aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2018-06-18 15:29:38 +0200
committerMarius Bakke <mbakke@fastmail.com>2018-06-18 15:29:38 +0200
commit6969c4de445a390eaa05de22bc5a537a76a76169 (patch)
tree9df3bdde497fdce705ae4eb66972f93a9ae111d9 /gnu/packages/patches
parent73d18915b597f2a386d6ae42930b49a13c8813b0 (diff)
parent32eb44240db23b2320a68a3ab17370531945587f (diff)
downloadgnu-guix-6969c4de445a390eaa05de22bc5a537a76a76169.tar
gnu-guix-6969c4de445a390eaa05de22bc5a537a76a76169.tar.gz
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/bind-CVE-2018-5738.patch100
-rw-r--r--gnu/packages/patches/binutils-aarch64-symbol-relocation.patch36
-rw-r--r--gnu/packages/patches/elixir-disable-failing-tests.patch284
-rw-r--r--gnu/packages/patches/flann-cmake-3.11.patch84
-rw-r--r--gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch50
-rw-r--r--gnu/packages/patches/password-store-gnupg-compat.patch28
-rw-r--r--gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch36
-rw-r--r--gnu/packages/patches/python-nose-timer-drop-ordereddict.patch44
-rw-r--r--gnu/packages/patches/strace-kernel-4.16.patch92
-rw-r--r--gnu/packages/patches/upx-fix-CVE-2017-15056.patch96
10 files changed, 352 insertions, 498 deletions
diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
new file mode 100644
index 0000000000..ddef014651
--- /dev/null
+++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
@@ -0,0 +1,100 @@
+Fix CVE-2018-5738:
+
+https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f63554e..847c4ff 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ CHECKM(named_config_getport(config, &port), "port");
+ dns_view_setdstport(view, port);
+
+- CHECK(configure_view_acl(vconfig, config, named_g_config,
+- "allow-query", NULL, actx,
+- named_g_mctx, &view->queryacl));
+-
+ /*
+ * Make the list of response policy zone names for a view that
+ * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ "allow-query-cache-on", NULL, actx,
+ named_g_mctx, &view->cacheonacl));
+ /*
+- * Set "allow-query-cache", "allow-recursion", and
+- * "allow-recursion-on" acls if configured in named.conf.
+- * (Ignore the global defaults for now, because these ACLs
+- * can inherit from each other when only some of them set at
+- * the options/view level.)
++ * Set the "allow-query", "allow-query-cache", "allow-recursion",
++ * and "allow-recursion-on" ACLs if configured in named.conf, but
++ * NOT from the global defaults. This is done by leaving the third
++ * argument to configure_view_acl() NULL.
++ *
++ * We ignore the global defaults here because these ACLs
++ * can inherit from each other. If any are still unset after
++ * applying the inheritance rules, we'll look up the defaults at
++ * that time.
+ */
+- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+- NULL, actx, named_g_mctx, &view->cacheacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query", NULL, actx,
++ named_g_mctx, &view->queryacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query-cache", NULL, actx,
++ named_g_mctx, &view->cacheacl));
+
+ if (strcmp(view->name, "_bind") != 0 &&
+ view->rdclass != dns_rdataclass_chaos)
+ {
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion", NULL, actx,
+ named_g_mctx, &view->recursionacl));
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion-on", NULL, actx,
+ named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ * the global config.
