aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2017-10-05 00:45:38 +0200
committerMarius Bakke <mbakke@fastmail.com>2017-10-05 00:45:38 +0200
commit7716ccd59c0c17f9399d73abec05001b775d100b (patch)
tree17a3f8cc7201f9deed0b3de8d5d597b892aaede3 /gnu/packages/patches
parent86edcc53382c66be06165c62a3934d60ae7aabd8 (diff)
parenta35532f52df3ba3bc360346938aa90806cad493e (diff)
downloadgnu-guix-7716ccd59c0c17f9399d73abec05001b775d100b.tar
gnu-guix-7716ccd59c0c17f9399d73abec05001b775d100b.tar.gz
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/clisp-remove-failing-test.patch43
-rw-r--r--gnu/packages/patches/cube-nocheck.patch16
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch210
-rw-r--r--gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch34
-rw-r--r--gnu/packages/patches/openocd-nrf52.patch64
-rw-r--r--gnu/packages/patches/python-nose-timer-drop-ordereddict.patch44
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-13711.patch89
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-14167.patch69
-rw-r--r--gnu/packages/patches/xorg-server-CVE-2017-10971.patch153
-rw-r--r--gnu/packages/patches/xorg-server-CVE-2017-10972.patch35
10 files changed, 371 insertions, 386 deletions
diff --git a/gnu/packages/patches/clisp-remove-failing-test.patch b/gnu/packages/patches/clisp-remove-failing-test.patch
new file mode 100644
index 0000000000..e44ce80f74
--- /dev/null
+++ b/gnu/packages/patches/clisp-remove-failing-test.patch
@@ -0,0 +1,43 @@
+This test doesn't ever complete or timeout
+
+---
+ tests/socket.tst | 24 ------------------------
+ 1 file changed, 24 deletions(-)
+
+diff --git a/tests/socket.tst b/tests/socket.tst
+index 93c6310..1d976ff 100644
+--- a/tests/socket.tst
++++ b/tests/socket.tst
+@@ -551,30 +551,6 @@ T
+ interfaces))
+ ("0.0.0.0" "127.0.0.1" "0.0.0.0" "127.0.0.1")
+
+-(multiple-value-bind (run args) (cmd-args)
+- (let ((se (socket:socket-server)))
+- (ext:run-program run :arguments (append args (list "-q" "-q" "-x" (format nil "(close (socket:socket-connect ~D))" (socket:socket-server-port se))))
+- :wait nil :input nil :output nil)
+- (unwind-protect
+- (with-open-stream (so (socket:socket-accept se))
+- (list
+- (socket:socket-status so)
+- (write-line "foo" so)
+- (socket:socket-status so)
+- #+macos (handler-case (read-char so)
+- (end-of-file (c)
+- (princ 'read-char) (princ-error c) t))
+- #-macos (check-os-error (read-char so) (:ECONNRESET 104))
+- (null (member (socket:socket-status so) '(:EOF :APPEND)))
+- #+macos (string= (write-line "bar" so) "bar")
+- #-macos (check-os-error (write-line "bar" so) (:EPIPE 32))
+- (null (member (socket:socket-status so) '(:EOF :APPEND)))
+- (handler-case (read-char so)
+- (end-of-file (c)
+- (princ 'read-char) (princ-error c) 'end-of-file))))
+- (socket:socket-server-close se))))
+-(:OUTPUT "foo" :OUTPUT T NIL T NIL END-OF-FILE)
+-
+ ;; https://sourceforge.net/p/clisp/feature-requests/46/
+ (check-os-error (socket:socket-connect 0)
+ #-(or win32 macos) (:ECONNREFUSED 111)
+--
+
diff --git a/gnu/packages/patches/cube-nocheck.patch b/gnu/packages/patches/cube-nocheck.patch
new file mode 100644
index 0000000000..576044e622
--- /dev/null
+++ b/gnu/packages/patches/cube-nocheck.patch
@@ -0,0 +1,16 @@
+Unconditionally disable network check for new versions (from Fedora).
