Merge branch 'master' into staging

7 files changed, 657 insertions, 0 deletions

diff --git a/gnu/packages/patches/java-jeromq-fix-tests.patch b/gnu/packages/patches/java-jeromq-fix-tests.patch
new file mode 100644
index 0000000000..5466b92707
--- /dev/null
+++ b/gnu/packages/patches/java-jeromq-fix-tests.patch
@@ -0,0 +1,253 @@
+From 5803aadd3f209eba1ffbb2cf7bf16778019dbee1 Mon Sep 17 00:00:00 2001
+From: fredoboulo <fredoboulo@users.noreply.github.com>
+Date: Fri, 23 Feb 2018 23:55:57 +0100
+Subject: [PATCH] Fix #524 : V1 and V2 protocol downgrades handle received data
+ in handshake buffer
+
+This patch is upstream pull request, see:
+https://gihub.com/zeromq/jeromq/pull/527.
+
+It is merged on commit c2afa9c, and we can drop it on the
+0.4.4 release.
+
+---
+ src/main/java/zmq/io/StreamEngine.java            | 21 ++++++++++--
+ src/test/java/zmq/io/AbstractProtocolVersion.java | 41 +++++++++++++----------
+ src/test/java/zmq/io/V0ProtocolTest.java          | 12 +++++++
+ src/test/java/zmq/io/V1ProtocolTest.java          | 16 +++++++--
+ src/test/java/zmq/io/V2ProtocolTest.java          | 16 +++++++--
+ 5 files changed, 81 insertions(+), 25 deletions(-)
+
+diff --git a/src/main/java/zmq/io/StreamEngine.java b/src/main/java/zmq/io/StreamEngine.java
+index b8933c92..fe2f2d8d 100644
+--- a/src/main/java/zmq/io/StreamEngine.java
++++ b/src/main/java/zmq/io/StreamEngine.java
+@@ -816,9 +816,7 @@ private boolean handshake()
+             assert (bufferSize == headerSize);
+ 
+             //  Make sure the decoder sees the data we have already received.
+-            greetingRecv.flip();
+-            inpos = greetingRecv;
+-            insize = greetingRecv.limit();
++            decodeDataAfterHandshake(0);
+ 
+             //  To allow for interoperability with peers that do not forward
+             //  their subscriptions, we inject a phantom subscription message
+@@ -846,6 +844,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V1.revision) {
+             }
+             encoder = new V1Encoder(errno, Config.OUT_BATCH_SIZE.getValue());
+             decoder = new V1Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator);
++
++            decodeDataAfterHandshake(V2_GREETING_SIZE);
+         }
+         else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) {
+             //  ZMTP/2.0 framing.
+@@ -859,6 +859,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) {
+             }
+             encoder = new V2Encoder(errno, Config.OUT_BATCH_SIZE.getValue());
+             decoder = new V2Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator);
++
++            decodeDataAfterHandshake(V2_GREETING_SIZE);
+         }
+         else {
+             zmtpVersion = Protocol.V3;
+@@ -904,6 +906,19 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) {
+         return true;
+     }
+ 
++    private void decodeDataAfterHandshake(int greetingSize)
++    {
++        final int pos = greetingRecv.position();
++        if (pos > greetingSize) {
++            // data is present after handshake
++            greetingRecv.position(greetingSize).limit(pos);
++
++            //  Make sure the decoder sees this extra data.