+ */
+ if (view->recursionacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-recursion", NULL,
+ actx, named_g_mctx,
+ &view->recursionacl));
+ }
+ if (view->recursiononacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-recursion-on", NULL,
+ actx, named_g_mctx,
+ &view->recursiononacl));
+ }
+ if (view->cacheacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-query-cache", NULL,
+ actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ CHECK(dns_acl_none(mctx, &view->cacheacl));
+ }
+
++ if (view->queryacl == NULL) {
++ /* global default only */
++ CHECK(configure_view_acl(NULL, NULL, named_g_config,
++ "allow-query", NULL,
++ actx, named_g_mctx,
++ &view->queryacl));
++ }
++
+ /*
+ * Ignore case when compressing responses to the specified
+ * clients. This causes case not always to be preserved,
diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
new file mode 100644
index 0000000000..fbd596862b
--- /dev/null
+++ b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
@@ -0,0 +1,36 @@
+Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed
+to be addresses:
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=22764
+
+Patch taken from upstream (with ChangeLog entries and tests omitted):
+
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12
+
+diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
+index af448f9..2737773 100644
+--- a/bfd/elfnn-aarch64.c
++++ b/bfd/elfnn-aarch64.c
+@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info,
+ #if ARCH_SIZE == 64
+ case BFD_RELOC_AARCH64_32:
+ #endif
+- if (bfd_link_pic (info)
+- && (sec->flags & SEC_ALLOC) != 0
+- && (sec->flags & SEC_READONLY) != 0)
++ if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0)
+ {
++ if (h != NULL
++ /* This is an absolute symbol. It represents a value instead
++ of an address. */
++ && ((h->root.type == bfd_link_hash_defined
++ && bfd_is_abs_section (h->root.u.def.section))
++ /* This is an undefined symbol. */
++ || h->root.type == bfd_link_hash_undefined))
++ break;
++
++ /* For local symbols, defined global symbols in a non-ABS section,
++ it is assumed that the value is an address. */
+ int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START;
+ _bfd_error_handler
+ /* xgettext:c-format */
diff --git a/gnu/packages/patches/elixir-disable-failing-tests.patch b/gnu/packages/patches/elixir-disable-failing-tests.patch
deleted file mode 100644
index 547598b292..0000000000
--- a/gnu/packages/patches/elixir-disable-failing-tests.patch
+++ /dev/null
@@ -1,284 +0,0 @@
-Most of these tests fail for unknown reasons when run in the chroot
-environment of a Guix build process.
-
-Common failures are:
-
- * Mix.Shell.cmd() fails with error 130
- * The git_repo fixture cannot be found
- * Communication with spawned processes fails with EPIPE
- * Failure to copy files
-
-
-diff --git a/lib/elixir/test/elixir/kernel/cli_test.exs b/lib/elixir/test/elixir/kernel/cli_test.exs
-index 3ffd56c..1232d19 100644
---- a/lib/elixir/test/elixir/kernel/cli_test.exs
-+++ b/lib/elixir/test/elixir/kernel/cli_test.exs
-@@ -39,6 +39,7 @@ end
- defmodule Kernel.CLI.OptionParsingTest do
- use ExUnit.Case, async: true
-
-+ @tag :skip
- test "properly parses paths" do
- root = fixture_path("../../..") |> to_charlist
- list = elixir('-pa "#{root}/*" -pz "#{root}/lib/*" -e "IO.inspect(:code.get_path, limit: :infinity)"')
-@@ -57,6 +58,7 @@ end
- defmodule Kernel.CLI.AtExitTest do
- use ExUnit.Case, async: true
-
-+ @tag :skip
- test "invokes at_exit callbacks" do
- assert elixir(fixture_path("at_exit.exs") |> to_charlist) ==
- 'goodbye cruel world with status 1\n'
-@@ -66,6 +68,7 @@ end
- defmodule Kernel.CLI.ErrorTest do
- use ExUnit.Case, async: true
-
-+ @tag :skip
- test "properly format errors" do
- assert :string.str('** (throw) 1', elixir('-e "throw 1"')) == 0
- assert :string.str('** (ErlangError) erlang error: 1', elixir('-e "error 1"')) == 0