+
+diff -u /home/dlove/rpmbuild/BUILD/cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp\~ /home/dlove/rpmbuild/BUILD/cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp
+--- cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp~ 2016-04-03 00:05:37.942066948 +0100
++++ cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp 2016-05-06 17:16:31.648143908 +0100
+@@ -52,7 +52,8 @@
+ url = QUrl( UPDATE_CHECK_URL );
+ download = NULL;
+ update_Available = false;
+- bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) );
++ // bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) );
++ bool no_http = true;
+ if ( !no_http )
+ {
+ updateDescription = tr( "Check for update is not performed yet." );
+
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
new file mode 100644
index 0000000000..8e1166ba7a
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
@@ -0,0 +1,210 @@
+http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
+http://www.openwall.com/lists/oss-security/2017/09/22/2
+
+Some changes were made to make the patch apply.
+
+Notably, the DestroyJNG() function in the upstream diff has been replaced by
+its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
+and DestroyImage(). See
+http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1504014487 14400
+# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
+# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2
+Fix Issue 439
+
+diff -ru a/coders/png.c b/coders/png.c
+--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
++++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
+@@ -1176,15 +1176,15 @@
+ /* allocate space */
+ if (length == 0)
+ {
+- (void) ThrowException2(&image->exception,CoderWarning,
+- "invalid profile length",(char *) NULL);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "invalid profile length");
+ return (MagickFail);
+ }
+ info=MagickAllocateMemory(unsigned char *,length);
+ if (info == (unsigned char *) NULL)
+ {
+- (void) ThrowException2(&image->exception,CoderWarning,
+- "unable to copy profile",(char *) NULL);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "Unable to copy profile");
+ return (MagickFail);
+ }
+ /* copy profile, skipping white space and column 1 "=" signs */
+@@ -1197,8 +1197,8 @@
+ if (*sp == '\0')
+ {
+ MagickFreeMemory(info);
+- (void) ThrowException2(&image->exception,CoderWarning,
+- "ran out of profile data",(char *) NULL);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "ran out of profile data");
+ return (MagickFail);
+ }
+ sp++;
+@@ -1234,8 +1234,9 @@
+ if(SetImageProfile(image,profile_name,info,length) == MagickFail)
+ {
+ MagickFreeMemory(info);
+- (void) ThrowException(&image->exception,ResourceLimitError,
+- MemoryAllocationFailed,"unable to copy profile");
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "unable to copy profile");
++ return MagickFail;
+ }
+ MagickFreeMemory(info);
+ return MagickTrue;
+@@ -3285,7 +3286,6 @@
+ if (status == MagickFalse)
+ {
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+- DestroyImage(alpha_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image blob");
+ return ((Image *)NULL);
+@@ -3534,7 +3534,7 @@
+ CloseBlob(color_image);
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Reading jng_image from color_blob.");
++ " Reading jng_image from color_blob.");
+
+ FormatString(color_image_info->filename,"%.1024s",color_image->filename);
+
+@@ -3558,13 +3558,18 @@
+
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Copying jng_image pixels to main image.");
++ " Copying jng_image pixels to main image.");
+ image->rows=jng_height;
+ image->columns=jng_width;
+ length=image->columns*sizeof(PixelPacket);
++ if ((jng_height == 0 || jng_width == 0) && logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " jng_width=%lu jng_height=%lu",
++ (unsigned long)jng_width,(unsigned long)jng_height);
+ for (y=0; y < (long) image->rows; y++)
+ {
+- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
++ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
++ &image->exception);
+ q=SetImagePixels(image,0,y,image->columns,1);
+ (void) memcpy(q,s,length);
+ if (!SyncImagePixels(image))
+@@ -3589,45 +3594,79 @@
+ CloseBlob(alpha_image);
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Reading opacity from alpha_blob.");
++ " Reading opacity from alpha_blob.");
+
+ FormatString(alpha_image_info->filename,"%.1024s",
+ alpha_image->filename);
+
+ jng_image=ReadImage(alpha_image_info,exception);
+
+- for (y=0; y < (long) image->rows; y++)
++ if (jng_image == (Image *)NULL)
+ {
+- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+- &image->exception);
+- if (image->matte)
+- {
+- q=SetImagePixels(image,0,y,image->columns,1);
+- for (x=(long) image->columns; x > 0; x--,q++,s++)
+- q->opacity=(Quantum) MaxRGB-s->red;
+- }
+- else
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " jng_image is NULL.");
++ if (color_image_info)
++ DestroyImageInfo(color_image_info);
++ if (alpha_image_info)
++ DestroyImageInfo(alpha_image_info);
++ if (color_image)
++ DestroyImage(color_image);
++ if (alpha_image)
++ DestroyImage(alpha_image);
++ }
++ else
++ {
++
++ if (logging)
+ {
+- q=SetImagePixels(image,0,y,image->columns,1);
+- for (x=(long) image->columns; x > 0; x--,q++,s++)
+- {
+- q->opacity=(Quantum) MaxRGB-s->red;
+- if (q->opacity != OpaqueOpacity)
+- image->matte=MagickTrue;
+- }
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Read jng_image.");
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " jng_image->width=%lu, jng_image->height=%lu",
++ (unsigned long)jng_width,(unsigned long)jng_height);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " image->rows=%lu, image->columns=%lu",
++ (unsigned long)image->rows,
++ (unsigned long)image->columns);
+ }
+- if (!SyncImagePixels(image))
+- break;
+- }
+- (void) LiberateUniqueFileResource(alpha_image->filename);
+- DestroyImage(alpha_image);
+- alpha_image = (Image *)NULL;
+- DestroyImageInfo(alpha_image_info);
+- alpha_image_info = (ImageInfo *)NULL;
+- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Destroy the JNG image");
+- DestroyImage(jng_image);
+- jng_image = (Image *)NULL;
++
++ for (y=0; y < (long) image->rows; y++)
++ {
++ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
++ &image->exception);
++ if (image->matte)
++ {
++ q=SetImagePixels(image,0,y,image->columns,1);
++ for (x=(long) image->columns; x > 0; x--,q++,s++)
++ q->opacity=(Quantum) MaxRGB-s->red;
++ }
++ else
++ {
++ q=SetImagePixels(image,0,y,image->columns,1);
++ for (x=(long) image->columns; x > 0; x--,q++,s++)
++ {
++ q->opacity=(Quantum) MaxRGB-s->red;
++ if (q->opacity != OpaqueOpacity)
++ image->matte=MagickTrue;
++ }
++ }
++ if (!SyncImagePixels(image))
++ break;
++ }
++ (void) LiberateUniqueFileResource(alpha_image->filename);
++ if (color_image_info)
++ DestroyImageInfo(color_image_info);
++ if (alpha_image_info)
++ DestroyImageInfo(alpha_image_info);
++ if (color_image)
++ DestroyImage(color_image);
++ if (alpha_image)
++ DestroyImage(alpha_image);
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ " Destroy the JNG image");
++ DestroyImage(jng_image);
++ jng_image = (Image *)NULL;
++ }
+ }
+ }
diff --git a/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch b/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch
new file mode 100644
index 0000000000..9f8713e3d3
--- /dev/null
+++ b/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch
@@ -0,0 +1,34 @@
+From 354ef78aac0b887fae3c10b28eb2b0d83f66bdfe Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Mon, 2 Jan 2017 17:05:24 +0100
+Subject: [PATCH] Honor SOURCE_DATE_EPOCH
+
+---
+ Makefile.in | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index a32b4b8..ef4c174 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -113,11 +113,16 @@ graph.cmx: $(CMI) $(CMX)
+ $(OCAMLOPT) $(INCLUDES) -pack -o $@ $^
+
+ VERSION=1.8.7
++ifdef SOURCE_DATE_EPOCH
