")
-    (version "3.4.0")
+    (version "3.4.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://cran/src/base/R-"
@@ -114,7 +114,7 @@ be output in text, PostScript, PDF or HTML.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "14cb8bwi3akvdb6934kqic2862f2qgav6cq4g0h7gi2p4ka9x3i8"))))
+                "0y7wlfk3cn1dxn2mpnxwvsk31s0599crbsyah8srm5pa2mfi7c82"))))
     (build-system gnu-build-system)
     (arguments
      `(#:disallowed-references (,tzdata-2017a)
@@ -185,6 +185,14 @@ be output in text, PostScript, PDF or HTML.")
              (substitute* "src/library/tools/Makefile.in"
                (("(install_package_description\\(.*\"')\\)\"" line prefix)
                 (string-append prefix ", builtStamp='1970-01-01')\"")))
+
+             ;; R bundles an older version of help2man, which does not respect
+             ;; SOURCE_DATE_EPOCH.  We cannot just use the latest help2man,
+             ;; because that breaks a test.
+             (with-fluids ((%default-port-encoding "ISO-8859-1"))
+               (substitute* "tools/help2man.pl"
+                 (("my \\$date = strftime \"%B %Y\", localtime" line)
+                  (string-append line " 1"))))
              #t))
          (add-before 'configure 'set-default-pager
           ;; Set default pager to "cat", because otherwise it is "false",
@@ -447,14 +455,14 @@ also flexible enough to handle most nonstandard requirements.")
 (define-public r-matrix
   (package
     (name "r-matrix")
-    (version "1.2-10")
+    (version "1.2-11")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "Matrix" version))
        (sha256
         (base32
-         "0r3qjcz92xwgdzrfz444mqzwnja5sv9abaf252fh6k48qbyahahh"))))
+         "1yvd6fx3n99j4gvzrng43ji38pr5h8y03kijccgjdalym2hcp36g"))))
     (properties `((upstream-name . "Matrix")))
     (build-system r-build-system)
     (propagated-inputs
@@ -492,14 +500,14 @@ nonlinear mixed-effects models.")
 (define-public r-mgcv
   (package
    (name "r-mgcv")
-   (version "1.8-18")
+   (version "1.8-19")
    (source
     (origin
      (method url-fetch)
      (uri (cran-uri "mgcv" version))
      (sha256
       (base32
-       "011mgcypr56xvm9nizsfsb2285kzql93x0d3lzg849g39vbpp4s2"))))
+       "18zpnqilc2586764j7smwbixxz5gzpkpz2gq8nwgidfkyqwrkc45"))))
    (build-system r-build-system)
    (propagated-inputs
     `(("r-matrix" ,r-matrix)
@@ -992,13 +1000,13 @@ using just two functions: melt and dcast (or acast).")
 (define-public r-scales
   (package
     (name "r-scales")
-    (version "0.4.1")
+    (version "0.5.0")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "scales" version))
        (sha256
-        (base32 "1lqccfmqdwrw0cjyqvw2zvgpk2jvnqrfb303l1raqyyf3zxqhav4"))))
+        (base32 "0zg9wfzmsdjxpbld0nzv7hcpq5r0wazqxmn7grvvif2agj0w1z6v"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-dichromat" ,r-dichromat)
@@ -1006,7 +1014,9 @@ using just two functions: melt and dcast (or acast).")
        ("r-munsell" ,r-munsell)
        ("r-plyr" ,r-plyr)
        ("r-rcolorbrewer" ,r-rcolorbrewer)
-       ("r-rcpp" ,r-rcpp)))
+       ("r-rcpp" ,r-rcpp)
+       ("r-r6" ,r-r6)
+       ("r-viridislite" ,r-viridislite)))
     (home-page "https://github.com/hadley/scales")
     (synopsis "Scale functions for visualization")
     (description
@@ -1159,13 +1169,13 @@ R/DBMS implementations.")
 (define-public r-bh
   (package
     (name "r-bh")
-    (version "1.62.0-1")
+    (version "1.65.0-1")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "BH" version))
               (sha256
                (base32
-                "01vfdpfznd4ynqql33z238xr262mvy3i80lyi8l3a3p3hi0a262p"))))
+                "0n6byzrvl1w4hjdxz479q4a7w1118f9ckqc4gqydq7lgzs5agfl2"))))
     (build-system r-build-system)
     (home-page "https://github.com/eddelbuettel/bh")
     (synopsis "R package providing subset of Boost headers")
@@ -1300,13 +1310,13 @@ emitter (http://pyyaml.org/wiki/LibYAML) for R.")