-@@ -86,6 +89,7 @@ defmodule Kernel.CLI.CompileTest do
- {:ok, [tmp_dir_path: tmp_dir_path, beam_file_path: beam_file_path, fixture: fixture]}
- end
-
-+ @tag :skip
- test "compiles code", context do
- assert elixirc('#{context[:fixture]} -o #{context[:tmp_dir_path]}') == ''
- assert File.regular?(context[:beam_file_path])
-@@ -96,6 +100,7 @@ defmodule Kernel.CLI.CompileTest do
- Code.delete_path context[:tmp_dir_path]
- end
-
-+ @tag :skip
- test "fails on missing patterns", context do
- output = elixirc('#{context[:fixture]} non_existing.ex -o #{context[:tmp_dir_path]}')
- assert :string.str(output, 'non_existing.ex') > 0, "expected non_existing.ex to be mentioned"
-@@ -103,6 +108,7 @@ defmodule Kernel.CLI.CompileTest do
- refute File.exists?(context[:beam_file_path]), "expected the sample to not be compiled"
- end
-
-+ @tag :skip
- test "fails on missing write access to .beam file", context do
- compilation_args = '#{context[:fixture]} -o #{context[:tmp_dir_path]}'
-
-diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-index 801d852..40fc5bc 100644
---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-@@ -60,16 +60,19 @@ defmodule Kernel.DialyzerTest do
- assert_dialyze_no_warnings! context
- end
-
-+ @tag :skip
- test "no warnings on rewrites", context do
- copy_beam! context, Dialyzer.Rewrite
- assert_dialyze_no_warnings! context
- end
-
-+ @tag :skip
- test "no warnings on raise", context do
- copy_beam! context, Dialyzer.Raise
- assert_dialyze_no_warnings! context
- end
-
-+ @tag :skip
- test "no warnings on macrocallback", context do
- copy_beam! context, Dialyzer.Macrocallback
- copy_beam! context, Dialyzer.Macrocallback.Impl
-diff --git a/lib/elixir/test/elixir/system_test.exs b/lib/elixir/test/elixir/system_test.exs
-index aafa559..0f9c178 100644
---- a/lib/elixir/test/elixir/system_test.exs
-+++ b/lib/elixir/test/elixir/system_test.exs
-@@ -53,7 +53,8 @@ defmodule SystemTest do
- assert System.endianness in [:little, :big]
- assert System.endianness == System.compiled_endianness
- end
--
-+
-+ @tag :skip
- test "argv/0" do
- list = elixir('-e "IO.inspect System.argv" -- -o opt arg1 arg2 --long-opt 10')
- {args, _} = Code.eval_string list, []
-diff --git a/lib/mix/test/mix/dep_test.exs b/lib/mix/test/mix/dep_test.exs
-index fff3351..d6ed1b3 100644
---- a/lib/mix/test/mix/dep_test.exs
-+++ b/lib/mix/test/mix/dep_test.exs
-@@ -244,6 +244,7 @@ defmodule Mix.DepTest do
- end
- end
-
-+ @tag :skip
- test "remote converger" do
- deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"},
- {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo")}]
-@@ -301,6 +302,7 @@ defmodule Mix.DepTest do
- end
- end
-
-+ @tag :skip
- test "remote converger is not invoked if deps diverge" do
- deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"},
- {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo"), only: :test}]
-
-diff --git a/lib/mix/test/mix/shell/io_test.exs b/lib/mix/test/mix/shell/io_test.exs
-index 9bfb6b4..d982ef3 100644
---- a/lib/mix/test/mix/shell/io_test.exs
-+++ b/lib/mix/test/mix/shell/io_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Shell.IOTest do
- assert capture_io("", fn -> refute yes?("Ok?") end)
- end
-
-+ @tag :skip
- test "runs a given command" do
- assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "hello\n"
-
-diff --git a/lib/mix/test/mix/shell/quiet_test.exs b/lib/mix/test/mix/shell/quiet_test.exs
-index 626429b..99fab35 100644
---- a/lib/mix/test/mix/shell/quiet_test.exs
-+++ b/lib/mix/test/mix/shell/quiet_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Shell.QuietTest do
- assert capture_io("", fn -> refute yes?("Ok?") end)
- end
-
-+ @tag :skip
- test "runs a given command" do
- assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == ""
-
-diff --git a/lib/mix/test/mix/tasks/cmd_test.exs b/lib/mix/test/mix/tasks/cmd_test.exs
-index db4bf06..4d441f7 100644
---- a/lib/mix/test/mix/tasks/cmd_test.exs