++BUILD_DATE=$(shell date -u -d "@$(SOURCE_DATE_EPOCH)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" 2>/dev/null || date)
++else
++BUILD_DATE=$(shell date)
++endif
+
+ src/version.ml: Makefile
+ rm -f $@
+ echo "let version = \""$(VERSION)"\"" > $@
+- echo "let date = \""`date`"\"" >> $@
++ echo "let date = \""$(BUILD_DATE)"\"" >> $@
+
+ # gtk2 graph editor
+ ###################
+--
+2.11.0
+
diff --git a/gnu/packages/patches/openocd-nrf52.patch b/gnu/packages/patches/openocd-nrf52.patch
index 792575df78..0ec4348cb4 100644
--- a/gnu/packages/patches/openocd-nrf52.patch
+++ b/gnu/packages/patches/openocd-nrf52.patch
@@ -21,19 +21,19 @@ Signed-off-by: Michael Dietz <mjdietzx@gmail.com>
---
diff --git a/src/flash/nor/Makefile.am b/src/flash/nor/Makefile.am
-index c167e8f..b6a2be3 100644
+index 727e4f2..839667c 100644
--- a/src/flash/nor/Makefile.am
+++ b/src/flash/nor/Makefile.am
-@@ -37,6 +37,7 @@ NOR_DRIVERS = \
- niietcm4.c \
- non_cfi.c \
- nrf51.c \
-+ nrf52.c \
- numicro.c \
- ocl.c \
- pic32mx.c \
+@@ -36,6 +36,7 @@ NOR_DRIVERS = \
+ %D%/niietcm4.c \
+ %D%/non_cfi.c \
+ %D%/nrf51.c \
++ %D%/nrf52.c \
+ %D%/numicro.c \
+ %D%/ocl.c \
+ %D%/pic32mx.c \
diff --git a/src/flash/nor/drivers.c b/src/flash/nor/drivers.c
-index 56a5cb2..3e071bd 100644
+index 56a5cb2..071273e 100644
--- a/src/flash/nor/drivers.c
+++ b/src/flash/nor/drivers.c
@@ -48,6 +48,7 @@ extern struct flash_driver mdr_flash;
@@ -48,7 +48,7 @@ index 56a5cb2..3e071bd 100644
&mrvlqspi_flash,
&niietcm4_flash,
&nrf51_flash,
-+ &nrf52_flash,
++ &nrf52_flash,
&numicro_flash,
&ocl_flash,
&pic32mx_flash,
@@ -792,47 +792,31 @@ index 0000000..7f2bd35
+ .protect_check = nrf52_protect_check,
+};
diff --git a/tcl/target/nrf52.cfg b/tcl/target/nrf52.cfg
-index c1cbf1a..a2567ff 100644
+index c1cbf1a..41a22ff 100644
--- a/tcl/target/nrf52.cfg
+++ b/tcl/target/nrf52.cfg
-@@ -5,15 +5,22 @@
- source [find target/swj-dp.tcl]
+@@ -10,6 +10,13 @@ if { [info exists CHIPNAME] } {
+ set _CHIPNAME nrf52
+ }
- if { [info exists CHIPNAME] } {
-- set _CHIPNAME $CHIPNAME
-+ set _CHIPNAME $CHIPNAME
- } else {
-- set _CHIPNAME nrf52
-+ set _CHIPNAME nrf52
-+}
-+
+# Work-area is a space in RAM used for flash programming, by default use 16kB.
+if { [info exists WORKAREASIZE] } {
-+ set _WORKAREASIZE $WORKAREASIZE
++ set _WORKAREASIZE $WORKAREASIZE
+} else {
-+ set _WORKAREASIZE 0x4000
- }
-
++ set _WORKAREASIZE 0x4000
++}
++
if { [info exists CPUTAPID] } {
-- set _CPUTAPID $CPUTAPID
-+ set _CPUTAPID $CPUTAPID
+ set _CPUTAPID $CPUTAPID
} else {
-- set _CPUTAPID 0x2ba01477
-+ set _CPUTAPID 0x2ba01477
- }
-
- swj_newdap $_CHIPNAME cpu -expected-id $_CPUTAPID
-@@ -21,8 +28,15 @@ swj_newdap $_CHIPNAME cpu -expected-id $_CPUTAPID
- set _TARGETNAME $_CHIPNAME.cpu
+@@ -22,7 +29,15 @@ set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME cortex_m -chain-position $_TARGETNAME
--adapter_khz 10000
+ adapter_khz 10000
+$_TARGETNAME configure -work-area-phys 0x20000000 -work-area-size $_WORKAREASIZE -work-area-backup 0
--if { ![using_hla] } {
-- cortex_m reset_config sysresetreq
-+if {![using_hla]} {
-+ cortex_m reset_config sysresetreq
+ if { ![using_hla] } {
+ cortex_m reset_config sysresetreq
}
+
+flash bank $_CHIPNAME.flash nrf52 0x00000000 0 1 1 $_TARGETNAME
diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
new file mode 100644
index 0000000000..e1e71a332a
--- /dev/null
+++ b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
@@ -0,0 +1,44 @@
+From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001
+From: jakirkham <jakirkham@gmail.com>
+Date: Fri, 7 Jul 2017 05:57:56 -0400
+Subject: [PATCH] Drop ordereddict requirement (#84)
+
+* Drop ordereddict requirement
+
+As Python 2.7 is the minimum Python supported, every version of Python
+should have `ordereddict` preincluded in the standard library one way or
+another. So we can drop this dependency and just handle the differences
+between Python 2 and Python 3.