 (define-public r-knitr
   (package
     (name "r-knitr")
-    (version "1.16")
+    (version "1.17")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "knitr" version))
               (sha256
                (base32
-                "02balmhvc955rkqv4v0wkxbw4vjphydajgcpy4ml0s3b4sziyj0h"))))
+                "00gljbz57n9lkvbd6az4n37gpbs8vg3fxx5p9biamhmhqyra514l"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-evaluate" ,r-evaluate)
@@ -1502,13 +1512,13 @@ defined in different packages.")
 (define-public r-rlang
   (package
     (name "r-rlang")
-    (version "0.1.1")
+    (version "0.1.2")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "rlang" version))
               (sha256
                (base32
-                "0grwqy3zkvz96mvpwfbfyqid4jkfrqh3ldy2n6dpv2kjd1fzj0ar"))))
+                "1yc5qyq6h0nrya7m2fqnfv19zh5xwsl28jx6zi2g1zz6ra4cvkwh"))))
     (build-system r-build-system)
     (home-page "http://rlang.tidyverse.org")
     (synopsis "Functions for base types, core R and Tidyverse features")
@@ -1520,14 +1530,14 @@ like tidy evaluation.")
 (define-public r-tibble
   (package
     (name "r-tibble")
-    (version "1.3.3")
+    (version "1.3.4")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "tibble" version))
        (sha256
         (base32
-         "1bhq4pm56l7l6s1k44ajrcr7hz56h37m9ck4zji9f8xfdqschbl0"))))
+         "02vn6yqzcvmazy5jaqar3wwbrmh83a1bfgsqgk0hgz38i80zgvm7"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-rlang" ,r-rlang)
@@ -1575,6 +1585,36 @@ matter where it is stored, whether in a data frame, a data table or
 database.")
     (license license:expat)))
 
+(define-public r-dbplyr
+  (package
+    (name "r-dbplyr")
+    (version "1.1.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "dbplyr" version))
+       (sha256
+        (base32
+         "17gn8vr4a6m9ynarjbm9xsrhcvgn5lnxhb2qhiiglmhh5mm4a7kv"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-assertthat" ,r-assertthat)
+       ("r-dbi" ,r-dbi)
+       ("r-dplyr" ,r-dplyr)
+       ("r-glue" ,r-glue)
+       ("r-purrr" ,r-purrr)
+       ("r-r6" ,r-r6)
+       ("r-rlang" ,r-rlang)
+       ("r-tibble" ,r-tibble)))
+    (home-page "https://github.com/tidyverse/dbplyr")
+    (synopsis "Dplyr back end for databases")
+    (description
+     "This package provides a dplyr back end for databases that allows you to
+work with remote database tables as if they are in-memory data frames.  Basic
+features works with any database that has a @code{DBI} back end; more advanced
+features require SQL translation to be provided by the package author.")
+    (license license:expat)))
+
 (define-public r-acepack
   (package
     (name "r-acepack")
@@ -1844,14 +1884,14 @@ chain.")
 (define-public r-ade4
   (package
     (name "r-ade4")
-    (version "1.7-6")
+    (version "1.7-8")
     (source
       (origin
         (method url-fetch)
         (uri (cran-uri "ade4" version))
         (sha256
           (base32
-            "0lnc37d6waajmagy8qvw206pyc4vgrpzl3hk3j9frh6wa0b8x140"))))
+            "1a5p3wf8l9cp1bjp57b1pc5bqs39kw1v21i4waj9j18wawzlmpb6"))))
     (build-system r-build-system)
     (home-page "http://pbil.univ-lyon1.fr/ADE-4")
     (synopsis "Multivariate data analysis and graphical display")
@@ -2117,16 +2157,15 @@ other packages.")
 (define-public r-commonmark
   (package
     (name "r-commonmark")
-    (version "1.2")
+    (version "1.4")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "commonmark" version))
        (sha256
         (base32
-         "12q5mncxvkwdxc35is6y5idx8a1h99hyz5x6ri0arni6k25krchk"))))
+         "1vb8r9khpvcf0q7acv8rsplfjjwcll302bg5kp596cvn6aacypl6"))))
     (build-system r-build-system)
-    ;;(inputs `(("zlib" ,zlib)))
     (home-page "http://cran.r-project.org/web/packages/commonmark")
     (synopsis "CommonMark and Github Markdown Rendering in R")
     (description
@@ -2198,22 +2237,20 @@ integers.")