-+++ b/lib/mix/test/mix/tasks/cmd_test.exs
-@@ -3,6 +3,7 @@ Code.require_file "../../test_helper.exs", __DIR__
- defmodule Mix.Tasks.CmdTest do
- use MixTest.Case
-
-+ @tag :skip
- test "runs the command for each app" do
- in_fixture "umbrella_dep/deps/umbrella", fn ->
- Mix.Project.in_project(:umbrella, ".", fn _ ->
-diff --git a/lib/mix/test/mix/tasks/deps.tree_test.exs b/lib/mix/test/mix/tasks/deps.tree_test.exs
-index 4f09ff3..c371997 100644
---- a/lib/mix/test/mix/tasks/deps.tree_test.exs
-+++ b/lib/mix/test/mix/tasks/deps.tree_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Tasks.Deps.TreeTest do
- end
- end
-
-+ @tag :skip
- test "shows the dependency tree", context do
- Mix.Project.push ConvergedDepsApp
-
-@@ -109,6 +110,7 @@ defmodule Mix.Tasks.Deps.TreeTest do
- end
- end
-
-+ @tag :skip
- test "shows the dependency tree in DOT graph format", context do
- Mix.Project.push ConvergedDepsApp
-
-diff --git a/lib/mix/test/mix/tasks/deps_test.exs b/lib/mix/test/mix/tasks/deps_test.exs
-index b061777..cc45cf8 100644
---- a/lib/mix/test/mix/tasks/deps_test.exs
-+++ b/lib/mix/test/mix/tasks/deps_test.exs
-@@ -96,6 +96,7 @@
- end
- end
-
-+ @tag :skip
- test "prints list of dependencies and their lock status" do
- Mix.Project.push DepsApp
-
-@@ -409,6 +409,7 @@ defmodule Mix.Tasks.DepsTest do
- end
- end
-
-+ @tag :skip
- test "fails on diverged dependencies by requirement" do
- Mix.Project.push ConvergedDepsApp
-
-@@ -440,6 +441,7 @@ defmodule Mix.Tasks.DepsTest do
- end
- end
-
-+ @tag :skip
- test "fails on diverged dependencies even when optional" do
- Mix.Project.push ConvergedDepsApp
-
-@@ -469,6 +471,7 @@ defmodule Mix.Tasks.DepsTest do
- end
- end
-
-+ @tag :skip
- test "works with converged dependencies" do
- Mix.Project.push ConvergedDepsApp
-
-@@ -491,6 +494,7 @@ defmodule Mix.Tasks.DepsTest do
- purge [GitRepo, GitRepo.Mixfile]
- end
-
-+ @tag :skip
- test "works with overridden dependencies" do
- Mix.Project.push OverriddenDepsApp
-
-diff --git a/lib/mix/test/mix/umbrella_test.exs b/lib/mix/test/mix/umbrella_test.exs
-index 69f9428..406668a 100644
---- a/lib/mix/test/mix/umbrella_test.exs
-+++ b/lib/mix/test/mix/umbrella_test.exs
-@@ -98,6 +98,7 @@ defmodule Mix.UmbrellaTest do
- end
- end
-
-+ @tag :skip
- test "loads umbrella child dependencies in all environments" do
- in_fixture "umbrella_dep/deps/umbrella", fn ->
- Mix.Project.in_project :umbrella, ".", fn _ ->
-
-diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-index 792222c..e90beb9 100644
---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-@@ -54,6 +54,7 @@ defmodule Kernel.DialyzerTest do
- {:ok, [outdir: dir, dialyzer: dialyzer]}
- end
-
-+ @tag :skip
- test "no warnings on valid remote calls", context do
- copy_beam! context, Dialyzer.RemoteCall
- assert_dialyze_no_warnings! context
-@@ -78,11 +79,13 @@ defmodule Kernel.DialyzerTest do
- assert_dialyze_no_warnings! context
- end
-
-+ @tag :skip
- test "no warnings on struct update", context do
- copy_beam! context, Dialyzer.StructUpdate
- assert_dialyze_no_warnings! context
- end
-
-+ @tag :skip
- test "no warnings on protocol calls with opaque types", context do
- copy_beam! context, Dialyzer.ProtocolOpaque
- copy_beam! context, Dialyzer.ProtocolOpaque.Entity
-@@ -90,6 +93,7 @@ defmodule Kernel.DialyzerTest do
- assert_dialyze_no_warnings! context
- end
-
-+ @tag :skip
- test "no warnings on and/2 and or/2", context do
- copy_beam! context, Dialyzer.BooleanCheck
- assert_dialyze_no_warnings! context
-
-diff --git a/Makefile b/Makefile
-index 2fc4f9a..aef8366 100644
---- a/Makefile
-+++ b/Makefile
-@@ -201,7 +201,7 @@ $(TEST_EBIN)/%.beam: $(TEST_ERL)/%.erl
- $(Q) mkdir -p $(TEST_EBIN)
- $(Q) $(ERLC) -o $(TEST_EBIN) $<
-
--test_elixir: test_stdlib test_ex_unit test_logger test_mix test_eex test_iex
-+test_elixir: test_stdlib test_ex_unit test_logger test_eex test_iex
-
- test_stdlib: compile
