aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2017-12-19 01:42:40 +0100
committerMarius Bakke <mbakke@fastmail.com>2017-12-19 01:42:40 +0100
commit32cd878be0bb7e153fcaa6f3bfa2632867390ff9 (patch)
treefc1ff93949817c9d172c84d0410ac9225cad57ae /gnu/packages/patches
parent753425610274ccb59cce13490c096027c61621d0 (diff)
parent98bd11cfe7b931e9c6d6bf002a8a225fb7a1025b (diff)
downloadguix-32cd878be0bb7e153fcaa6f3bfa2632867390ff9.tar
guix-32cd878be0bb7e153fcaa6f3bfa2632867390ff9.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/borg-fix-archive-corruption-bug.patch68
-rw-r--r--gnu/packages/patches/eigen-arm-neon-fixes.patch245
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch137
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch28
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch16
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch28
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch195
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch179
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch80
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch72
-rw-r--r--gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch210
-rw-r--r--gnu/packages/patches/jemalloc-arm-address-bits.patch39
-rw-r--r--gnu/packages/patches/libvdpau-va-gl-unbundle.patch35
-rw-r--r--gnu/packages/patches/picprog-non-intel-support.patch74
-rw-r--r--gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch25
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15118.patch58
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15119.patch68
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15268.patch62
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-16548.patch31
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch42
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17433.patch45
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch28
-rw-r--r--gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch39
-rw-r--r--gnu/packages/patches/t1lib-CVE-2011-1552+.patch (renamed from gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch)0
24 files changed, 671 insertions, 1133 deletions
diff --git a/gnu/packages/patches/borg-fix-archive-corruption-bug.patch b/gnu/packages/patches/borg-fix-archive-corruption-bug.patch
new file mode 100644
index 0000000000..0debf119be
--- /dev/null
+++ b/gnu/packages/patches/borg-fix-archive-corruption-bug.patch
@@ -0,0 +1,68 @@
+Fix a bug in `borg check --repair` that corrupts existing archives:
+
+https://github.com/borgbackup/borg/issues/3444
+
+Patches copied from upstream source repository:
+
+https://github.com/borgbackup/borg/commit/e09892caec8a63d59e909518c4e9c230dbd69774
+https://github.com/borgbackup/borg/commit/a68d28bfa4db30561150c83eb6a0dca5efa4d9e8
+
+From a68d28bfa4db30561150c83eb6a0dca5efa4d9e8 Mon Sep 17 00:00:00 2001
+From: Thomas Waldmann <tw@waldmann-edv.de>
+Date: Sat, 16 Dec 2017 01:11:40 +0100
+Subject: [PATCH 1/2] modify borg check unit test so it "hangs", see #3444
+
+it doesn't infinitely hang, but slows down considerably.
+---
+ src/borg/testsuite/archiver.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/borg/testsuite/archiver.py b/src/borg/testsuite/archiver.py
+index c7def2c7..b3383e97 100644
+--- a/src/borg/testsuite/archiver.py
++++ b/src/borg/testsuite/archiver.py
+@@ -3006,7 +3006,7 @@ def test_missing_file_chunk(self):
+ def test_missing_archive_item_chunk(self):
+ archive, repository = self.open_archive('archive1')
+ with repository:
+- repository.delete(archive.metadata.items[-5])
++ repository.delete(archive.metadata.items[0])
+ repository.commit()
+ self.cmd('check', self.repository_location, exit_code=1)
+ self.cmd('check', '--repair', self.repository_location, exit_code=0)
+--
+2.15.1
+
+
+From e09892caec8a63d59e909518c4e9c230dbd69774 Mon Sep 17 00:00:00 2001
+From: Thomas Waldmann <tw@waldmann-edv.de>
+Date: Sat, 16 Dec 2017 01:16:05 +0100
+Subject: [PATCH 2/2] check --repair: fix malfunctioning validator, fixes #3444
+
+the major problem was the ('path' in item) expression.
+the dict has bytes-typed keys there, so it never succeeded as it
+looked for a str key. this is a 1.1 regression, 1.0 was fine.
+
+the dict -> StableDict change is just for being more specific,
+the check triggered correctly as StableDict subclasses dict,
+it was just a bit too general.