+---
+ nosetimer/plugin.py | 5 +----
+ setup.py | 1 -
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py
+index ef28e11..d093a51 100644
+--- a/nosetimer/plugin.py
++++ b/nosetimer/plugin.py
+@@ -12,10 +12,7 @@
+ except ImportError:
+ import queue as Queue
+
+-try:
+- from collections import OrderedDict
+-except ImportError:
+- from ordereddict import OrderedDict
++from collections import OrderedDict
+
+
+ # define constants
+diff --git a/setup.py b/setup.py
+index 6a55b82..d249325 100755
+--- a/setup.py
++++ b/setup.py
+@@ -27,7 +27,6 @@
+ install_requires=[
+ 'nose',
+ 'termcolor',
+- 'ordereddict',
+ ],
+ license='MIT',
+ entry_points={
diff --git a/gnu/packages/patches/qemu-CVE-2017-13711.patch b/gnu/packages/patches/qemu-CVE-2017-13711.patch
deleted file mode 100644
index 4070115419..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-13711.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Fix CVE-2017-13711:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384
-
-From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Fri, 25 Aug 2017 01:35:53 +0200
-Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The if_fastq and if_batchq contain not only packets, but queues of packets
-for the same socket. When sofree frees a socket, it thus has to clear ifq_so
-from all the packets from the queues, not only the first.
-
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- slirp/socket.c | 39 +++++++++++++++++++++++----------------
- 1 file changed, 23 insertions(+), 16 deletions(-)
-
-diff --git a/slirp/socket.c b/slirp/socket.c
-index ecec0295a9..cb7b5b608d 100644
---- a/slirp/socket.c
-+++ b/slirp/socket.c
-@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
- return(so);
- }
-
-+/*
-+ * Remove references to so from the given message queue.
-+ */
-+static void
-+soqfree(struct socket *so, struct quehead *qh)
-+{
-+ struct mbuf *ifq;
-+
-+ for (ifq = (struct mbuf *) qh->qh_link;
-+ (struct quehead *) ifq != qh;
-+ ifq = ifq->ifq_next) {
-+ if (ifq->ifq_so == so) {
-+ struct mbuf *ifm;
-+ ifq->ifq_so = NULL;
-+ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
-+ ifm->ifq_so = NULL;
-+ }
-+ }
-+ }
-+}
-+
- /*
- * remque and free a socket, clobber cache
- */
-@@ -66,23 +87,9 @@ void
- sofree(struct socket *so)
- {
- Slirp *slirp = so->slirp;
-- struct mbuf *ifm;
-
-- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
-- (struct quehead *) ifm != &slirp->if_fastq;
-- ifm = ifm->ifq_next) {
-- if (ifm->ifq_so == so) {
-- ifm->ifq_so = NULL;
-- }
-- }
--
-- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
-- (struct quehead *) ifm != &slirp->if_batchq;
-- ifm = ifm->ifq_next) {
-- if (ifm->ifq_so == so) {
-- ifm->ifq_so = NULL;
-- }
-- }
-+ soqfree(so, &slirp->if_fastq);
-+ soqfree(so, &slirp->if_batchq);
-
- if (so->so_emu==EMU_RSH && so->extra) {
- sofree(so->extra);
---
-2.14.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-14167.patch b/gnu/packages/patches/qemu-CVE-2017-14167.patch
deleted file mode 100644
index a6007ac082..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-14167.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Fix CVE-2017-14167:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167
-http://seclists.org/oss-sec/2017/q3/407
-
-Patch copied from upstream development mailing list:
-
-https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
-
-From: Prasad J Pandit <address@hidden>
-
-While loading kernel via multiboot-v1 image, (flags & 0x00010000)
-indicates that multiboot header contains valid addresses to load
-the kernel image. These addresses are used to compute kernel
-size and kernel text offset in the OS image. Validate these
-address values to avoid an OOB access issue.
-
-This is CVE-2017-14167.
-
-Reported-by: Thomas Garnier <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/i386/multiboot.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-Update: add CVE-ID to the commit message.