- @ echo "==> elixir (exunit)"
-
diff --git a/gnu/packages/patches/flann-cmake-3.11.patch b/gnu/packages/patches/flann-cmake-3.11.patch
new file mode 100644
index 0000000000..1fb76eca0a
--- /dev/null
+++ b/gnu/packages/patches/flann-cmake-3.11.patch
@@ -0,0 +1,84 @@
+Fixes this issue:
+ <https://github.com/mariusmuja/flann/issues/369>.
+Patch from Buildroot:
+ <https://github.com/buildroot/buildroot/commit/45a39b3e2ba42b72d19bfcef30db1b8da9ead51a>.
+
+From fa5ec96a94646492a3f908e12905b3e48a8e800b Mon Sep 17 00:00:00 2001
+From: Romain Naour <romain.naour@gmail.com>
+Date: Wed, 18 Apr 2018 20:24:13 +0200
+Subject: [PATCH] src/cpp: fix cmake >= 3.11 build
+
+CMake < 3.11 doesn't support add_library() without any source file
+(i.e add_library(foo SHARED)). But flann CMake use a trick that use
+an empty string "" as source list (i.e add_library(foo SHARED "")).
+This look like a bug in CMake < 3.11.
+
+With CMake >= 3.11, the new behaviour of add_library() break the
+existing flann CMake code.
+
+From CMake Changelog [1]:
+"add_library() and add_executable() commands can now be called without
+ any sources and will not complain as long as sources are added later
+ via the target_sources() command."
+
+Note: flann CMake code doesn't use target_sources() since no source file
+are provided intentionally since the flann shared library is created by
+linking with the flann_cpp_s static library with this line:
+
+target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive)
+
+If you try to use "add_library(flann_cpp SHARED ${CPP_SOURCES})" (as it should
+be normally done), the link fail due to already defined symbol.
+
+They are building the shared version using the static library "to speedup the
+build time" [3]
+
+This issue is already reported upstream [2] with a proposed solution.
+
+Upstream status: Pending
+
+Fixes:
+http://autobuild.buildroot.net/results/b2f/b2febfaf8c44ce477b3e4a5b9b976fd25e8d7454
+
+[1] https://cmake.org/cmake/help/v3.11/release/3.11.html
+[2] https://github.com/mariusmuja/flann/issues/369
+[3] https://github.com/mariusmuja/flann/commit/0fd62b43be2fbb0b8d791ee36290791224dc030c
+
+Signed-off-by: Romain Naour <romain.naour@gmail.com>
+---
+ src/cpp/CMakeLists.txt | 4 ++--
+ src/cpp/empty.cpp | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 src/cpp/empty.cpp
+
+diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt
+index b44a735..a816863 100644
+--- a/src/cpp/CMakeLists.txt
++++ b/src/cpp/CMakeLists.txt
+@@ -29,7 +29,7 @@ if (BUILD_CUDA_LIB)
+ endif()
+
+ if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC)
+- add_library(flann_cpp SHARED "")
++ add_library(flann_cpp SHARED "empty.cpp")
+ set_target_properties(flann_cpp PROPERTIES LINKER_LANGUAGE CXX)
+ target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive)
+
+@@ -85,7 +85,7 @@ if (BUILD_C_BINDINGS)
+ set_property(TARGET flann_s PROPERTY COMPILE_DEFINITIONS FLANN_STATIC)
+
+ if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC)
+- add_library(flann SHARED "")
++ add_library(flann SHARED "empty.cpp")
+ set_target_properties(flann PROPERTIES LINKER_LANGUAGE CXX)
+ target_link_libraries(flann -Wl,-whole-archive flann_s -Wl,-no-whole-archive)
+ else()
+diff --git a/src/cpp/empty.cpp b/src/cpp/empty.cpp
+new file mode 100644
+index 0000000..40a8c17
+--- /dev/null
++++ b/src/cpp/empty.cpp
+@@ -0,0 +1 @@
++/* empty */
+--
+2.14.3
diff --git a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch b/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch
deleted file mode 100644
index 306d4d348b..0000000000
--- a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Fix CVE-2018-12020:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
-https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
-
-Patch copied from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac
-
-From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Fri, 8 Jun 2018 10:45:21 +0200
-Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
-
-* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
---
-
-This fixes a forgotten sanitation of user supplied data in a verbose
-mode diagnostic. The mention CVE is about using this to inject
-status-fd lines into the stderr output. Other harm good as well be
-done. Note that GPGME based applications are not affected because
-GPGME does not fold status output into stderr.
-
-CVE-id: CVE-2018-12020
-GnuPG-bug-id: 4012
-(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
----
- g10/mainproc.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/g10/mainproc.c b/g10/mainproc.c
-index 33a654b34..ffa7ef6d8 100644
---- a/g10/mainproc.c
-+++ b/g10/mainproc.c
-@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
- if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
- log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
- else if( opt.verbose )
-- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
-+ {
-+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
-+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
-+ xfree (tmp);
-+ }
- free_md_filter_context( &c->mfx );
- c->mfx.md = md_open( 0, 0);
- /* fixme: we may need to push the textfilter if we have sigclass 1
---
-2.17.1
-
diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch
deleted file mode 100644
index 75c6362021..0000000000
--- a/gnu/packages/patches/password-store-gnupg-compat.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Copied from upstream mailing list:
-https://lists.zx2c4.com/pipermail/password-store/2018-February/003216.html.
-
-From 9b0c86159d754cc88dd3642564eed527153dfb7f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org>
-Date: Sat, 24 Feb 2018 12:05:46 +0100
-Subject: [PATCH] tests: fix compatibility with GnuPG 2.2.5
-
----
- tests/t0300-reencryption.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh
-index 6d5811d..6d15364 100755
---- a/tests/t0300-reencryption.sh
-+++ b/tests/t0300-reencryption.sh
-@@ -10,7 +10,7 @@ canonicalize_gpg_keys() {
- $GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u
- }
- gpg_keys_from_encrypted_file() {
-- $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
-+ $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | grep "public key is" | cut -d ' ' -f 5 | LC_ALL=C sort -u
- }
- gpg_keys_from_group() {
- local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)"
---
-2.16.2
-
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 0000000000..6460cf5855
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+ return;
+ }
+
++ ### If a file system already contains a block device with the same name as
++ ### the being extracted regular file, we would write the file's content
++ ### to the block device. So remove the existing file (block device) now.
++ ### If an archive contains multiple same-named entries, the last one
++ ### should replace the previous ones. So remove the old file now.
++ ### If the old entry is a symlink to a file outside of the CWD, the new
++ ### entry would create a file there. This is CVE-2018-12015
++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++ if (-l $full || -e _) {
++ if (!unlink $full) {
++ $self->_error( qq[Could not remove old file '$full': $!] );
++ return;
++ }
++ }
+ if( length $entry->type && $entry->is_file ) {
+ my $fh = IO::File->new;
+ $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
deleted file mode 100644
index e1e71a332a..0000000000
--- a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001
-From: jakirkham <jakirkham@gmail.com>
-Date: Fri, 7 Jul 2017 05:57:56 -0400
-Subject: [PATCH] Drop ordereddict requirement (#84)
-
-* Drop ordereddict requirement
-
-As Python 2.7 is the minimum Python supported, every version of Python
-should have `ordereddict` preincluded in the standard library one way or
-another. So we can drop this dependency and just handle the differences
-between Python 2 and Python 3.