 (define-public r-httr
   (package
     (name "r-httr")
-    (version "1.2.1")
+    (version "1.3.1")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "httr" version))
               (sha256
                (base32
-                "03kkjlhyvvi5znwaxfm6cmdsg3q7ivwsvkzgabhjdj2jxs80pfg7"))))
+                "0n7jz2digbgv48rbr9vmzv4vmf4rahl9jjy31izs7sxj4rs4s4r2"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-curl" ,r-curl)
-       ("r-digest" ,r-digest)
        ("r-jsonlite" ,r-jsonlite)
        ("r-openssl" ,r-openssl)
        ("r-mime" ,r-mime)
-       ("r-r6" ,r-r6)
-       ("r-stringr" ,r-stringr)))
+       ("r-r6" ,r-r6)))
     (home-page "https://github.com/hadley/httr")
     (synopsis "Tools for working with URLs and HTTP")
     (description
@@ -2358,13 +2395,13 @@ disk (or a connection).")
 (define-public r-plotrix
   (package
     (name "r-plotrix")
-    (version "3.6-5")
+    (version "3.6-6")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "plotrix" version))
               (sha256
                (base32
-                "01655y3qzy0283ppc85bi0g42g20zrqzcl0qb30cl6rcbflhymlb"))))
+                "07hywp3ym0gbpqdj3f4vhr0bhmynhby8vh6p1b9cm2hv26pzs9q4"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/plotrix")
     (synopsis "Various plotting functions")
@@ -2417,13 +2454,13 @@ well as additional utilities such as panel and axis annotation functions.")
 (define-public r-rcpparmadillo
   (package
     (name "r-rcpparmadillo")
-    (version "0.7.900.2.0")
+    (version "0.7.960.1.2")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "RcppArmadillo" version))
               (sha256
                (base32
-                "01qsff2p1fp5i9lq7rsykrskgr6smz24ddspbl5ad9a8rkmczwyv"))))
+                "0kg8vbamaz3413h283f23hzgqkmfpf6fs0vbklmpj0l3ricvp9cc"))))
     (properties `((upstream-name . "RcppArmadillo")))
     (build-system r-build-system)
     (propagated-inputs
@@ -3520,22 +3557,51 @@ perceived by readers with the most common form of color blindness.  This is
 the 'lite' version of the more complete @code{viridis} package.")
     (license license:expat)))
 
+(define-public r-tidyselect
+  (package
+    (name "r-tidyselect")
+    (version "0.2.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "tidyselect" version))
+       (sha256
+        (base32
+         "1h10qc5bxk5v0zhmip3gwnzy50fs2gbdvcg2163is0k9a8rifq9r"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-glue" ,r-glue)
+       ("r-purrr" ,r-purrr)
+       ("r-rcpp" ,r-rcpp)
+       ("r-rlang" ,r-rlang)))
+    (home-page "http://cran.r-project.org/web/packages/tidyselect")
+    (synopsis "Select from a set of strings")
+    (description
+     "This package provides a backend for the selecting functions of the
+tidyverse.  It makes it easy to implement select-like functions in your own
+packages in a way that is consistent with other tidyverse interfaces for
+selection.")
+    (license license:gpl3)))
+
 (define-public r-tidyr
   (package
     (name "r-tidyr")
-    (version "0.6.3")
+    (version "0.7.0")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "tidyr" version))
        (sha256
         (base32
-         "14s57zrjm2phiy600z9ivq4az71z0ggmp6nj0js7yrybxf0dlah6"))))
+         "1lg0amx5hs37ajwjxz7ya50q4s28jcdj51kzl10s1x4l1akp7xls"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-dplyr" ,r-dplyr)
-       ("r-lazyeval" ,r-lazyeval)
        ("r-magrittr" ,r-magrittr)
+       ("r-glue" ,r-glue)
+       ("r-purrr" ,r-purrr)
+       ("r-rlang" ,r-rlang)
+       ("r-tidyselect" ,r-tidyselect)
        ("r-rcpp" ,r-rcpp)
        ("r-stringi" ,r-stringi)
        ("r-tibble" ,r-tibble)))
@@ -3906,14 +3972,14 @@ routines.")