++            inpos = greetingRecv;
++            insize = greetingRecv.remaining();
++        }
++    }
++
+     private Msg identityMsg()
+     {
+         Msg msg = new Msg(options.identitySize);
+diff --git a/src/test/java/zmq/io/AbstractProtocolVersion.java b/src/test/java/zmq/io/AbstractProtocolVersion.java
+index e60db403..aa06b4a7 100644
+--- a/src/test/java/zmq/io/AbstractProtocolVersion.java
++++ b/src/test/java/zmq/io/AbstractProtocolVersion.java
+@@ -18,15 +18,18 @@
+ import zmq.SocketBase;
+ import zmq.ZError;
+ import zmq.ZMQ;
++import zmq.ZMQ.Event;
+ import zmq.util.Utils;
+ 
+ public abstract class AbstractProtocolVersion
+ {
++    protected static final int REPETITIONS = 1000;
++
+     static class SocketMonitor extends Thread
+     {
+-        private final Ctx             ctx;
+-        private final String          monitorAddr;
+-        private final List<ZMQ.Event> events = new ArrayList<>();
++        private final Ctx         ctx;
++        private final String      monitorAddr;
++        private final ZMQ.Event[] events = new ZMQ.Event[1];
+ 
+         public SocketMonitor(Ctx ctx, String monitorAddr)
+         {
+@@ -41,15 +44,15 @@ public void run()
+             boolean rc = s.connect(monitorAddr);
+             assertThat(rc, is(true));
+             // Only some of the exceptional events could fire
+-            while (true) {
+-                ZMQ.Event event = ZMQ.Event.read(s);
+-                if (event == null && s.errno() == ZError.ETERM) {
+-                    break;
+-                }
+-                assertThat(event, notNullValue());
+-
+-                events.add(event);
++
++            ZMQ.Event event = ZMQ.Event.read(s);
++            if (event == null && s.errno() == ZError.ETERM) {
++                s.close();
++                return;
+             }
++            assertThat(event, notNullValue());
++
++            events[0] = event;
+             s.close();
+         }
+     }
+@@ -69,11 +72,12 @@ public void run()
+         boolean rc = ZMQ.setSocketOption(receiver, ZMQ.ZMQ_LINGER, 0);
+         assertThat(rc, is(true));
+ 
+-        SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor");
+-        monitor.start();
+         rc = ZMQ.monitorSocket(receiver, "inproc://monitor", ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL);
+         assertThat(rc, is(true));
+ 
++        SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor");
++        monitor.start();
++
+         rc = ZMQ.bind(receiver, host);
+         assertThat(rc, is(true));
+ 
+@@ -81,17 +85,18 @@ public void run()
+         OutputStream out = sender.getOutputStream();
+         for (ByteBuffer raw : raws) {
+             out.write(raw.array());
+-            ZMQ.msleep(100);
+         }
+ 
+         Msg msg = ZMQ.recv(receiver, 0);
+         assertThat(msg, notNullValue());
+         assertThat(new String(msg.data(), ZMQ.CHARSET), is(payload));
+ 
+-        ZMQ.msleep(500);
+-        assertThat(monitor.events.size(), is(1));
+-        assertThat(monitor.events.get(0).event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL));
+-        assertThat((Integer) monitor.events.get(0).arg, is(version));
++        monitor.join();
++
++        final Event event = monitor.events[0];
++        assertThat(event, notNullValue());
++        assertThat(event.event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL));
++        assertThat((Integer) event.arg, is(version));
+ 
+         InputStream in = sender.getInputStream();
+         byte[] data = new byte[255];
+diff --git a/src/test/java/zmq/io/V0ProtocolTest.java b/src/test/java/zmq/io/V0ProtocolTest.java
+index bd547d23..1a5b7aef 100644
+--- a/src/test/java/zmq/io/V0ProtocolTest.java
++++ b/src/test/java/zmq/io/V0ProtocolTest.java
+@@ -10,6 +10,18 @@
+ 
+ public class V0ProtocolTest extends AbstractProtocolVersion
+ {
++    @Test
++    public void testFixIssue524() throws IOException, InterruptedException
++    {
++        for (int idx = 0; idx < REPETITIONS; ++idx) {
++            if (idx % 100 == 0) {
++                System.out.print(idx + " ");
++            }
++            testProtocolVersion0short();
++        }
++        System.out.println();
++    }
++
+     @Test(timeout = 2000)
+     public void testProtocolVersion0short() throws IOException, InterruptedException
+     {
+diff --git a/src/test/java/zmq/io/V1ProtocolTest.java b/src/test/java/zmq/io/V1ProtocolTest.java
+index e1045f34..764159d0 100644
+--- a/src/test/java/zmq/io/V1ProtocolTest.java
++++ b/src/test/java/zmq/io/V1ProtocolTest.java
+@@ -10,7 +10,19 @@
+ 