----
- nosetimer/plugin.py | 5 +----
- setup.py | 1 -
- 2 files changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py
-index ef28e11..d093a51 100644
---- a/nosetimer/plugin.py
-+++ b/nosetimer/plugin.py
-@@ -12,10 +12,7 @@
- except ImportError:
- import queue as Queue
-
--try:
-- from collections import OrderedDict
--except ImportError:
-- from ordereddict import OrderedDict
-+from collections import OrderedDict
-
-
- # define constants
-diff --git a/setup.py b/setup.py
-index 6a55b82..d249325 100755
---- a/setup.py
-+++ b/setup.py
-@@ -27,7 +27,6 @@
- install_requires=[
- 'nose',
- 'termcolor',
-- 'ordereddict',
- ],
- license='MIT',
- entry_points={
diff --git a/gnu/packages/patches/strace-kernel-4.16.patch b/gnu/packages/patches/strace-kernel-4.16.patch
deleted file mode 100644
index e86d3be439..0000000000
--- a/gnu/packages/patches/strace-kernel-4.16.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-Fix test failure when using Linux-Libre >= 4.16.
-
-Taken from upstream:
-https://github.com/strace/strace/commit/bcff87c31c0f27c678a43d6b7f67dab363a974fa
-
-From bcff87c31c0f27c678a43d6b7f67dab363a974fa Mon Sep 17 00:00:00 2001
-From: Masatake YAMATO <yamato@redhat.com>
-Date: Wed, 2 May 2018 17:11:07 +0900
-Subject: [PATCH] tests/ioctl_kvm_run.c: handle cpuid at the end of vcpu dentry
-
-Since Linux 4.16, kernel appends the cpuid as suffix to the entry
-for a kvm vcpu in /proc/$pid/fd like:
-
- anon_inode:kvm-vcpu:0
-
-That was
-
- anon_inode:kvm-vcpu
-
-This kernel change causes the test case failure on newer kernels.
-Update the test to deal with the new name as well as the old one.
-
-* tests/ioctl_kvm_run.c: Include unistd.h for using readlink(2).
-(vcpu_dev_should_have_cpuid): New function for detecting whether
-a proc entry for given fd has the cpuid suffix or not.
-(main): Trim vcpu_dev to remove the cpuid suffix if needed.
-(vcpu_dev): Remove const modifier.
----
- tests/ioctl_kvm_run.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/tests/ioctl_kvm_run.c b/tests/ioctl_kvm_run.c
-index 179461430..e1bef5796 100644
---- a/tests/ioctl_kvm_run.c
-+++ b/tests/ioctl_kvm_run.c
-@@ -40,6 +40,7 @@
- # include <string.h>
- # include <sys/ioctl.h>
- # include <sys/mman.h>
-+# include <unistd.h>
- # include <linux/kvm.h>
-
- static int
-@@ -56,7 +57,7 @@ kvm_ioctl(int fd, unsigned long cmd, const char *cmd_str, void *arg)
-
- static const char dev[] = "/dev/kvm";
- static const char vm_dev[] = "anon_inode:kvm-vm";
--static const char vcpu_dev[] = "anon_inode:kvm-vcpu";
-+static char vcpu_dev[] = "anon_inode:kvm-vcpu:0";
- static size_t page_size;
-
- extern const char code[];
-@@ -165,6 +166,23 @@ run_kvm(const int vcpu_fd, struct kvm_run *const run, const size_t mmap_size,
- }
- }
-
-+static int
-+vcpu_dev_should_have_cpuid(int fd)
-+{
-+ int r = 0;
-+ char *filename = NULL;
-+ char buf[sizeof(vcpu_dev)];
-+
-+ if (asprintf(&filename, "/proc/%d/fd/%d", getpid(), fd) < 0)
-+ error_msg_and_fail("asprintf");
-+
-+ if (readlink(filename, buf, sizeof(buf)) == sizeof(buf) - 1
-+ && (memcmp(buf, vcpu_dev, sizeof(buf) - 1) == 0))
-+ r = 1;
-+ free(filename);
-+ return r;
-+}
-+
- int
- main(void)
- {
-@@ -208,6 +226,15 @@ main(void)
- (unsigned long) page_size, (unsigned long) page_size, mem);
-
- int vcpu_fd = KVM_IOCTL(vm_fd, KVM_CREATE_VCPU, NULL);
-+ if (!vcpu_dev_should_have_cpuid(vcpu_fd))
-+ /*
-+ * This is an older kernel that doesn't place a cpuid
-+ * at the end of the dentry associated with vcpu_fd.