 (define-public r-fastcluster
   (package
     (name "r-fastcluster")
-    (version "1.1.22")
+    (version "1.1.24")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "fastcluster" version))
        (sha256
         (base32
-         "006k9isra5biyavqwci61avladw19mhp6kmkjj3777rl1r4r8b9z"))))
+         "15drhl22wm8whsy6b3vv754skfddiydb068zn1whrw5sknvkkjc2"))))
     (build-system r-build-system)
     (home-page "http://danifold.net/fastcluster.html")
     (synopsis "Fast hierarchical clustering routines")
@@ -5194,14 +5260,14 @@ multivariate case.")
 (define-public r-tclust
   (package
     (name "r-tclust")
-    (version "1.2-7")
+    (version "1.3-1")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "tclust" version))
        (sha256
         (base32
-         "1mvqr280c6kwpg98byd0r1y0qf238xn2x15y8npqch6lpcszlb3x"))))
+         "1li62wynv81kb17fx7nk63a26qlb78l8fdf63in8yzcl7fkpji7y"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-cluster" ,r-cluster)
diff --git a/gnu/packages/tcl.scm b/gnu/packages/tcl.scm
index de888891c4..e0ce6df421 100644
--- a/gnu/packages/tcl.scm
+++ b/gnu/packages/tcl.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -190,7 +190,7 @@ interfaces (GUIs) in the Tcl language.")
 (define-public perl-tk
   (package
     (name "perl-tk")
-    (version "804.033")
+    (version "804.034")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -198,7 +198,7 @@ interfaces (GUIs) in the Tcl language.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "1bc8bacsf95598yimrxijymb3advrgan73pqxj75qmd20ydnwxc4"))))
+               "1qiz55dmw7hm1wgpjdzf2jffwcj0hisr3kf80qi8lli3qx2b39py"))))
     (build-system perl-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs `(("libx11" ,libx11)
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index f12746c83f..a38b2afc0c 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
@@ -3589,6 +3589,26 @@ technical illustrations.  Its output is scalable PostScript or SVG, rather
 than the bitmaps Metafont creates.")
     (license license:lppl)))
 
+(define-public texlive-latex-acmart
+  (package
+    (name "texlive-latex-acmart")
+    (version "1.45")
+    (source (origin
+              (method svn-fetch)
+              (uri (texlive-ref "latex" "acmart"))
+              (sha256
+               (base32
+                "10zs8ga88ksypv1v4p6mynmfa7749q2hgxlr4shnwfjd9wrb421q"))
+              (file-name (string-append name "-" version "-checkout"))))
+    (build-system texlive-build-system)
+    (arguments '(#:tex-directory "latex/acmart"))
+    (home-page "http://www.ctan.org/pkg/acmart")
+    (synopsis "Class for typesetting publications of ACM")
+    (description
+     "This package provides a class for typesetting publications of the
+Association for Computing Machinery (ACM).")
+    (license license:lppl1.3+)))
+
 (define-public texlive-latex-varwidth
   (package
     (name "texlive-latex-varwidth")
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index 537d013345..70b057ffd3 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -11,7 +11,7 @@
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2017 Hartmut Goebel <h.goebel@crazy-compilers.com>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 111a1c3734..4183dda3c6 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -763,7 +763,7 @@ then ported to the GNU / Linux environment.")
 (define-public mbedtls-apache
   (package
     (name "mbedtls-apache")
-    (version "2.5.1")
+    (version "2.6.0")
     (source
      (origin
        (method url-fetch)
@@ -773,7 +773,7 @@ then ported to the GNU / Linux environment.")
                            version "-apache.tgz"))
        (sha256
         (base32
-         "1yc1rj0izjihj9hbzvskpa4gjzqf4dm2i84nmmm2s9j1i66fp6jm"))))
+         "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("perl" ,perl)))
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 0ab6442d43..7a673a89fb 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>
 ;;; Copyright © 2016 Andy Patterson <ajpatter@uwaterloo.ca>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
@@ -753,14 +753,14 @@ audio/video codec library.")
 (define-public ffmpeg-2.8
   (package
     (inherit ffmpeg)
-    (version "2.8.12")
+    (version "2.8.13")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "1gc32akvdms3rywphnap94lqqici8l5898a09ir1ad5rif5g24v2"))))
+               "0hyqr391pika4vgynv90bacz11wdpqcqfgj5h7g5jrmgvz6hgj68"))))
     (arguments
      (substitute-keyword-arguments (package-arguments ffmpeg)
        ((#:configure-flags flags)
@@ -784,10 +784,7 @@ audio/video codec library.")