+---
+ src/borg/archive.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/borg/archive.py b/src/borg/archive.py
+index 239d00b7..be086800 100644
+--- a/src/borg/archive.py
++++ b/src/borg/archive.py
+@@ -1457,7 +1457,7 @@ def robust_iterator(archive):
+ """
+ item_keys = frozenset(key.encode() for key in self.manifest.item_keys)
+ required_item_keys = frozenset(key.encode() for key in REQUIRED_ITEM_KEYS)
+- unpacker = RobustUnpacker(lambda item: isinstance(item, dict) and 'path' in item,
++ unpacker = RobustUnpacker(lambda item: isinstance(item, StableDict) and b'path' in item,
+ self.manifest.item_keys)
+ _state = 0
+
+--
+2.15.1
+
diff --git a/gnu/packages/patches/eigen-arm-neon-fixes.patch b/gnu/packages/patches/eigen-arm-neon-fixes.patch
new file mode 100644
index 0000000000..0838f30463
--- /dev/null
+++ b/gnu/packages/patches/eigen-arm-neon-fixes.patch
@@ -0,0 +1,245 @@
+# HG changeset patch
+# User Gael Guennebaud <g.gael@free.fr>
+# Date 1497514590 -7200
+# Node ID d781c1de98342c5ca29c2fe719d8d3c96a35dcd4
+# Parent 48cd83b2b459aa9f3f5dca135d38760fe0b02a2f
+Bug 1436: fix compilation of Jacobi rotations with ARM NEON, some specializations of internal::conj_helper were missing.
+
+diff --git a/Eigen/Core b/Eigen/Core
+--- a/Eigen/Core
++++ b/Eigen/Core
+@@ -371,6 +371,7 @@
+ #include "src/Core/MathFunctions.h"
+ #include "src/Core/GenericPacketMath.h"
+ #include "src/Core/MathFunctionsImpl.h"
++#include "src/Core/arch/Default/ConjHelper.h"
+
+ #if defined EIGEN_VECTORIZE_AVX512
+ #include "src/Core/arch/SSE/PacketMath.h"
+diff --git a/Eigen/src/Core/arch/AVX/Complex.h b/Eigen/src/Core/arch/AVX/Complex.h
+--- a/Eigen/src/Core/arch/AVX/Complex.h
++++ b/Eigen/src/Core/arch/AVX/Complex.h
+@@ -204,23 +204,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet8f, Packet4cf, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet4cf pmadd(const Packet8f& x, const Packet4cf& y, const Packet4cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet4cf pmul(const Packet8f& x, const Packet4cf& y) const
+- { return Packet4cf(Eigen::internal::pmul(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet4cf, Packet8f, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet4cf pmadd(const Packet4cf& x, const Packet8f& y, const Packet4cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet4cf pmul(const Packet4cf& x, const Packet8f& y) const
+- { return Packet4cf(Eigen::internal::pmul(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet4cf,Packet8f)
+
+ template<> EIGEN_STRONG_INLINE Packet4cf pdiv<Packet4cf>(const Packet4cf& a, const Packet4cf& b)
+ {
+@@ -400,23 +384,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet4d, Packet2cd, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cd pmadd(const Packet4d& x, const Packet2cd& y, const Packet2cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cd pmul(const Packet4d& x, const Packet2cd& y) const
+- { return Packet2cd(Eigen::internal::pmul(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet2cd, Packet4d, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cd pmadd(const Packet2cd& x, const Packet4d& y, const Packet2cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cd pmul(const Packet2cd& x, const Packet4d& y) const
+- { return Packet2cd(Eigen::internal::pmul(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cd,Packet4d)
+
+ template<> EIGEN_STRONG_INLINE Packet2cd pdiv<Packet2cd>(const Packet2cd& a, const Packet2cd& b)
+ {
+diff --git a/Eigen/src/Core/arch/AltiVec/Complex.h b/Eigen/src/Core/arch/AltiVec/Complex.h
+--- a/Eigen/src/Core/arch/AltiVec/Complex.h
++++ b/Eigen/src/Core/arch/AltiVec/Complex.h
+@@ -224,23 +224,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet4f, Packet2cf, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet4f& x, const Packet2cf& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet4f& x, const Packet2cf& y) const
+- { return Packet2cf(internal::pmul<Packet4f>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet2cf, Packet4f, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet2cf& x, const Packet4f& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet2cf& x, const Packet4f& y) const
+- { return Packet2cf(internal::pmul<Packet4f>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
+
+ template<> EIGEN_STRONG_INLINE Packet2cf pdiv<Packet2cf>(const Packet2cf& a, const Packet2cf& b)
+ {
+@@ -416,23 +400,8 @@
+ return pconj(internal::pmul(a, b));
+ }
+ };
+-template<> struct conj_helper<Packet2d, Packet1cd, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet2d& x, const Packet1cd& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet2d& x, const Packet1cd& y) const
+- { return Packet1cd(internal::pmul<Packet2d>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet1cd, Packet2d, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet1cd& x, const Packet2d& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet1cd& x, const Packet2d& y) const
+- { return Packet1cd(internal::pmul<Packet2d>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
+
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+diff --git a/Eigen/src/Core/arch/Default/ConjHelper.h b/Eigen/src/Core/arch/Default/ConjHelper.h
+new file mode 100644
+--- /dev/null
++++ b/Eigen/src/Core/arch/Default/ConjHelper.h
+@@ -0,0 +1,29 @@
++
++// This file is part of Eigen, a lightweight C++ template library
++// for linear algebra.