-+ * Trim the cpuid part of vcpu_dev like:
-+ * "anon_inode:kvm-vcpu:0" -> "anon_inode:kvm-vcpu"
-+ */
-+ vcpu_dev[strlen (vcpu_dev) - 2] = '\0';
-+
- printf("ioctl(%d<%s>, KVM_CREATE_VCPU, 0) = %d<%s>\n",
- vm_fd, vm_dev, vcpu_fd, vcpu_dev);
-
diff --git a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
new file mode 100644
index 0000000000..525980e73e
--- /dev/null
+++ b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
@@ -0,0 +1,96 @@
+From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001
+From: Pierre Neidhardt <ambrevar@gmail.com>
+Date: Sat, 16 Jun 2018 16:35:00 +0200
+Subject: [PATCH] Protect against bad crafted input
+
+Also check for wrap-around when checking oversize involving e_shoff and e_shnum.
+
+raised by https://github.com/upx/upx/pull/190
+ modified: p_lx_elf.cpp
+---
+ src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 822a7652..41e805ee 100644
+--- a/src/p_lx_elf.cpp
++++ b/src/p_lx_elf.cpp
+@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f)
+ sz_phdrs = 0;
+ return;
+ }
++ if (0==e_phnum) throwCantUnpack("0==e_phnum");
+ e_phoff = get_te32(&ehdri.e_phoff);
++ unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr);
++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++ throwCantUnpack("bad e_phoff");
++ }
+ e_shoff = get_te32(&ehdri.e_shoff);
++ unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr);
++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++ throwCantUnpack("bad e_shoff");
++ }
+ sz_phdrs = e_phnum * e_phentsize;
+
+ if (f && Elf32_Ehdr::ET_DYN!=e_type) {
+@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f)
+ sz_phdrs = 0;
+ return;
+ }
++ if (0==e_phnum) throwCantUnpack("0==e_phnum");
+ e_phoff = get_te64(&ehdri.e_phoff);
++ upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr);
++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++ throwCantUnpack("bad e_phoff");
++ }
+ e_shoff = get_te64(&ehdri.e_shoff);
++ upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr);
++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++ throwCantUnpack("bad e_shoff");
++ }
+ sz_phdrs = e_phnum * e_phentsize;
+
+ if (f && Elf64_Ehdr::ET_DYN!=e_type) {
+@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft)
+
+ void PackLinuxElf64::unpack(OutputFile *fo)
+ {
++ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr
++ throwCantUnpack("bad e_phoff");
++ }
+ unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+ upx_uint64_t old_data_off = 0;
+ upx_uint64_t old_data_len = 0;
+@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo)
+ unsigned total_out = 0;
+ unsigned c_adler = upx_adler32(NULL, 0);
+ unsigned u_adler = upx_adler32(NULL, 0);
++ if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) {
++ throwCantUnpack("bad compressed e_phnum");
++ }
+
+ // Packed ET_EXE has no PT_DYNAMIC.
+ // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
+
+ void PackLinuxElf32::unpack(OutputFile *fo)
+ {
++ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr
++ throwCantUnpack("bad e_phoff");
++ }
+ unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+ unsigned old_data_off = 0;
+ unsigned old_data_len = 0;
+@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo)
+ unsigned total_out = 0;
+ unsigned c_adler = upx_adler32(NULL, 0);
+ unsigned u_adler = upx_adler32(NULL, 0);
++ if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) {
++ throwCantUnpack("bad compressed e_phnum");
++ }
+
+ // Packed ET_EXE has no PT_DYNAMIC.
+ // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+--
+2.17.0
+