                "1a22b913p2227ljz89c4fgjlyln5gcz8z58w32r0wh4srnnd60y4"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("git" ,git) ; needed for a test
-       ("libtool" ,libtool)
+     `(("git" ,git) ; needed for a test
        ("pkg-config" ,pkg-config)))
     ;; FIXME: Add optional inputs once available.
     (inputs
@@ -823,9 +820,8 @@ audio/video codec library.")
        ("perl" ,perl)
        ("pulseaudio" ,pulseaudio)
        ("python" ,python-wrapper)
-       ("qt" ,qt) ; FIXME: reenable modular qt after update - requires building
-       ;("qtbase" ,qtbase) with -std=gnu++11.
-       ;("qtx11extras" ,qtx11extras)
+       ("qtbase" ,qtbase)
+       ("qtx11extras" ,qtx11extras)
        ("sdl" ,sdl)
        ("sdl-image" ,sdl-image)
        ("speex" ,speex)
@@ -833,33 +829,27 @@ audio/video codec library.")
        ("xcb-util-keysyms" ,xcb-util-keysyms)))
     (arguments
      `(#:configure-flags
-       `(;; Gross workaround for <https://trac.videolan.org/vlc/ticket/16907>.
-         ;; In our case, this led to a test failure:
-         ;;   test_libvlc_equalizer: libvlc/equalizer.c:122: test_equalizer: Assertion `isnan(libvlc_audio_equalizer_get_amp_at_index (equalizer, u_bands))' failed.
-         "ac_cv_c_fast_math=no"
-
+       `("CXXFLAGS=-std=gnu++11"
          ,(string-append "LDFLAGS=-Wl,-rpath -Wl,"
                          (assoc-ref %build-inputs "ffmpeg")
                          "/lib"))                 ;needed for the tests
 
        #:phases
        (modify-phases %standard-phases
-         (add-before 'configure 'bootstrap
-           (lambda _ (zero? (system* "sh" "bootstrap"))))
-         (add-before 'bootstrap 'fix-livemedia-utils-prefix
+         (add-after 'unpack 'patch-source
            (lambda* (#:key inputs #:allow-other-keys)
              (let ((livemedia-utils (assoc-ref inputs "livemedia-utils")))
-               (substitute* "configure.ac"
+               (substitute* "configure"
                  (("LIVE555_PREFIX=\\$\\{LIVE555_PREFIX-\"/usr\"\\}")
                   (string-append "LIVE555_PREFIX=" livemedia-utils)))
+               ;; Some of the tests require using the display to test out VLC,
+               ;; which fails in our sandboxed build system
+               (substitute* "test/run_vlc.sh"
+                 (("./vlc --ignore-config") "echo"))
+               ;; XXX Likely not needed for >2.2.6.
+               (substitute* "modules/gui/qt4/components/interface_widgets.cpp"
+                 (("<qx11info_x11.h>") "<QtX11Extras/qx11info_x11.h>"))
                #t)))
-         (add-before 'configure 'remove-visual-tests
-           ;; Some of the tests require using the display to test out VLC,
-           ;; which fails in our sandboxed build system
-           (lambda _
-             (substitute* "test/run_vlc.sh"
-                          (("./vlc --ignore-config") "echo"))
-             #t))
          (add-after 'install 'regenerate-plugin-cache
            (lambda* (#:key outputs #:allow-other-keys)
              ;; The 'install-exec-hook' rule in the top-level Makefile.am
@@ -1125,7 +1115,7 @@ access to mpv's powerful playback capabilities.")
 (define-public youtube-dl
   (package
     (name "youtube-dl")
-    (version "2017.08.23")
+    (version "2017.09.02")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://yt-dl.org/downloads/"
@@ -1133,7 +1123,7 @@ access to mpv's powerful playback capabilities.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1vq0r37ynnj2hx0ssh3hycg4wzhwch5pphq76swfz76r1klnrich"))))
+                "1sfra8rfb7hkbgmw2n2s42fpkh0y7j9lyars7qda3rj34ai7r6k9"))))
     (build-system python-build-system)
     (arguments
      ;; The problem here is that the directory for the man page and completion
@@ -1442,7 +1432,7 @@ device without having to bother about the decryption.")