+ public class V1ProtocolTest extends AbstractProtocolVersion
+ {
+-    @Test(timeout = 2000)
++    @Test
++    public void testFixIssue524() throws IOException, InterruptedException
++    {
++        for (int idx = 0; idx < REPETITIONS; ++idx) {
++            if (idx % 100 == 0) {
++                System.out.print(idx + " ");
++            }
++            testProtocolVersion1short();
++        }
++        System.out.println();
++    }
++
++    @Test
+     public void testProtocolVersion1short() throws IOException, InterruptedException
+     {
+         List<ByteBuffer> raws = raws(0);
+@@ -25,7 +37,7 @@ public void testProtocolVersion1short() throws IOException, InterruptedException
+         assertProtocolVersion(1, raws, "abcdefg");
+     }
+ 
+-    @Test(timeout = 2000)
++    @Test
+     public void testProtocolVersion1long() throws IOException, InterruptedException
+     {
+         List<ByteBuffer> raws = raws(0);
+diff --git a/src/test/java/zmq/io/V2ProtocolTest.java b/src/test/java/zmq/io/V2ProtocolTest.java
+index d5e64bce..7fda31bc 100644
+--- a/src/test/java/zmq/io/V2ProtocolTest.java
++++ b/src/test/java/zmq/io/V2ProtocolTest.java
+@@ -21,7 +21,19 @@ protected ByteBuffer identity()
+                 .put((byte) 0);
+     }
+ 
+-    @Test(timeout = 2000)
++    @Test
++    public void testFixIssue524() throws IOException, InterruptedException
++    {
++        for (int idx = 0; idx < REPETITIONS; ++idx) {
++            if (idx % 100 == 0) {
++                System.out.print(idx + " ");
++            }
++            testProtocolVersion2short();
++        }
++        System.out.println();
++    }
++
++    @Test
+     public void testProtocolVersion2short() throws IOException, InterruptedException
+     {
+         List<ByteBuffer> raws = raws(1);
+@@ -38,7 +50,7 @@ public void testProtocolVersion2short() throws IOException, InterruptedException
+         assertProtocolVersion(2, raws, "abcdefg");
+     }
+ 
+-    @Test(timeout = 2000)
++    @Test
+     public void testProtocolVersion2long() throws IOException, InterruptedException
+     {
+         List<ByteBuffer> raws = raws(1);
diff --git a/gnu/packages/patches/java-simple-xml-fix-tests.patch b/gnu/packages/patches/java-simple-xml-fix-tests.patch
new file mode 100644
index 0000000000..6270b87009
--- /dev/null
+++ b/gnu/packages/patches/java-simple-xml-fix-tests.patch
@@ -0,0 +1,37 @@
+From b3b7a305f1278ec414500bf96c4c7a7f634c941b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jens=20Thee=C3=9F?= <theess@subshell.com>
+Date: Thu, 15 Sep 2016 13:08:26 +0200
+Subject: [PATCH] Dictionary uses stable order. This fixes unit tests.
+
+This is upstream pull request #15:
+https://github.com/ngallagher/simplexml/pull/15
+This software is unmaintained, this pull request will no get merged.
+The patch is modified, to match the directory layout of the tarball.
+
+---
+ src/main/java/org/simpleframework/xml/util/Dictionary.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/org/simpleframework/xml/util/Dictionary.java b/src/main/java/org/simpleframework/xml/util/Dictionary.java
+index 077d2514..c7327426 100644
+--- a/src/org/simpleframework/xml/util/Dictionary.java
++++ b/src/org/simpleframework/xml/util/Dictionary.java
+@@ -19,8 +19,8 @@
+ package org.simpleframework.xml.util;
+ 
+ import java.util.AbstractSet;
+-import java.util.HashMap;
+ import java.util.Iterator;
++import java.util.LinkedHashMap;
+ 
+ /**
+  * The <code>Dictionary</code> object represents a mapped set of entry
+@@ -134,7 +134,7 @@ public T remove(String name) {
+     *
+     * @see org.simpleframework.xml.util.Entry
+     */
+-   private static class Table<T> extends HashMap<String, T> {
++   private static class Table<T> extends LinkedHashMap<String, T> {
+       
+       /**
+        * Constructor for the <code>Table</code> object. This will
diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
new file mode 100644
index 0000000000..89b4f2f5d9
--- /dev/null
+++ b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
@@ -0,0 +1,23 @@
+From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001
+From: Con Kolivas <kernel@kolivas.org>
+Date: Fri, 9 Mar 2018 17:39:40 +1100
+Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get
+
+---
+ libzpaq/libzpaq.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h
+index 93387da..cbe211d 100644
+--- a/libzpaq/libzpaq.h
++++ b/libzpaq/libzpaq.h
+@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader {
+ 
+ 	int get() {
+ 		if (progress && !(*s_len % 128)) {
+-			int pct = (total_len - *s_len) * 100 / total_len;
++			int pct = (total_len > 0) ?
