| -rw-r--r-- | LICENSES/CC0-1.0.txt | 121 | ||||
| -rw-r--r-- | LICENSES/GPL-3.0-or-later.txt (renamed from COPYING) | 0 | ||||
| -rw-r--r-- | README.md | 32 | ||||
| -rw-r--r-- | REUSE.toml | 49 | ||||
| -rw-r--r-- | bugs/cve/2013/7437/1.bmp | bin | 0 -> 74714 bytes | |||
| -rw-r--r-- | bugs/cve/2013/7437/2.bmp | bin | 0 -> 74714 bytes | |||
| -rw-r--r-- | bugs/cve/2016/9557/signed-int-overflow.jp2 (renamed from bugs/cve-2016-9557/reproducer) | bin | 444 -> 444 bytes | |||
| -rw-r--r-- | bugs/cve/2017/14745/crash_1 (renamed from bugs/cve-2017-14745/crash_1) | bin | 15461 -> 15461 bytes | |||
| -rw-r--r-- | bugs/cve/2017/15025/3899.crashes.bin (renamed from bugs/cve-2017-15025/3899.crashes.bin) | bin | 31248 -> 31248 bytes | |||
| -rw-r--r-- | bugs/cve/2017/15025/floatexception.elf | bin | 0 -> 64322 bytes | |||
| -rw-r--r-- | bugs/cve/2017/15232/1.jpg (renamed from bugs/cve-2017-15232/1.jpg) | bin | 5766 -> 5766 bytes | |||
| -rw-r--r-- | bugs/cve/2017/15232/2.jpg (renamed from bugs/cve-2017-15232/2.jpg) | bin | 5520 -> 5520 bytes | |||
| -rw-r--r-- | bugs/cve/2017/5969/crash-libxml2-recover.xml | 27 | ||||
| -rw-r--r-- | loftix/bugs.scm | 28 | ||||
| -rw-r--r-- | loftix/fuzzing.scm | 17 | ||||
| -rw-r--r-- | loftix/patching.scm | 17 | ||||
| -rw-r--r-- | loftix/synthesis.scm | 17 |
17 files changed, 232 insertions, 76 deletions
diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt
new file mode 100644
index 0000000..0e259d4
--- /dev/null
+++ b/LICENSES/CC0-1.0.txt
@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+ LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+ ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+ INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+ REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+ PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+ THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+ HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+ i. the right to reproduce, adapt, distribute, perform, display,
+ communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+ likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+ subject to the limitations in paragraph 4(a), below;
+ v. rights protecting the extraction, dissemination, use and reuse of data
+ in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+ European Parliament and of the Council of 11 March 1996 on the legal
+ protection of databases, and under any national implementation
+ thereof, including any amended or successor version of such
+ directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+ world based on applicable law or treaty, and any national
+ implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+ surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+ warranties of any kind concerning the Work, express, implied,
+ statutory or otherwise, including without limitation warranties of
+ title, merchantability, fitness for a particular purpose, non
+ infringement, or the absence of latent or other defects, accuracy, or
+ the present or absence of errors, whether or not discoverable, all to
+ the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+ that may apply to the Work or any use thereof, including without
+ limitation any person's Copyright and Related Rights in the Work.
+ Further, Affirmer disclaims responsibility for obtaining any necessary
+ consents, permissions or other rights required for any use of the
+ Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+ party to this document and has no duty or obligation with respect to
+ this CC0 or use of the Work.
diff --git a/COPYING b/LICENSES/GPL-3.0-or-later.txt
index 94a9ed0..94a9ed0 100644
--- a/COPYING
+++ b/LICENSES/GPL-3.0-or-later.txt
diff --git a/README.md b/README.md
index 44e5f04..316e633 100644
--- a/README.md
+++ b/README.md
@@ -42,45 +42,49 @@ Then run `guix pull`. [potrace: possible heap overflow][redhat-955808] - guix shell potrace@1.11 -- potrace bugs/cve-2013-7437/1.bmp - guix shell potrace@1.11 -- potrace bugs/cve-2013-7437/2.bmp - guix shell potrace@1.11 -- potrace bugs/cve-2013-7437/3.bmp + guix shell potrace@1.11 + potrace bugs/cve/2013/7437/1.bmp + potrace bugs/cve/2013/7437/2.bmp ### CVE-2016-9557 [JasPer: signed integer overflow][jasper-d42b238] - guix shell jasper@1.900.19 -- imginfo -f bugs/cve-2016-9557/reproducer + guix shell jasper@1.900.19 + imginfo -f bugs/cve/2016/9557/signed-int-overflow.jp2 ### CVE-2017-5969 [libxml2: null pointer derefence][oss-sec-20161105-3] - guix shell libxml2@2.9.4 --\ - xmllint --recover bugs/cve-2017-5969/reproducer.xml + guix shell libxml2@2.9.4 + xmllint --recover bugs/cve/2017/5969/crash-libxml2-recover.xml ### CVE-2017-14745 [binutils: integer overflow][sourceware-22148] - guix shell binutils@2.29 -- objdump -d bugs/cve-2017-14745/crash_1 + guix shell binutils@2.29 + objdump -d bugs/cve/2017/14745/crash_1 ### CVE-2017-15025 [binutils: divide-by-zero][sourceware-22186] - guix shell binutils@2.29 -- nm -l bugs/cve-2017-15025/3899.crashes.bin + guix shell binutils@2.29 + nm -l bugs/cve/2017/15025/3899.crashes.bin + nm -l bugs/cve/2017/15025/floatexception.elf + objdump -S bugs/cve/2017/15025/floatexception.elf ### CVE-2017-15232 [libjpeg-turbo: NULL pointer dereference][mozjpeg-268] - guix shell libjpeg-turbo@1.5.2 --\ - djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\ - -targa -grayscale -outfile o bugs/cve-2017-15232/1.jpg - guix shell libjpeg-turbo@1.5.2 --\ - djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\ - -targa -grayscale -outfile o bugs/cve-2017-15232/2.jpg + guix shell libjpeg-turbo@1.5.2 + djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\ + -targa -grayscale -outfile o bugs/cve/2017/15232/1.jpg + djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 
8\ + -targa -grayscale -outfile o bugs/cve/2017/15232/2.jpg [Guix channel]: https://guix.gnu.org/manual/devel/en/html_node/Channels.html [AFLRun]: https://trong.loang.net/~cnx/afl++/log?h=run diff --git a/REUSE.toml b/REUSE.toml new file mode 100644 index 0000000..221088c --- /dev/null +++ b/REUSE.toml @@ -0,0 +1,49 @@ +version = 1 + +[[annotations]] +path = '.guix-*' +SPDX-FileCopyrightText = 'None' +SPDX-License-Identifier = 'CC0-1.0' + +[[annotations]] +path = 'bugs/cve/2013/7437/1.bmp' +SPDX-FileCopyrightText = '2013 Murray McAllister' + +[[annotations]] +path = 'bugs/cve/2013/7437/2.bmp' +SPDX-FileCopyrightText = '2013 Stefan Cornelius' + +[[annotations]] +path = 'bugs/cve/2016/9557/signed-int-overflow.jp2' +SPDX-FileCopyrightText = '2016 Agostino Sarubbo' + +[[annotations]] +path = 'bugs/cve/2017/5969/crash-libxml2-recover.xml' +SPDX-FileCopyrightText = '2016 Gustavo Grieco' +SPDX-License-Identifier = 'CC0-1.0' + +[[annotations]] +path = 'bugs/cve/2017/14745/crash_1' +SPDX-FileCopyrightText = '2017 Junchao Luan' + +[[annotations]] +path = 'bugs/cve/2017/15025/3899.crashes.bin' +SPDX-FileCopyrightText = '2017 Agostino Sarubbo' + +[[annotations]] +path = 'bugs/cve/2017/15025/floatexception.elf' +SPDX-FileCopyrightText = '2017 Junchao Luan' + +[[annotations]] +path = 'bugs/cve/2017/15232/*.jpg' +SPDX-FileCopyrightText = '2017 Zhao Liang' + +[[annotations]] +path = 'patches/*.patch' +SPDX-FileCopyrightText = '2024 Nguyá»…n Gia Phong' +SPDX-License-Identifier = 'GPL-3.0-or-later' + +[[annotations]] +path = 'README.md' +SPDX-FileCopyrightText = 'None' +SPDX-License-Identifier = 'CC0-1.0' diff --git a/bugs/cve/2013/7437/1.bmp b/bugs/cve/2013/7437/1.bmp new file mode 100644 index 0000000..ae46ede --- /dev/null +++ b/bugs/cve/2013/7437/1.bmp Binary files differdiff --git a/bugs/cve/2013/7437/2.bmp b/bugs/cve/2013/7437/2.bmp new file mode 100644 index 0000000..9346749 --- /dev/null 
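Review bot: Most of the reproducer annotations in REUSE.toml (the `bugs/cve/2013/7437/*.bmp`, `2016/9557`, `2017/14745`, `2017/15025` and `2017/15232` entries) set only `SPDX-FileCopyrightText` and no `SPDX-License-Identifier`, so these third-party binary inputs are redistributed without a stated licence; only the libxml2 XML file, `patches/*.patch`, `.guix-*` and `README.md` carry one. Unless something outside this diff supplies the licence, a REUSE lint run will presumably report those files as lacking licensing information. If the upstream terms are simply unknown, record that next to each entry, e.g. `# Licence not stated by the reporter; origin is the bug report linked in README.md`, so the provenance of every crash input stays traceable.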
+++ b/bugs/cve/2013/7437/2.bmp
Binary files differ
diff --git a/bugs/cve-2016-9557/reproducer b/bugs/cve/2016/9557/signed-int-overflow.jp2
index db0b961..db0b961 100644
--- a/bugs/cve-2016-9557/reproducer
+++ b/bugs/cve/2016/9557/signed-int-overflow.jp2
Binary files differ
diff --git a/bugs/cve-2017-14745/crash_1 b/bugs/cve/2017/14745/crash_1
index 7a88735..7a88735 100644
--- a/bugs/cve-2017-14745/crash_1
+++ b/bugs/cve/2017/14745/crash_1
Binary files differ
diff --git a/bugs/cve-2017-15025/3899.crashes.bin b/bugs/cve/2017/15025/3899.crashes.bin
index 1feda50..1feda50 100644
--- a/bugs/cve-2017-15025/3899.crashes.bin
+++ b/bugs/cve/2017/15025/3899.crashes.bin
Binary files differ
diff --git a/bugs/cve/2017/15025/floatexception.elf b/bugs/cve/2017/15025/floatexception.elf
new file mode 100644
index 0000000..8d0112a
--- /dev/null
+++ b/bugs/cve/2017/15025/floatexception.elf
Binary files differ
diff --git a/bugs/cve-2017-15232/1.jpg b/bugs/cve/2017/15232/1.jpg
index b04eae5..b04eae5 100644
--- a/bugs/cve-2017-15232/1.jpg
+++ b/bugs/cve/2017/15232/1.jpg
Binary files differ
diff --git a/bugs/cve-2017-15232/2.jpg b/bugs/cve/2017/15232/2.jpg
index 8ec86d7..8ec86d7 100644
--- a/bugs/cve-2017-15232/2.jpg
+++ b/bugs/cve/2017/15232/2.jpg
Binary files differ
diff --git a/bugs/cve/2017/5969/crash-libxml2-recover.xml b/bugs/cve/2017/5969/crash-libxml2-recover.xml
new file mode 100644
index 0000000..40ed2ac
--- /dev/null
+++ b/bugs/cve/2017/5969/crash-libxml2-recover.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+<!DOCTYPE root [
+ <!ELEMENT root (a,b)>
+ <!ELEMENT a EMPTY>
+ <!ELEMENT b (#PCDATA|c)* >
+ <!ELEMENT c ANY>
+ <!ELEMENT d ANY>
+ <!ELEMENT e ANY>
+ <!ELEMENT f ANY>
+ <!--* test all pble children,cp,choice,seq patterns in P47,P48,P49,P-->
+ <!ELEMENT child0 (a)>
+ <!ELEMENT child1 (a|b|c)>
+ <!ELEMENT child2 (a ,b,b?,a*,c,c,a,a,b+,c ) >
+ <!ELEMENT child3 (a+|b)? >
+ <!ELEMENT child4 (a, (b|cp+, (a|d)?, (e|f)* )?>
+ <!ELEMENT child5 ( (a,b) | c? | ((d|e),b,c) )* >
+ <!ELEMENT child5_1 ( (a¥b)* | (c,b)? | (d,a)+ | ((e|f),b,c) )* >
+ <!ELEMENT child6 (a,b,c)*>
+ <!ELEMENT child7 ((a,b)|c*|((d|e),b,c) )+ >
+ <!ELEMENT child8 ( a, (bb), b)+>
+]>
+<root><a/><b>
+ <c></c >
+ content of b element
+</b></root>
+<!--* test: tests P47,P48,P49,P50*-->
+
diff --git a/loftix/bugs.scm b/loftix/bugs.scm
index ee61288..57f484a 100644
--- a/loftix/bugs.scm
+++ b/loftix/bugs.scm
@@ -1,20 +1,14 @@ ;;; Packages with bugs -;;; Copyright © 2024 Nguyá»…n Gia Phong ;;; -;;; This file is part of Loftix. -;;; -;;; Loftix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; Loftix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with Loftix. If not, see <http://www.gnu.org/licenses/>. +;;; SPDX-FileCopyrightText: 2012, 2014-2015 Ludovic Courtès +;;; SPDX-FileCopyrightText: 2013 Andreas Enge +;;; SPDX-FileCopyrightText: 2014 Eric Bavier +;;; SPDX-FileCopyrightText: 2015 David Thompson +;;; SPDX-FileCopyrightText: 2016 Efraim Flashner +;;; SPDX-FileCopyrightText: 2016 Tobias Geerinckx-Rice +;;; SPDX-FileCopyrightText: 2017, 2019 Marius Bakke +;;; SPDX-FileCopyrightText: 2024-2025 Nguyá»…n Gia Phong +;;; SPDX-License-Identifier: GPL-3.0-or-later (define-module (loftix bugs) #:use-module (gnu packages base) @@ -59,8 +53,8 @@ (version "1.5.2") (source (origin (method url-fetch) - (uri (string-append "mirror://sourceforge/" name "/" version "/" - name "-" version ".tar.gz")) + (uri (string-append "mirror://sourceforge/libjpeg-turbo/" + version "/libjpeg-turbo-" version ".tar.gz")) (sha256 (base32 "0a5m0psfp5952y5vrcs0nbdz1y9wqzg2ms0xwrx752034wxr964h")))) diff --git a/loftix/fuzzing.scm b/loftix/fuzzing.scm index 6979827..c06d118 100644 --- a/loftix/fuzzing.scm +++ b/loftix/fuzzing.scm 
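Review bot: The `uri` form in the second hunk of loftix/bugs.scm now spells `libjpeg-turbo` out twice instead of interpolating `name`, and nothing in the visible lines says why. Presumably the package's `name` field differs, or may come to differ, from the upstream project name, which would have produced a wrong download path. A one-line comment above the form, e.g. `;; Upstream download path is fixed; do not derive it from the package's name field.`, would keep a later cleanup from re-introducing `name`. The `sha256` below still pins the tarball contents, so the edit changes where the source is fetched from, not what is accepted. The package definition starts and ends outside the hunk.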
@@ -1,20 +1,7 @@ ;;; Packages for software fuzzing -;;; Copyright © 2024 Nguyá»…n Gia Phong ;;; -;;; This file is part of Loftix. -;;; -;;; Loftix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; Loftix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with Loftix. If not, see <http://www.gnu.org/licenses/>. +;;; SPDX-FileCopyrightText: 2024 Nguyá»…n Gia Phong +;;; SPDX-License-Identifier: GPL-3.0-or-later (define-module (loftix fuzzing) #:use-module (gnu packages) diff --git a/loftix/patching.scm b/loftix/patching.scm index ba46c82..e665fb8 100644 --- a/loftix/patching.scm +++ b/loftix/patching.scm 
@@ -1,20 +1,7 @@ ;;; Packages for software patching -;;; Copyright © 2024 Nguyá»…n Gia Phong ;;; -;;; This file is part of Loftix. -;;; -;;; Loftix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; Loftix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with Loftix. If not, see <http://www.gnu.org/licenses/>. +;;; SPDX-FileCopyrightText: 2024 Nguyá»…n Gia Phong +;;; SPDX-License-Identifier: GPL-3.0-or-later (define-module (loftix patching) #:use-module (gnu packages) diff --git a/loftix/synthesis.scm b/loftix/synthesis.scm index 6912372..592d48c 100644 --- a/loftix/synthesis.scm +++ b/loftix/synthesis.scm 
@@ -1,20 +1,7 @@ ;;; Packages for software systhesis -;;; Copyright © 2024 Nguyá»…n Gia Phong ;;; -;;; This file is part of Loftix. -;;; -;;; Loftix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; Loftix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with Loftix. If not, see <http://www.gnu.org/licenses/>. +;;; SPDX-FileCopyrightText: 2024-2025 Nguyá»…n Gia Phong +;;; SPDX-License-Identifier: GPL-3.0-or-later (define-module (loftix synthesis) #:use-module (gnu packages debug) |