     (source (origin
               (method url-fetch)
               (uri (string-append
-                    "http://dthompson.us/releases/srt2vtt/srt2vtt-"
+                    "https://files.dthompson.us/srt2vtt/srt2vtt-"
                     version ".tar.gz"))
               (sha256
                (base32
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index d06c55bd57..32d10dcf82 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -72,26 +72,14 @@
 (define-public qemu
   (package
     (name "qemu")
-    (version "2.9.0")
+    (version "2.10.0")
     (source (origin
              (method url-fetch)
-             (uri (string-append "http://wiki.qemu-project.org/download/qemu-"
+             (uri (string-append "https://download.qemu.org/qemu-"
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2017-7493.patch"
-                                      "qemu-CVE-2017-8112.patch"
-                                      "qemu-CVE-2017-8309.patch"
-                                      "qemu-CVE-2017-8379.patch"
-                                      "qemu-CVE-2017-8380.patch"
-                                      "qemu-CVE-2017-9524.patch"
-                                      "qemu-CVE-2017-10664.patch"
-                                      "qemu-CVE-2017-10806.patch"
-                                      "qemu-CVE-2017-10911.patch"
-                                      "qemu-CVE-2017-11334.patch"
-                                      "qemu-CVE-2017-11434.patch"
-                                      "qemu-CVE-2017-12809.patch"))
              (sha256
               (base32
-               "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
+               "0dgk7zcni41nf1jp84y0m6dk2nb4frnh571m8hkiv0m4hz4imn2m"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like:
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index 0489212197..a758f2920b 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
diff --git a/gnu/packages/web-browsers.scm b/gnu/packages/web-browsers.scm
index b5fb39b95a..8de0cf1d56 100644
--- a/gnu/packages/web-browsers.scm
+++ b/gnu/packages/web-browsers.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2014 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 64d6874001..ac65a85365 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2016 Bake Timmons <b3timmons@speedymail.org>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
-;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -157,6 +157,7 @@ and its related documentation.")
                (("/bin/sh") (which "sh")))
              #t))
          (replace 'configure
+           ;; The configure script is hand-written, not from GNU autotools.
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((flags
                     (list (string-append "--prefix=" (assoc-ref outputs "out"))
@@ -185,6 +186,12 @@ and its related documentation.")
                (format #t "environment variable `CC' set to `gcc'~%")
                (format #t "configure flags: ~s~%" flags)
                (zero? (apply system* "./configure" flags)))))
+         (add-after 'install 'install-man-page
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (man (string-append out "/share/man")))
+               (install-file "objs/nginx.8" (string-append man "/man8"))
+               #t)))
          (add-after 'install 'fix-root-dirs
            (lambda* (#:key outputs #:allow-other-keys)
              ;; 'make install' puts things in strange places, so we need to
@@ -546,7 +553,7 @@ parser written in ANSI C and a small validating JSON generator.")
               ;; things from Git.
               (method git-fetch)
               (uri (git-reference
-                    (url "git://git.libwebsockets.org/libwebsockets")
+                    (url "https://github.com/warmcat/libwebsockets.git")
                     (commit (string-append "v" version
                                            "-chrome37-firefox30"))))
               (sha256
@@ -2226,7 +2233,7 @@ in tables within an HTML document, either as text or encoded element trees.")
 (define-public perl-html-tree
   (package
     (name "perl-html-tree")
-    (version "5.06")
+    (version "5.07")
     (source
      (origin
        (method url-fetch)
@@ -2234,7 +2241,7 @@ in tables within an HTML document, either as text or encoded element trees.")
                            "HTML-Tree-" version ".tar.gz"))
        (sha256
         (base32
-         "0vjk4xrybjqs511qrh9cymhpbg9m3jjqr52qr035k6nzrccyndlw"))))
+         "1gyvm4qlwm9y6hczkpnrdfl303ggbybr0nqxdjw09hii8yw4sdzh"))))
     (build-system perl-build-system)
     (native-inputs
      `(("perl-module-build" ,perl-module-build)
@@ -3380,8 +3387,18 @@ web browsing, used for automating interaction with websites.")
                (base32
                 "1yxplx1q1qk2fvnzqrbk01lz26fy1lyhay51a3ky7q3jgh9p01rb"))))
     (build-system perl-build-system)
-    (arguments
-     `(#:tests? #f)) ; Tests require further modules to be packaged
+    (native-inputs
+     `(("perl-class-errorhandler" ,perl-class-errorhandler)
+       ("perl-datetime" ,perl-datetime)
+       ("perl-datetime-format-mail" ,perl-datetime-format-mail)
+       ("perl-datetime-format-w3cdtf" ,perl-datetime-format-w3cdtf)
+       ("perl-feed-find" ,perl-feed-find)
+       ("perl-module-install" ,perl-module-install)
+       ("perl-module-pluggable" ,perl-module-pluggable)
+       ("perl-uri-fetch" ,perl-uri-fetch)
+       ("perl-test-simple" ,perl-test-simple)
+       ("perl-xml-atom" ,perl-xml-atom)
+       ("perl-xml-rss" ,perl-xml-rss)))
     (inputs
      `(("perl-data-page" ,perl-data-page)
        ("perl-libwww" ,perl-libwww)
@@ -3498,13 +3515,13 @@ in systems and applications.")