++				(total_len - *s_len) * 100 / total_len : 100;
+ 
+ 			if (pct / 10 != *last_pct / 10) {
+ 				int i;
diff --git a/gnu/packages/patches/shadow-CVE-2018-7169.patch b/gnu/packages/patches/shadow-CVE-2018-7169.patch
new file mode 100644
index 0000000000..eeae5b9b71
--- /dev/null
+++ b/gnu/packages/patches/shadow-CVE-2018-7169.patch
@@ -0,0 +1,191 @@
+Fix CVE-2018-7169:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169
+
+Patch copied from upstream source repository:
+
+https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0
+
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map its own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
++	}
+ 
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
+@@ -89,6 +94,70 @@ static void usage(void)
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 
+-- 
+2.16.2
+
diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
new file mode 100644
index 0000000000..080e2f56ba
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-7738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
+
+Patch copied from upstream source repository:
+
+https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
+
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ 			return 0
+ 			;;
+ 	esac
+-	local DEVS_MPOINTS
+-	DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+-	COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+-	return 0
++
++	local oldifs=$IFS
++	IFS=$'\n'
++	COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++	IFS=$oldifs
+ }
+ complete -F _umount_module umount
diff --git a/gnu/packages/patches/zsh-CVE-2018-7548.patch b/gnu/packages/patches/zsh-CVE-2018-7548.patch
new file mode 100644
index 0000000000..1ee15fad73
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7548.patch
@@ -0,0 +1,48 @@
+Fix CVE-2018-7548:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7548
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
+
+From 110b13e1090bc31ac1352b28adc2d02b6d25a102 Mon Sep 17 00:00:00 2001
+From: Joey Pabalinas <joeypabalinas@gmail.com>
+Date: Tue, 23 Jan 2018 22:28:08 -0800
+Subject: [PATCH] 42313: avoid null-pointer deref when using ${(PA)...} on an
+ empty array result
+
+---
+ ChangeLog   | 5 +++++
+ Src/subst.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index d2ba94afc..3037edda4 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,8 @@
+#+2018-01-23  Barton E. Schaefer  <schaefer@zsh.org>
+#+
+#+       * Joey Pabalinas: 42313: Src/subst.c: avoid null-pointer deref
+#+       when using ${(PA)...} on an empty array result
+#+
+# 2018-01-23  Oliver Kiddle  <okiddle@yahoo.co.uk>
+# 
+#        * 42317: Completion/Linux/Command/_cryptsetup,
+diff --git a/Src/subst.c b/Src/subst.c
+index d027e3d83..a265a187e 100644
+--- a/Src/subst.c
++++ b/Src/subst.c
+@@ -2430,7 +2430,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
+ 		val = aval[0];
+ 		isarr = 0;
+ 	    }
+-	    s = dyncat(val, s);
++	    s = val ? dyncat(val, s) : dupstring(s);
+ 	    /* Now behave po-faced as if it was always like that... */
+ 	    subexp = 0;
+ 	    /*
+-- 
+2.16.2
+
diff --git a/gnu/packages/patches/zsh-CVE-2018-7549.patch b/gnu/packages/patches/zsh-CVE-2018-7549.patch
new file mode 100644
index 0000000000..abefcdf2f9
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7549.patch
@@ -0,0 +1,56 @@
+Fix CVE-2018-7549:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd
+
+From c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd Mon Sep 17 00:00:00 2001
+From: Stephane Chazelas <stephane.chazelas@gmail.com>
+Date: Fri, 22 Dec 2017 22:17:09 +0000
+Subject: [PATCH] Avoid crash copying empty hash table.
+
+Visible with typeset -p.
+---
+ ChangeLog    |  2 ++
+ Src/params.c | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index f74c26b88..e3628cfa7 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,7 @@
+# 2018-01-04  Peter Stephenson  <p.stephenson@samsung.com>
+# 
+#+       * Stephane: 42159: Src/params.c: avoid crash copying empty hash table.
+#+
+#        * Sebastian: 42188: Src/Modules/system.c: It is necessary to
+#        close the lock descriptor in some failure cases.
+#
+diff --git a/Src/params.c b/Src/params.c
+index 31ff0445b..de7730ae7 100644
+--- a/Src/params.c
++++ b/Src/params.c
+@@ -549,10 +549,13 @@ scancopyparams(HashNode hn, UNUSED(int flags))
+ HashTable
+ copyparamtable(HashTable ht, char *name)
+ {
+-    HashTable nht = newparamtable(ht->hsize, name);
+-    outtable = nht;
+-    scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
+-    outtable = NULL;
++    HashTable nht = 0;
++    if (ht) {
++	nht = newparamtable(ht->hsize, name);
++	outtable = nht;
++	scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
++	outtable = NULL;
++    }
+     return nht;
+ }
+ 
+-- 
+2.16.2
+