++//
++// Copyright (C) 2017 Gael Guennebaud <gael.guennebaud@inria.fr>
++//
++// This Source Code Form is subject to the terms of the Mozilla
++// Public License v. 2.0. If a copy of the MPL was not distributed
++// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++#ifndef EIGEN_ARCH_CONJ_HELPER_H
++#define EIGEN_ARCH_CONJ_HELPER_H
++
++#define EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(PACKET_CPLX, PACKET_REAL) \
++ template<> struct conj_helper<PACKET_REAL, PACKET_CPLX, false,false> { \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmadd(const PACKET_REAL& x, const PACKET_CPLX& y, const PACKET_CPLX& c) const \
++ { return padd(c, pmul(x,y)); } \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmul(const PACKET_REAL& x, const PACKET_CPLX& y) const \
++ { return PACKET_CPLX(Eigen::internal::pmul<PACKET_REAL>(x, y.v)); } \
++ }; \
++ \
++ template<> struct conj_helper<PACKET_CPLX, PACKET_REAL, false,false> { \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmadd(const PACKET_CPLX& x, const PACKET_REAL& y, const PACKET_CPLX& c) const \
++ { return padd(c, pmul(x,y)); } \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmul(const PACKET_CPLX& x, const PACKET_REAL& y) const \
++ { return PACKET_CPLX(Eigen::internal::pmul<PACKET_REAL>(x.v, y)); } \
++ };
++
++#endif // EIGEN_ARCH_CONJ_HELPER_H
+diff --git a/Eigen/src/Core/arch/NEON/Complex.h b/Eigen/src/Core/arch/NEON/Complex.h
+--- a/Eigen/src/Core/arch/NEON/Complex.h
++++ b/Eigen/src/Core/arch/NEON/Complex.h
+@@ -265,6 +265,8 @@
+ }
+ };
+
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
++
+ template<> EIGEN_STRONG_INLINE Packet2cf pdiv<Packet2cf>(const Packet2cf& a, const Packet2cf& b)
+ {
+ // TODO optimize it for NEON
+@@ -456,6 +458,8 @@
+ }
+ };
+
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
++
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+ // TODO optimize it for NEON
+diff --git a/Eigen/src/Core/arch/SSE/Complex.h b/Eigen/src/Core/arch/SSE/Complex.h
+--- a/Eigen/src/Core/arch/SSE/Complex.h
++++ b/Eigen/src/Core/arch/SSE/Complex.h
+@@ -229,23 +229,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet4f, Packet2cf, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet4f& x, const Packet2cf& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet4f& x, const Packet2cf& y) const
+- { return Packet2cf(Eigen::internal::pmul<Packet4f>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet2cf, Packet4f, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet2cf& x, const Packet4f& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet2cf& x, const Packet4f& y) const
+- { return Packet2cf(Eigen::internal::pmul<Packet4f>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
+
+ template<> EIGEN_STRONG_INLINE Packet2cf pdiv<Packet2cf>(const Packet2cf& a, const Packet2cf& b)
+ {
+@@ -430,23 +414,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet2d, Packet1cd, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet2d& x, const Packet1cd& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet2d& x, const Packet1cd& y) const
+- { return Packet1cd(Eigen::internal::pmul<Packet2d>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet1cd, Packet2d, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet1cd& x, const Packet2d& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet1cd& x, const Packet2d& y) const
+- { return Packet1cd(Eigen::internal::pmul<Packet2d>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
+
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+diff --git a/Eigen/src/Core/arch/ZVector/Complex.h b/Eigen/src/Core/arch/ZVector/Complex.h
+--- a/Eigen/src/Core/arch/ZVector/Complex.h
++++ b/Eigen/src/Core/arch/ZVector/Complex.h
+@@ -336,6 +336,9 @@
+ }
+ };
+
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
++
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+ // TODO optimize it for AltiVec
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
deleted file mode 100644
index dbcaea1343..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-http://www.openwall.com/lists/oss-security/2017/09/01/6
-
-CVE-2017-11403:
-http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
-
-CVE-2017-14103:
-http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1503875721 14400
-# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
-# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
-Attempt to fix Issue 440.