 (define-public r-servr
   (package
     (name "r-servr")
-    (version "0.6")
+    (version "0.7")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "servr" version))
               (sha256
                (base32
-                "0sqz3wssxa19g9mpmf9s4gx2a5rvzl8nrd11qkgpz5v3iqsc6ysr"))))
+                "0rxh89csqlpyf9wv5wlymya9kbddj79mlmxz2x0xmls12gbrxaaa"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-httpuv" ,r-httpuv)
@@ -5045,3 +5062,46 @@ websites lacking feeds.  Supported websites include Facebook, Twitter,
 Instagram and YouTube.")
     (license (list l:public-domain
                    l:expat)))) ;; vendor/simplehtmldom/simple_html_dom.php
+
+(define-public linkchecker
+  (package
+    (name "linkchecker")
+    (version "9.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "LinkChecker" version))
+       (sha256
+        (base32
+         "0v8pavf0bx33xnz1kwflv0r7lxxwj7vg3syxhy2wzza0wh6sc2pf"))))
+    (build-system python-build-system)
+    (inputs
+     `(("python2-requests" ,python2-requests)))
+    (arguments
+     `(#:python ,python-2
+       #:phases
+       (modify-phases %standard-phases
+         ;; Remove faulty python-requests version check. This has been fixed
+         ;; upstream, and can be removed in version 9.4.
+         (add-after 'unpack 'remove-python-requests-version
+           (lambda _
+             (substitute* "linkcheck/__init__.py"
+               (("requests.__version__ <= '2.2.0'") "False"))
+             #t)))))
+    (home-page "https://linkcheck.github.io/linkchecker")
+    (synopsis "Check websites for broken links")
+    (description "LinkChecker is a website validator.  It checks for broken
+links in websites.  It is recursive and multithreaded providing output in
+colored or normal text, HTML, SQL, CSV, XML or as a sitemap graph.  It
+supports checking HTTP/1.1, HTTPS, FTP, mailto, news, nntp, telnet and local
+file links.")
+    (license (list l:gpl2+
+                   l:bsd-2 ; linkcheck/better_exchook2.py
+                   l:bsd-3 ; linkcheck/colorama.py
+                   l:psfl  ; linkcheck/gzip2.py
+                   l:expat ; linkcheck/mem.py
+                   ;; FIXME: Unbundle dnspython and miniboa
+                   ;; This issue has been raised upstream
+                   ;; https://github.com/wummel/linkchecker/issues/729
+                   l:isc   ; third_party/dnspython
+                   l:asl2.0)))) ; third_party/miniboa
diff --git a/gnu/packages/wine.scm b/gnu/packages/wine.scm
index 513b0eb999..a1637b9d78 100644
--- a/gnu/packages/wine.scm
+++ b/gnu/packages/wine.scm
@@ -55,14 +55,14 @@
 (define-public wine
   (package
     (name "wine")
-    (version "2.0.1")
+    (version "2.0.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dl.winehq.org/wine/source/2.0"
                                   "/wine-" version ".tar.xz"))
               (sha256
                (base32
-                "10qm0xxqzvl4y3mhvaxcaacrcs8d5kdz5wf0gbxpmp36wnm4xyvc"))))
+                "16iwf48cfi39aqyy8131jz4x7lr551c9yc0mnks7g24j77sq867p"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("gettext" ,gettext-minimal)
diff --git a/gnu/packages/wxwidgets.scm b/gnu/packages/wxwidgets.scm
index 5610a0f3b2..30a963728a 100644
--- a/gnu/packages/wxwidgets.scm
+++ b/gnu/packages/wxwidgets.scm
@@ -48,7 +48,7 @@
 (define-public wxwidgets
   (package
     (name "wxwidgets")
-    (version "3.0.2")
+    (version "3.0.3")
     (source
      (origin
        (method url-fetch)
@@ -56,9 +56,7 @@
                            "releases/download/v" version
                            "/wxWidgets-" version ".tar.bz2"))
        (sha256
-        (base32 "0paq27brw4lv8kspxh9iklpa415mxi8zc117vbbbhfjgapf7js1l"))
-       (patches (search-patches
-                 "wxwidgets-fix-windowGTK.patch"))))
+        (base32 "0yrhp5cs2g33cpbdwdzicmm5m4mfnlvxwv031x9266zc90zh7j08"))))
     (build-system glib-or-gtk-build-system)
     (inputs
      `(("glu" ,glu)
diff --git a/gnu/packages/xfce.scm b/gnu/packages/xfce.scm
index 35c425a89c..b936dc45d9 100644
--- a/gnu/packages/xfce.scm
+++ b/gnu/packages/xfce.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2016 Florian Paul Schmidt <mista.tapas@gmx.net>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Petter <petter@mykolab.ch>
 ;;;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 44fa48af8c..96553c97b2 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -16,6 +16,7 @@
 ;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -110,6 +111,7 @@ hierarchical form with variable field lengths.")