-
-diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
-index 6001f4caa2..c7b70c91d5 100644
---- a/hw/i386/multiboot.c
-+++ b/hw/i386/multiboot.c
-@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
- uint32_t mh_header_addr = ldl_p(header+i+12);
- uint32_t mh_load_end_addr = ldl_p(header+i+20);
- uint32_t mh_bss_end_addr = ldl_p(header+i+24);
-+
- mh_load_addr = ldl_p(header+i+16);
-+ if (mh_header_addr < mh_load_addr) {
-+ fprintf(stderr, "invalid mh_load_addr address\n");
-+ exit(1);
-+ }
-+
- uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
- uint32_t mb_load_size = 0;
- mh_entry_addr = ldl_p(header+i+28);
-
- if (mh_load_end_addr) {
-+ if (mh_bss_end_addr < mh_load_addr) {
-+ fprintf(stderr, "invalid mh_bss_end_addr address\n");
-+ exit(1);
-+ }
- mb_kernel_size = mh_bss_end_addr - mh_load_addr;
-+
-+ if (mh_load_end_addr < mh_load_addr) {
-+ fprintf(stderr, "invalid mh_load_end_addr address\n");
-+ exit(1);
-+ }
- mb_load_size = mh_load_end_addr - mh_load_addr;
- } else {
-+ if (kernel_file_size < mb_kernel_text_offset) {
-+ fprintf(stderr, "invalid kernel_file_size\n");
-+ exit(1);
-+ }
- mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
- mb_load_size = mb_kernel_size;
- }
---
-2.13.5
-
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch
deleted file mode 100644
index 2696033e58..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:40 +0300
-Subject: dix: Disallow GenericEvent in SendEvent request.
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/dix/events.c b/dix/events.c
-index 3e3a01e..d3a33ea 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
- client->errorValue = stuff->event.u.u.type;
- return BadValue;
- }
-+ /* Generic events can have variable size, but SendEvent request holds
-+ exactly 32B of event data. */
-+ if (stuff->event.u.u.type == GenericEvent) {
-+ client->errorValue = stuff->event.u.u.type;
-+ return BadValue;
-+ }
- if (stuff->event.u.u.type == ClientMessage &&
- stuff->event.u.u.detail != 8 &&
- stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b8..6785059 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
- swapl(&stuff->destination);
- swapl(&stuff->eventMask);
-
-+ /* Generic events can have variable size, but SendEvent request holds
-+ exactly 32B of event data. */
-+ if (stuff->event.u.u.type == GenericEvent) {
-+ client->errorValue = stuff->event.u.u.type;
-+ return BadValue;
-+ }
-+
- /* Swap event */
- proc = EventSwapVector[stuff->event.u.u.type & 0177];
- if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
---
-cgit v0.10.2
-
-From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:41 +0300
-Subject: Xi: Verify all events in ProcXSendExtensionEvent.
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118a..5e63bfc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
-- int ret;
-+ int ret, i;
- DeviceIntPtr dev;
- xEvent *first;
- XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
- /* The client's event type must be one defined by an extension. */
-
- first = ((xEvent *) &stuff[1]);
-- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
-- (first->u.u.type < lastEvent))) {
-- client->errorValue = first->u.u.type;
-- return BadValue;
-+ for (i = 0; i < stuff->num_events; i++) {
-+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+ (first[i].u.u.type < lastEvent))) {
-+ client->errorValue = first[i].u.u.type;
-+ return BadValue;
-+ }
- }
-
- list = (XEventClass *) (first + stuff->num_events);
---
-cgit v0.10.2
-
-From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:42 +0300
-Subject: Xi: Do not try to swap GenericEvent.
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfc..5c2e0fc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
-
- eventP = (xEvent *) &stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
-+ if (eventP->u.u.type == GenericEvent) {
-+ client->errorValue = eventP->u.u.type;
-+ return BadValue;
-+ }
-+
- proc = EventSwapVector[eventP->u.u.type & 0177];
-- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
-+ /* no swapping proc; invalid event type? */
-+ if (proc == NotImplemented) {
-+ client->errorValue = eventP->u.u.type;
- return BadValue;
-+ }
- (*proc) (eventP, &eventT);
- *eventP = eventT;
- }
---
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
deleted file mode 100644
index f24e9c0ae6..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:39 +0300
-Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
-
-Make sure that the xEvent eventT is initialized with zeros, the same way as
-in SProcSendEvent.
-
-Some event swapping functions do not overwrite all 32 bytes of xEvent
-structure, for example XSecurityAuthorizationRevoked. Two cooperating
-clients, one swapped and the other not, can send
-XSecurityAuthorizationRevoked event to each other to retrieve old stack data
-from X server. This can be potentialy misused to go around ASLR or
-stack-protector.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 11d8202..1cf118a 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- {
- CARD32 *p;
- int i;
-- xEvent eventT;
-+ xEvent eventT = { .u.u.type = 0 };
- xEvent *eventP;
- EventSwapPtr proc;
-
---
-cgit v0.10.2
-