-
-diff -ru a/coders/png.c b/coders/png.c
---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
-+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
-@@ -3106,7 +3106,9 @@
- if (length > PNG_MAX_UINT || count == 0)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,CorruptImage,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "chunk length (%lu) > PNG_MAX_UINT",length);
-+ return ((Image*)NULL);
- }
-
- chunk=(unsigned char *) NULL;
-@@ -3117,13 +3119,16 @@
- if (chunk == (unsigned char *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-- image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Could not allocate chunk memory");
-+ return ((Image*)NULL);
- }
- if (ReadBlob(image,length,chunk) < length)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,CorruptImage,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " chunk reading was incomplete");
-+ return ((Image*)NULL);
- }
- p=chunk;
- }
-@@ -3198,7 +3203,7 @@
- jng_width, jng_height);
- MagickFreeMemory(chunk);
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ return ((Image *)NULL);
- }
-
- /* Temporarily set width and height resources to match JHDR */
-@@ -3233,8 +3238,9 @@
- if (color_image == (Image *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-- image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not open color_image blob");
-+ return ((Image *)NULL);
- }
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-@@ -3245,7 +3251,9 @@
- if (status == MagickFalse)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not open color_image blob");
-+ return ((Image *)NULL);
- }
-
- if (!image_info->ping && jng_color_type >= 12)
-@@ -3255,17 +3263,18 @@
- if (alpha_image_info == (ImageInfo *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,
-- MemoryAllocationFailed, image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image_info",length);
-+ return ((Image *)NULL);
- }
- GetImageInfo(alpha_image_info);
- alpha_image=AllocateImage(alpha_image_info);
- if (alpha_image == (Image *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,
-- MemoryAllocationFailed,
-- alpha_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image");
-+ return ((Image *)NULL);
- }
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-@@ -3277,7 +3286,9 @@
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
- DestroyImage(alpha_image);
-- ThrowReaderException(CoderError,UnableToOpenBlob,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image blob");
-+ return ((Image *)NULL);
- }
- if (jng_alpha_compression_method == 0)
- {
-@@ -3613,6 +3624,8 @@
- alpha_image = (Image *)NULL;
- DestroyImageInfo(alpha_image_info);
- alpha_image_info = (ImageInfo *)NULL;
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Destroy the JNG image");
- DestroyImage(jng_image);
- jng_image = (Image *)NULL;
- }
-@@ -5146,8 +5159,8 @@
-
- if (image == (Image *) NULL)
- {
-- DestroyImageList(previous);
- CloseBlob(previous);
-+ DestroyImageList(previous);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
deleted file mode 100644
index 2cb3d46f62..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188.
-
-diff -ur a/coders/png.c b/coders/png.c
---- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400
-+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400
-@@ -4101,11 +4101,17 @@
- mng_info->image=image;
- }
-
-- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
-- > 65535L))
-- (void) ThrowException(&image->exception,ImageError,
-- WidthOrHeightExceedsLimit,
-- image->filename);
-+ if ((mng_info->mng_width > 65535L) ||
-+ (mng_info->mng_height > 65535L))
-+ {
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " MNG width or height is too large: %lu, %lu",
-+ mng_info->mng_width,mng_info->mng_height);
-+ MagickFreeMemory(chunk);
-+ ThrowReaderException(CorruptImageError,
-+ ImproperImageHeader,image);
-+ }
-+
- FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
- mng_info->mng_height);
- mng_info->frame.left=0;
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
deleted file mode 100644
index 7036f37438..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd.
-
-diff -ur a/coders/wmf.c b/coders/wmf.c
---- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400
-+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400
-@@ -2719,8 +2719,8 @@
- if(image->exception.severity != UndefinedException)
- ThrowException2(exception,
- CoderWarning,
-- ddata->image->exception.reason,
-- ddata->image->exception.description);
-+ image->exception.reason,
-+ image->exception.description);
-
- if(logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch
deleted file mode 100644
index 71af9ffe59..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978.
