authorRicardo Wurmus <rekado@elephly.net>2018-08-13 20:39:08 +0200
committerRicardo Wurmus <rekado@elephly.net>2018-08-13 20:39:32 +0200
commitb86c019efbc5c4ea35f3cd6d2f52985f40e49e6c (patch)
tree01c8ec8d4172c2834bef1e8859d6ca8b99338470 /gnu/packages/patches
parent25bd72678ae4048b0b84ee82bc5f2644367e9715 (diff)
parent7b38f045c04fe69001ff5c2f04486cc51a69ae82 (diff)
Merge branch 'staging' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/emacs-exwm-fix-fullscreen-issue.patch27
-rw-r--r--gnu/packages/patches/irrlicht-use-system-libs.patch202
-rw-r--r--gnu/packages/patches/lxc-CVE-2018-6556.patch116
-rw-r--r--gnu/packages/patches/mariadb-client-test-32bit.patch37
-rw-r--r--gnu/packages/patches/meson-for-build-rpath.patch3
-rw-r--r--gnu/packages/patches/openblas-fix-tests-i686.patch35
-rw-r--r--gnu/packages/patches/polkit-drop-test.patch18
-rw-r--r--gnu/packages/patches/pulseaudio-glibc-2.27.patch67
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch53
-rw-r--r--gnu/packages/patches/xorg-server-rotate-fb.patch35
10 files changed, 436 insertions, 157 deletions
diff --git a/gnu/packages/patches/emacs-exwm-fix-fullscreen-issue.patch b/gnu/packages/patches/emacs-exwm-fix-fullscreen-issue.patch
new file mode 100644
index 0000000000..5c9bd36598
--- /dev/null
+++ b/gnu/packages/patches/emacs-exwm-fix-fullscreen-issue.patch
@@ -0,0 +1,27 @@
+From 13a14579cc1bb772735f895dd5b4b90c6812f3ee Mon Sep 17 00:00:00 2001
+From: Chris Feng <chris.w.feng@gmail.com>
+Date: Sun, 29 Jul 2018 00:00:00 +0000
+Subject: [PATCH] Fix issues with destroying full screen X windows
+
+* exwm-manage.el (exwm-manage--unmanage-window): Set the Emacs window
+of an full screen X window as non-dedicated before killing its buffer
+so as not to cause other side effects.
+---
+ exwm-manage.el | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/exwm-manage.el b/exwm-manage.el
+index a0a9e05..349157f 100644
+--- a/exwm-manage.el
++++ b/exwm-manage.el
+@@ -392,6 +392,10 @@ manager is shutting down."
+ :window window :parent exwm--root :x 0 :y 0))
+ (xcb:+request exwm--connection
+ (make-instance 'xcb:DestroyWindow :window container))))
++ (when (exwm-layout--fullscreen-p)
++ (let ((window (get-buffer-window)))
++ (when window
++ (set-window-dedicated-p window nil))))
+ (exwm-manage--set-client-list)
+ (xcb:flush exwm--connection))
+ (let ((kill-buffer-func
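Review bot: The added `(get-buffer-window)` call in `exwm-manage--unmanage-window` passes no ALL-FRAMES argument, so it only looks for a window showing the current buffer on the selected frame. If the full screen X window is displayed on a different frame, `window` would be nil and the buffer's window stays dedicated, which is the case this patch sets out to fix. Consider `(get-buffer-window nil t)` and a one-line comment saying that the current buffer is expected to be the X window's buffer at this point. The enclosing function starts and ends outside the hunk, so whether the current buffer is set that way cannot be confirmed from here.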
diff --git a/gnu/packages/patches/irrlicht-use-system-libs.patch b/gnu/packages/patches/irrlicht-use-system-libs.patch
new file mode 100644
index 0000000000..e764f411d3
--- /dev/null
+++ b/gnu/packages/patches/irrlicht-use-system-libs.patch
@@ -0,0 +1,202 @@
+This patch is a combination of the two following patches with minor
+changes to the install code
+https://sources.debian.org/src/irrlicht/1.8.4+dfsg1-1/debian/patches/debian/link-against-needed-libs.diff/
+https://sources.debian.org/src/irrlicht/1.8.4+dfsg1-1/debian/patches/debian/use-system-libs.diff/
+
+
+---
+ include/IrrCompileConfig.h | 26 +++++++++------------
+ source/Irrlicht/CIrrDeviceLinux.h | 2 +-
+ source/Irrlicht/COpenGLExtensionHandler.h | 8 +++----
+ source/Irrlicht/COpenGLSLMaterialRenderer.h | 2 +-
+ source/Irrlicht/Makefile | 15 ++++++------
+ 5 files changed, 25 insertions(+), 28 deletions(-)
+
+diff --git a/include/IrrCompileConfig.h b/include/IrrCompileConfig.h
+index 6bb0589..2216353 100644
+--- a/include/IrrCompileConfig.h
++++ b/include/IrrCompileConfig.h
+@@ -238,6 +238,17 @@ for Windows based systems. You also have to set #define UNICODE for this to comp
+ #undef _IRR_WCHAR_FILESYSTEM
+ #endif
+
++//! Define _IRR_COMPILE_WITH_ZLIB_ to enable compiling the engine using zlib.
++/** This enables the engine to read from compressed .zip archives. If you
++disable this feature, the engine can still read archives, but only uncompressed
++ones. */
++#define _IRR_COMPILE_WITH_ZLIB_
++
++//! Define _IRR_USE_NON_SYSTEM_ZLIB_ to let irrlicht use the zlib which comes with irrlicht.
++/** If this is commented out, Irrlicht will try to compile using the zlib installed in the system.
++ This is only used when _IRR_COMPILE_WITH_ZLIB_ is defined. */
++#undef _IRR_USE_NON_SYSTEM_ZLIB_
++
+ //! Define _IRR_COMPILE_WITH_JPEGLIB_ to enable compiling the engine using libjpeg.
+ /** This enables the engine to read jpeg images. If you comment this out,
+ the engine will no longer read .jpeg images. */
+@@ -249,10 +260,7 @@ the engine will no longer read .jpeg images. */
+ //! Define _IRR_USE_NON_SYSTEM_JPEG_LIB_ to let irrlicht use the jpeglib which comes with irrlicht.
+ /** If this is commented out, Irrlicht will try to compile using the jpeg lib installed in the system.
+ This is only used when _IRR_COMPILE_WITH_LIBJPEG_ is defined. */
+-#define _IRR_USE_NON_SYSTEM_JPEG_LIB_
+-#ifdef NO_IRR_USE_NON_SYSTEM_JPEG_LIB_
+ #undef _IRR_USE_NON_SYSTEM_JPEG_LIB_
+-#endif
+
+ //! Define _IRR_COMPILE_WITH_LIBPNG_ to enable compiling the engine using libpng.
+ /** This enables the engine to read png images. If you comment this out,
+@@ -265,10 +273,7 @@ the engine will no longer read .png images. */
+ //! Define _IRR_USE_NON_SYSTEM_LIBPNG_ to let irrlicht use the libpng which comes with irrlicht.
+ /** If this is commented out, Irrlicht will try to compile using the libpng installed in the system.
+ This is only used when _IRR_COMPILE_WITH_LIBPNG_ is defined. */
+-#define _IRR_USE_NON_SYSTEM_LIB_PNG_
+-#ifdef NO_IRR_USE_NON_SYSTEM_LIB_PNG_
+ #undef _IRR_USE_NON_SYSTEM_LIB_PNG_
+-#endif
+
+ //! Define _IRR_D3D_NO_SHADER_DEBUGGING to disable shader debugging in D3D9
+ /** If _IRR_D3D_NO_SHADER_DEBUGGING is undefined in IrrCompileConfig.h,
+@@ -602,10 +607,7 @@ ones. */
+ /** If this is commented out, Irrlicht will try to compile using the zlib
+ installed on the system. This is only used when _IRR_COMPILE_WITH_ZLIB_ is
+ defined. */
+-#define _IRR_USE_NON_SYSTEM_ZLIB_
+-#ifdef NO_IRR_USE_NON_SYSTEM_ZLIB_
+ #undef _IRR_USE_NON_SYSTEM_ZLIB_
+-#endif
+ //! Define _IRR_COMPILE_WITH_ZIP_ENCRYPTION_ if you want to read AES-encrypted ZIP archives
+ #define _IRR_COMPILE_WITH_ZIP_ENCRYPTION_
+ #ifdef NO_IRR_COMPILE_WITH_ZIP_ENCRYPTION_
+@@ -623,18 +625,12 @@ library. */
+ /** If this is commented out, Irrlicht will try to compile using the bzlib
+ installed on the system. This is only used when _IRR_COMPILE_WITH_BZLIB_ is
+ defined. */
+-#define _IRR_USE_NON_SYSTEM_BZLIB_
+-#ifdef NO_IRR_USE_NON_SYSTEM_BZLIB_
+ #undef _IRR_USE_NON_SYSTEM_BZLIB_
+-#endif
+ //! Define _IRR_COMPILE_WITH_LZMA_ if you want to use LZMA compressed zip files.
+ /** LZMA is a very efficient compression code, known from 7zip. Irrlicht
+ currently only supports zip archives, though. */
+-#define _IRR_COMPILE_WITH_LZMA_
+-#ifdef NO_IRR_COMPILE_WITH_LZMA_
+ #undef _IRR_COMPILE_WITH_LZMA_
+ #endif
+-#endif
+
+ //! Define __IRR_COMPILE_WITH_MOUNT_ARCHIVE_LOADER_ if you want to mount folders as archives
+ #define __IRR_COMPILE_WITH_MOUNT_ARCHIVE_LOADER_
+diff --git a/source/Irrlicht/CIrrDeviceLinux.h b/source/Irrlicht/CIrrDeviceLinux.h
+index 4d2a2c6..8cf24ba 100644
+--- a/source/Irrlicht/CIrrDeviceLinux.h
++++ b/source/Irrlicht/CIrrDeviceLinux.h
+@@ -22,7 +22,7 @@
+ #define GLX_GLXEXT_LEGACY 1
+ #include <GL/glx.h>
+ #ifdef _IRR_OPENGL_USE_EXTPOINTER_
+-#include "glxext.h"
++#include <GL/glxext.h>
+ #endif
+ #endif
+
+diff --git a/source/Irrlicht/COpenGLExtensionHandler.h b/source/Irrlicht/COpenGLExtensionHandler.h
+index 1b77bad..3886a0e 100644
+--- a/source/Irrlicht/COpenGLExtensionHandler.h
++++ b/source/Irrlicht/COpenGLExtensionHandler.h
+@@ -35,7 +35,7 @@
+ #endif
+ #include <OpenGL/gl.h>
+ #if defined(_IRR_OPENGL_USE_EXTPOINTER_)
+- #include "glext.h"
++ #include <GL/glext.h>
+ #endif
+ #elif defined(_IRR_COMPILE_WITH_SDL_DEVICE_) && !defined(_IRR_COMPILE_WITH_X11_DEVICE_)
+ #if defined(_IRR_OPENGL_USE_EXTPOINTER_)
+@@ -48,7 +48,7 @@
+ #define NO_SDL_GLEXT
+ #include <SDL/SDL_video.h>
+ #include <SDL/SDL_opengl.h>
+- #include "glext.h"
++ #include <GL/glext.h>
+ #else
+ #if defined(_IRR_OPENGL_USE_EXTPOINTER_)
+ #define GL_GLEXT_LEGACY 1
+@@ -60,9 +60,9 @@
+ #include <GL/gl.h>
+ #include <GL/glx.h>
+ #if defined(_IRR_OPENGL_USE_EXTPOINTER_)
+- #include "glext.h"
++ #include <GL/glext.h>
+ #undef GLX_ARB_get_proc_address // avoid problems with local glxext.h
+- #include "glxext.h"
++ #include <GL/glxext.h>
+ #endif
+ #endif
+
+diff --git a/source/Irrlicht/COpenGLSLMaterialRenderer.h b/source/Irrlicht/COpenGLSLMaterialRenderer.h
+index ff71150..f8a6007 100644
+--- a/source/Irrlicht/COpenGLSLMaterialRenderer.h
++++ b/source/Irrlicht/COpenGLSLMaterialRenderer.h
+@@ -25,7 +25,7 @@
+ #include <GL/gl.h>
+ #endif
+ #if defined(_IRR_OPENGL_USE_EXTPOINTER_)
+- #include "glext.h"
++ #include <GL/glext.h>
+ #endif
+ #endif
+
+diff --git a/source/Irrlicht/Makefile b/source/Irrlicht/Makefile
+index 67a3899..d9ea7f3 100644
+--- a/source/Irrlicht/Makefile
++++ b/source/Irrlicht/Makefile
+@@ -43,7 +43,7 @@ IRRIMAGEOBJ = CColorConverter.o CImage.o CImageLoaderBMP.o CImageLoaderDDS.o CIm
+ CImageWriterBMP.o CImageWriterJPG.o CImageWriterPCX.o CImageWriterPNG.o CImageWriterPPM.o CImageWriterPSD.o CImageWriterTGA.o
+ IRRVIDEOOBJ = CVideoModeList.o CFPSCounter.o $(IRRDRVROBJ) $(IRRIMAGEOBJ)
+ IRRSWRENDEROBJ = CSoftwareDriver.o CSoftwareTexture.o CTRFlat.o CTRFlatWire.o CTRGouraud.o CTRGouraudWire.o CTRNormalMap.o CTRStencilShadow.o CTRTextureFlat.o CTRTextureFlatWire.o CTRTextureGouraud.o CTRTextureGouraudAdd.o CTRTextureGouraudNoZ.o CTRTextureGouraudWire.o CZBuffer.o CTRTextureGouraudVertexAlpha2.o CTRTextureGouraudNoZ2.o CTRTextureLightMap2_M2.o CTRTextureLightMap2_M4.o CTRTextureLightMap2_M1.o CSoftwareDriver2.o CSoftwareTexture2.o CTRTextureGouraud2.o CTRGouraud2.o CTRGouraudAlpha2.o CTRGouraudAlphaNoZ2.o CTRTextureDetailMap2.o CTRTextureGouraudAdd2.o CTRTextureGouraudAddNoZ2.o CTRTextureWire2.o CTRTextureLightMap2_Add.o CTRTextureLightMapGouraud2_M4.o IBurningShader.o CTRTextureBlend.o CTRTextureGouraudAlpha.o CTRTextureGouraudAlphaNoZ.o CDepthBuffer.o CBurningShader_Raster_Reference.o
+-IRRIOOBJ = CFileList.o CFileSystem.o CLimitReadFile.o CMemoryFile.o CReadFile.o CWriteFile.o CXMLReader.o CXMLWriter.o CWADReader.o CZipReader.o CPakReader.o CNPKReader.o CTarReader.o CMountPointReader.o irrXML.o CAttributes.o lzma/LzmaDec.o
++IRRIOOBJ = CFileList.o CFileSystem.o CLimitReadFile.o CMemoryFile.o CReadFile.o CWriteFile.o CXMLReader.o CXMLWriter.o CWADReader.o CZipReader.o CPakReader.o CNPKReader.o CTarReader.o CMountPointReader.o irrXML.o CAttributes.o
+ IRROTHEROBJ = CIrrDeviceSDL.o CIrrDeviceLinux.o CIrrDeviceConsole.o CIrrDeviceStub.o CIrrDeviceWin32.o CIrrDeviceFB.o CLogger.o COSOperator.o Irrlicht.o os.o
+ IRRGUIOBJ = CGUIButton.o CGUICheckBox.o CGUIComboBox.o CGUIContextMenu.o CGUIEditBox.o CGUIEnvironment.o CGUIFileOpenDialog.o CGUIFont.o CGUIImage.o CGUIInOutFader.o CGUIListBox.o CGUIMenu.o CGUIMeshViewer.o CGUIMessageBox.o CGUIModalScreen.o CGUIScrollBar.o CGUISpinBox.o CGUISkin.o CGUIStaticText.o CGUITabControl.o CGUITable.o CGUIToolBar.o CGUIWindow.o CGUIColorSelectDialog.o CDefaultGUIElementFactory.o CGUISpriteBank.o CGUIImageList.o CGUITreeView.o
+ ZLIBOBJ = zlib/adler32.o zlib/compress.o zlib/crc32.o zlib/deflate.o zlib/inffast.o zlib/inflate.o zlib/inftrees.o zlib/trees.o zlib/uncompr.o zlib/zutil.o
+@@ -56,14 +56,14 @@ BZIP2OBJ = bzip2/blocksort.o bzip2/huffman.o bzip2/crctable.o bzip2/randtable.o
+ EXTRAOBJ =
+ LINKOBJ = $(IRRMESHOBJ) $(IRROBJ) $(IRRPARTICLEOBJ) $(IRRANIMOBJ) \
+ $(IRRVIDEOOBJ) $(IRRSWRENDEROBJ) $(IRRIOOBJ) $(IRROTHEROBJ) \
+- $(IRRGUIOBJ) $(ZLIBOBJ) $(JPEGLIBOBJ) $(LIBPNGOBJ) $(LIBAESGM) \
+- $(BZIP2OBJ) $(EXTRAOBJ)
++ $(IRRGUIOBJ) $(LIBAESGM) \
++ $(EXTRAOBJ)
+
+ ###############
+ #Compiler flags
+-CXXINCS = -I../../include -Izlib -Ijpeglib -Ilibpng
++CXXINCS = -I../../include # -Izlib -Ijpeglib -Ilibpng
+ CPPFLAGS += $(CXXINCS) -DIRRLICHT_EXPORTS=1
+-CXXFLAGS += -Wall -pipe -fno-exceptions -fno-rtti -fstrict-aliasing
++CXXFLAGS += -Wall -pipe -fno-exceptions -fstrict-aliasing
+ ifndef NDEBUG
+ CXXFLAGS += -g -D_DEBUG
+ else
+@@ -88,7 +88,7 @@ STATIC_LIB = libIrrlicht.a
+ LIB_PATH = ../../lib/$(SYSTEM)
+ INSTALL_DIR = /usr/local/lib
+ sharedlib install: SHARED_LIB = libIrrlicht.so
+-sharedlib: LDFLAGS += -L/usr/X11R6/lib$(LIBSELECT) -lGL -lXxf86vm
++staticlib sharedlib: LDFLAGS += -L/usr/X11R6/lib$(LIBSELECT) -lGL -lXxf86vm -lX11 -lz -lpng -ljpeg -lbz2
+ staticlib sharedlib: CXXINCS += -I/usr/X11R6/include
+
+ #OSX specific options
+@@ -153,7 +153,8 @@ install install_osx:
+ $(RM) -r $(INSTALL_DIR)/../include/irrlicht
+ mkdir -p $(INSTALL_DIR)/../include/irrlicht
+ cp ../../include/*.h $(INSTALL_DIR)/../include/irrlicht/
+- cp $(LIB_PATH)/$(SHARED_FULLNAME) $(INSTALL_DIR)
++ cp $(LIB_PATH)/$(SHARED_FULLNAME) $(INSTALL_DIR) || true
++ cp $(LIB_PATH)/$(STATIC_LIB) $(INSTALL_DIR) || true
+ cd $(INSTALL_DIR) && ln -s -f $(SHARED_FULLNAME) $(SONAME)
+ cd $(INSTALL_DIR) && ln -s -f $(SONAME) $(SHARED_LIB)
+ # ldconfig -n $(INSTALL_DIR)
+--
+2.18.0
+
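Review bot: In the `install install_osx:` recipe of source/Irrlicht/Makefile, both `cp` lines now end in `|| true`, so the install succeeds even when neither the shared nor the static library was copied. The `ln -s -f` lines that follow would then leave dangling symlinks in `$(INSTALL_DIR)`. Testing for each file keeps a real copy failure fatal, e.g. `[ ! -f $(LIB_PATH)/$(STATIC_LIB) ] || cp $(LIB_PATH)/$(STATIC_LIB) $(INSTALL_DIR)`, and likewise for `$(SHARED_FULLNAME)`. Separately, `ZLIBOBJ` and `BZIP2OBJ` remain defined although `LINKOBJ` no longer uses them; whether the bundled zlib, libpng, jpeglib and bzip2 sources are removed from the tree is not visible in this patch, and a header note saying so would make it clear that only the system copies can end up in the build.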
diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch
new file mode 100644
index 0000000000..7eab7101f1
--- /dev/null
+++ b/gnu/packages/patches/lxc-CVE-2018-6556.patch
@@ -0,0 +1,116 @@
+Fix CVE-2018-6556:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
+https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
+
+Patch copied from upstream source repository:
+
+https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
+
+From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c | 12 ++++++++++++
+ src/lxc/utils.h | 5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index ec9cd97e0..c5beb6c8d 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
+ exit(EXIT_FAILURE);
+ }
+ } else if (request == LXC_USERNIC_DELETE) {
+- netns_fd = open(args.pid, O_RDONLY);
++ char opath[LXC_PROC_PID_FD_LEN];
++
++ /* Open the path with O_PATH which will not trigger an actual
++ * open(). Don't report an errno to the caller to not leak
++ * information whether the path exists or not.
++ * When stracing setuid is stripped so this is not a concern
++ * either.
++ */
++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ if (netns_fd < 0) {
+- usernic_error("Could not open \"%s\": %s\n", args.pid,
+- strerror(errno));
++ usernic_error("Failed to open \"%s\"\n", args.pid);
++ exit(EXIT_FAILURE);
++ }
++
++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ /* Now get an fd that we can use in setns() calls. */
++ ret = open(opath, O_RDONLY | O_CLOEXEC);
++ if (ret < 0) {
++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++ close(netns_fd);
+ exit(EXIT_FAILURE);
+ }
++ close(netns_fd);
++ netns_fd = ret;
+ }
+
+ if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 530b1f81a..3b854e35b 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+ return has_type;
+ }
+
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++ int ret;
++ struct statfs sb;
++
++ ret = fstatfs(fd, &sb);
++ if (ret < 0)
++ return false;
++
++ return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 6a0bebded..0805f5d0d 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -95,6 +95,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
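Review bot: The `fhas_fs_type(netns_fd, NSFS_MAGIC)` check in the `LXC_USERNIC_DELETE` branch of `main()` establishes only that the path lives on nsfs, so a mount, PID or user namespace file would pass it too, while the error text speaks of a network namespace path. Whether the later `setns()` call restricts the namespace type (for example with `CLONE_NEWNET`) lies outside this hunk and should be confirmed, since the in-code comment indicates this helper runs setuid. The new `fhas_fs_type()` in utils.c has no comment; something like `/* fstatfs() the fd and compare its filesystem type with magic_val via is_fs_type(); returns false if fstatfs() fails. */` would document the fail-closed behaviour. The `snprintf` failure path also exits without a `usernic_error()` call, unlike the branches around it.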
diff --git a/gnu/packages/patches/mariadb-client-test-32bit.patch b/gnu/packages/patches/mariadb-client-test-32bit.patch
new file mode 100644
index 0000000000..02017e324d
--- /dev/null
+++ b/gnu/packages/patches/mariadb-client-test-32bit.patch
@@ -0,0 +1,37 @@
+From 93efa48a7b972fc463406603574a4d508eefe792 Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Sun, 13 May 2018 18:50:21 +0200
+Subject: [PATCH] fix failing main.mysql_client_test test on 32bit
+
+in `ulonglong=ulong*uint` multiplication
+is done in ulong, wrapping around on 32bit.
+
+This became visible after C/C changed the
+default charset to utf8, thus changing
+mbmaxlem from 1 to 3.
+---
+ tests/mysql_client_fw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/mysql_client_fw.c b/tests/mysql_client_fw.c
+index f69eb28a2871..4d036887629a 100644
+--- a/tests/mysql_client_fw.c
++++ b/tests/mysql_client_fw.c
+@@ -768,7 +768,7 @@ static void do_verify_prepare_field(MYSQL_RES *result,
+ {
+ MYSQL_FIELD *field;
+ CHARSET_INFO *cs;
+- ulonglong expected_field_length;
++ ulonglong expected_field_length= length;
+
+ if (!(field= mysql_fetch_field_direct(result, no)))
+ {
+@@ -777,7 +777,7 @@ static void do_verify_prepare_field(MYSQL_RES *result,
+ }
+ cs= get_charset(field->charsetnr, 0);
+ DIE_UNLESS(cs);
+- if ((expected_field_length= length * cs->mbmaxlen) > UINT_MAX32)
++ if ((expected_field_length*= cs->mbmaxlen) > UINT_MAX32)
+ expected_field_length= UINT_MAX32;
+ if (!opt_silent)
+ {
diff --git a/gnu/packages/patches/meson-for-build-rpath.patch b/gnu/packages/patches/meson-for-build-rpath.patch
index 04c07d05bf..ef9a73f07c 100644
--- a/gnu/packages/patches/meson-for-build-rpath.patch
+++ b/gnu/packages/patches/meson-for-build-rpath.patch
@@ -2,8 +2,7 @@ This patch removes a part of meson that clears the rpath upon installation.
This will only be applied to a special version of meson, used for the
meson-build-system.
-Patch for Meson 0.42.0 by Peter Mikkelsen <petermikkelsen10@gmail.com>
-Adjusted for Meson 0.47.1 by Ricardo Wurmus <rekado@elephly.net>
+Original patch for Meson 0.42.0 by Peter Mikkelsen <petermikkelsen10@gmail.com>
--- meson-0.47.1/mesonbuild/minstall.py.old 2018-08-10 11:01:27.812327013 +0200
+++ meson-0.47.1/mesonbuild/minstall.py 2018-08-10 11:01:51.940368505 +0200
diff --git a/gnu/packages/patches/openblas-fix-tests-i686.patch b/gnu/packages/patches/openblas-fix-tests-i686.patch
deleted file mode 100644
index 3325546ea3..0000000000
--- a/gnu/packages/patches/openblas-fix-tests-i686.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Fix a test failure on some i686 systems:
-
-https://github.com/xianyi/OpenBLAS/issues/1575
-
-This patch is a squashed version of these commits:
-
-https://github.com/xianyi/OpenBLAS/pull/1583
-
-diff --git a/kernel/x86/KERNEL.NEHALEM b/kernel/x86/KERNEL.NEHALEM
-index 835520ef..65b03ae5 100644
---- a/kernel/x86/KERNEL.NEHALEM
-+++ b/kernel/x86/KERNEL.NEHALEM
-@@ -1,3 +1 @@
- include $(KERNELDIR)/KERNEL.PENRYN
--SSWAPKERNEL = ../arm/swap.c
--DSWAPKERNEL = ../arm/swap.c
-diff --git a/kernel/x86/swap.S b/kernel/x86/swap.S
-index 54b00b33..e30c2789 100644
---- a/kernel/x86/swap.S
-+++ b/kernel/x86/swap.S
-@@ -138,6 +138,14 @@
- /* INCX != 1 or INCY != 1 */
-
- .L14:
-+ cmpl $0, %ebx
-+ jne .L141
-+ cmpl $0, %ecx
-+ jne .L141
-+/* INCX == 0 and INCY == 0 */
-+ jmp .L27
-+
-+.L141:
- movl %edx, %eax
- sarl $2, %eax
- jle .L28
diff --git a/gnu/packages/patches/polkit-drop-test.patch b/gnu/packages/patches/polkit-drop-test.patch
deleted file mode 100644
index 2fd0c8bdf6..0000000000
--- a/gnu/packages/patches/polkit-drop-test.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Drop test failing with the following message:
-FAIL: polkitbackendjsauthoritytest
-==================================
-/PolkitBackendJsAuthority/get_admin_identities: Error getting system bus: Could not connect: No such file or directoryError loading /var/run/ConsoleKit/database: Error statting file /var/run/ConsoleKit/database: No such file or directory
-
-
-diff -ru polkit-0.112.old/test/Makefile.in polkit-0.112/test/Makefile.in
---- polkit-0.112.old/test/Makefile.in 2013-07-08 22:52:13.000000000 +0200
-+++ polkit-0.112/test/Makefile.in 2014-11-09 18:43:47.000000000 +0100
-@@ -388,7 +388,7 @@
- top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
--SUBDIRS = mocklibc . polkit polkitbackend
-+SUBDIRS = mocklibc . polkit
- AM_CFLAGS = $(GLIB_CFLAGS)
- noinst_LTLIBRARIES = libpolkit-test-helper.la
- libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h
diff --git a/gnu/packages/patches/pulseaudio-glibc-2.27.patch b/gnu/packages/patches/pulseaudio-glibc-2.27.patch
deleted file mode 100644
index 79d86abeee..0000000000
--- a/gnu/packages/patches/pulseaudio-glibc-2.27.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Copied from:
-https://cgit.freedesktop.org/pulseaudio/pulseaudio/commit/?id=dfb0460fb4743aec047cdf755a660a9ac2d0f3fb
-
-
-From dfb0460fb4743aec047cdf755a660a9ac2d0f3fb Mon Sep 17 00:00:00 2001
-From: Tanu Kaskinen <tanuk@iki.fi>
-Date: Wed, 24 Jan 2018 03:51:49 +0200
-Subject: [PATCH] memfd-wrappers: only define memfd_create() if not already
- defined
-
-glibc 2.27 is to be released soon, and it will provide memfd_create().
-If glibc provides the function, we must not define it ourselves,
-otherwise building fails due to conflict between the two implementations
-of the same function.
-
-BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=104733
----
- configure.ac | 3 +++
- src/pulsecore/memfd-wrappers.h | 7 ++++---
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0084c86e..0eb44b08 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -610,6 +610,9 @@ AS_IF([test "x$enable_memfd" = "xyes" && test "x$HAVE_MEMFD" = "x0"],
- [AC_MSG_ERROR([*** Your Linux kernel does not support memfd shared memory.
- *** Use linux v3.17 or higher for such a feature.])])
-
-+AS_IF([test "x$HAVE_MEMFD" = "x1"],
-+ AC_CHECK_FUNCS([memfd_create]))
-+
- AC_SUBST(HAVE_MEMFD)
- AM_CONDITIONAL([HAVE_MEMFD], [test "x$HAVE_MEMFD" = x1])
- AS_IF([test "x$HAVE_MEMFD" = "x1"], AC_DEFINE([HAVE_MEMFD], 1, [Have memfd shared memory.]))
-diff --git a/src/pulsecore/memfd-wrappers.h b/src/pulsecore/memfd-wrappers.h
-index 3bed9b2b..c7aadfd3 100644
---- a/src/pulsecore/memfd-wrappers.h
-+++ b/src/pulsecore/memfd-wrappers.h
-@@ -20,13 +20,14 @@
- License along with PulseAudio; if not, see <http://www.gnu.org/licenses/>.
- ***/
-
--#ifdef HAVE_MEMFD
-+#if defined(HAVE_MEMFD) && !defined(HAVE_MEMFD_CREATE)
-
- #include <sys/syscall.h>
- #include <fcntl.h>
-
- /*
-- * No glibc wrappers exist for memfd_create(2), so provide our own.
-+ * Before glibc version 2.27 there was no wrapper for memfd_create(2),
-+ * so we have to provide our own.
- *
- * Also define memfd fcntl sealing macros. While they are already
- * defined in the kernel header file <linux/fcntl.h>, that file as
-@@ -63,6 +64,6 @@ static inline int memfd_create(const char *name, unsigned int flags) {
- #define F_SEAL_WRITE 0x0008 /* prevent writes */
- #endif
-
--#endif /* HAVE_MEMFD */
-+#endif /* HAVE_MEMFD && !HAVE_MEMFD_CREATE */
-
- #endif
---
-2.16.2
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch b/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch
new file mode 100644
index 0000000000..d3d5cbc46a
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch
@@ -0,0 +1,53 @@
+Fix CVE-2018-14526:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526
+https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+
+Patch downloaded from upstream:
+
+https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300
++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+
+ if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++ /*
++ * Only decrypt the Key Data field if the frame's authenticity
++ * was verified. When using AES-SIV (FILS), the MIC flag is not
++ * set, so this check should only be performed if mic_len != 0
++ * which is the case in this code branch.
++ */
++ if (!(key_info & WPA_KEY_INFO_MIC)) {
++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++ goto out;
++ }
+ if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ &key_data_len))
+ goto out;
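Review bot: The comment added in `wpa_sm_rx_eapol()` justifies the new `WPA_KEY_INFO_MIC` check by saying `mic_len != 0` holds in this branch, but nothing in the hunk establishes that and most of the function lies outside it. Because this is a rebase onto v2.6, that statement should be checked against the 2.6 tree rather than carried over from the original patch. The `wpa_msg(..., MSG_WARNING, ...)` line is the only trace left when such a frame is dropped, so it would help triage to include the sender, e.g. `"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data from " MACSTR, MAC2STR(src_addr)`, assuming `src_addr` is the parameter name in this version (the signature is truncated in the hunk header).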
diff --git a/gnu/packages/patches/xorg-server-rotate-fb.patch b/gnu/packages/patches/xorg-server-rotate-fb.patch
deleted file mode 100644
index f47036b2a7..0000000000
--- a/gnu/packages/patches/xorg-server-rotate-fb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-commit a85e94a50c94b07574c8701a3ff3c1243f4257f4
-Author: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri Jun 15 08:57:12 2018 +0200
-
- modesetting: use drmmode_bo_import() for rotate_fb
-
- drmmode_shadow_allocate() still uses drmModeAddFB() which may fail if
- the format is not as expected, preventing from using a rotated output.
-
- Change it to use the new function drmmode_bo_import() which takes care
- of calling the drmModeAddFB2() API.
-
- Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=106715
- Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
- Tested-by: Tomas Pelka <tpelka@redhat.com>
- Reviewed-by: Lyude Paul <lyude@redhat.com>
-
-diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
-index 859a21a9d..ec11b3f56 100644
---- a/hw/xfree86/drivers/modesetting/drmmode_display.c
-+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
-@@ -1794,11 +1794,8 @@ drmmode_shadow_allocate(xf86CrtcPtr crtc, int width, int height)
- return NULL;
- }
-
-- ret = drmModeAddFB(drmmode->fd, width, height, crtc->scrn->depth,
-- drmmode->kbpp,
-- drmmode_bo_get_pitch(&drmmode_crtc->rotate_bo),
-- drmmode_bo_get_handle(&drmmode_crtc->rotate_bo),
-- &drmmode_crtc->rotate_fb_id);
-+ ret = drmmode_bo_import(drmmode, &drmmode_crtc->rotate_bo,
-+ &drmmode_crtc->rotate_fb_id);
-
- if (ret) {
- ErrorF("failed to add rotate fb\n");