   (package
     (name "libxml2")
     (version "2.9.4")
+    (replacement libxml2/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
@@ -138,6 +140,20 @@ hierarchical form with variable field lengths.")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
+(define libxml2/fixed
+  (package
+    (inherit libxml2)
+    (source
+     (origin
+       (inherit (package-source libxml2))
+       (patches
+        (append (origin-patches (package-source libxml2))
+        (search-patches "libxml2-CVE-2017-0663.patch"
+                        "libxml2-CVE-2017-7375.patch"
+                        "libxml2-CVE-2017-7376.patch"
+                        "libxml2-CVE-2017-9047+CVE-2017-9048.patch"
+                        "libxml2-CVE-2017-9049+CVE-2017-9050.patch")))))))
+
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")
@@ -227,18 +243,29 @@ the @code{Graph} class and write it out in a specific file format.")
 (define-public perl-xml-atom
   (package
     (name "perl-xml-atom")
-    (version "0.41")
+    (version "0.42")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://cpan/authors/id/M/MI/MIYAGAWA/"
                                   "XML-Atom-" version ".tar.gz"))
               (sha256
                (base32
-                "17lnkb9ymrhk2z642bhj5i2bv3q1da3kpp2lvsl0yhqshk3wdjj8"))))
+                "1wa8kfy1w4mg7kzxim4whyprkn48a2il6fap0b947zywknw4c6y6"))))
     (build-system perl-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'set-perl-search-path
+           (lambda _
+             (setenv "PERL5LIB"
+                     (string-append (getcwd) ":"
+                                    (getenv "PERL5LIB")))
+             #t)))))
     (native-inputs
      `(("perl-datetime" ,perl-datetime)
        ;; TODO package: perl-datetime-format-atom
+       ("perl-html-tagset" ,perl-html-tagset)
+       ("perl-module-build-tiny" ,perl-module-build-tiny)
        ("perl-module-install" ,perl-module-install)
        ("perl-xml-xpath" ,perl-xml-xpath)))
     (inputs
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 2ae87a60b7..b72153894a 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -41,6 +41,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
@@ -1979,11 +1980,8 @@ server.")
         ("libxau" ,libxau)
         ("libx11" ,libx11)))
     (native-inputs
-      `(("pkg-config" ,pkg-config)))
-
-    ;; FIXME: The test suite needs http://liw.fi/cmdtest/
-    (arguments `(#:tests? #f))
-
+     `(("cmdtest" ,cmdtest)
+       ("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
     (synopsis "X authority file utility")
     (description
@@ -2749,7 +2747,8 @@ framebuffer device.")
        `(("libdrm" ,libdrm)
          ("mesa" ,mesa)
          ("udev" ,eudev)
-         ("xorg-server" ,xorg-server)))
+         ("xorg-server" ,xorg-server)
+         ("zlib" ,zlib)))
       (native-inputs
        `(("pkg-config" ,pkg-config)
          ("autoconf" ,autoconf)
@@ -5766,6 +5765,12 @@ programs that cannot use the window system directly.")
        #:parallel-build? #f
        #:phases
        (modify-phases %standard-phases
+         (add-before 'configure 'set-perl-search-path
+           (lambda _
+             (setenv "PERL5LIB"
+                     (string-append (getcwd) ":"
+                                    (getenv "PERL5LIB")))
+             #t))
          (add-before 'build 'patch-Makefile
            (lambda* (#:key inputs #:allow-other-keys)
              (substitute* "Makefile"