-
-diff -ur a/coders/sun.c b/coders/sun.c
---- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400
-+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003-2015 GraphicsMagick Group
-+% Copyright (C) 2003-2017 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -577,6 +577,7 @@
- for (bit=7; bit >= 0; bit--)
- {
- index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
-+ VerifyColormapIndex(image,index);
- indexes[x+7-bit]=index;
- q[x+7-bit]=image->colormap[index];
- }
-@@ -587,6 +588,7 @@
- for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
- {
- index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
-+ VerifyColormapIndex(image,index);
- indexes[x+7-bit]=index;
- q[x+7-bit]=image->colormap[index];
- }
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch
deleted file mode 100644
index 83478c13b3..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/31/3
-http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503774853 18000
-# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036
-# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d
-JNX: Fix DOS issues
-
-diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
-+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2012-2015 GraphicsMagick Group
-+% Copyright (C) 2012-2017 GraphicsMagick Group
- %
- % This program is covered by multiple licenses, which are described in
- % Copyright.txt. You should have received a copy of Copyright.txt with this
-@@ -100,6 +100,7 @@
-
- char img_label_str[MaxTextExtent];
-
-+
- alloc_size = TileInfo->PicSize + 2;
-
- if (image->logging)
-@@ -242,6 +243,9 @@
- total_tiles,
- current_tile;
-
-+ magick_off_t
-+ file_size;
-+
- /* Open image file. */
- assert(image_info != (const ImageInfo *) NULL);
- assert(image_info->signature == MagickSignature);
-@@ -254,9 +258,8 @@
- if (status == False)
- ThrowReaderException(FileOpenError, UnableToOpenFile, image);
-
-- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
--
- /* Read JNX image header. */
-+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
- JNXHeader.Version = ReadBlobLSBLong(image);
- if (JNXHeader.Version > 4)
- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
-@@ -266,8 +269,6 @@
- JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
- JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
- JNXHeader.Levels = ReadBlobLSBLong(image);
-- if (JNXHeader.Levels > 20)
-- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
- JNXHeader.Expiration = ReadBlobLSBLong(image);
- JNXHeader.ProductID = ReadBlobLSBLong(image);
- JNXHeader.CRC = ReadBlobLSBLong(image);
-@@ -279,7 +280,41 @@
- if (EOFBlob(image))
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-
-+ file_size = GetBlobSize(image);
-+
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "JNX Header:\n"
-+ " Version: %u\n"
-+ " DeviceSN: %u\n"
-+ " MapBounds:\n"
-+ " NorthEast: lat = %u, lon = %u\n"
-+ " SouthWest: lat = %u, lon = %u\n"
-+ " Levels: %u\n"
-+ " Expiration: %u\n"
-+ " ProductID: %u\n"
-+ " CRC: %u\n"
-+ " SigVersion: %u\n"
-+ " SigOffset: %u\n"
-+ " ZOrder: %u",
-+ JNXHeader.Version,
-+ JNXHeader.DeviceSN,
-+ JNXHeader.MapBounds.NorthEast.lat,
-+ JNXHeader.MapBounds.NorthEast.lon,
-+ JNXHeader.MapBounds.SouthWest.lat,
-+ JNXHeader.MapBounds.SouthWest.lon,
-+ JNXHeader.Levels,
-+ JNXHeader.Expiration,
-+ JNXHeader.ProductID,
-+ JNXHeader.CRC,
-+ JNXHeader.SigVersion,
-+ JNXHeader.SigOffset,
-+ JNXHeader.ZOrder);
-+
-+ if (JNXHeader.Levels > 20)
-+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
-+
- /* Read JNX image level info. */
-+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
- total_tiles = 0;
- current_tile = 0;
- for (i = 0; i < JNXHeader.Levels; i++)
-@@ -302,11 +337,23 @@
- {
- JNXLevelInfo[i].Copyright = NULL;
- }
-+
-+ if (EOFBlob(image))
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+
-+ if (image->logging)
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Level[%u] Info:"
-+ " TileCount: %4u"
-+ " TilesOffset: %6u"
-+ " Scale: %04u",
-+ i,
-+ JNXLevelInfo[i].TileCount,
-+ JNXLevelInfo[i].TilesOffset,
-+ JNXLevelInfo[i].Scale
-+ );
- }
-
-- if (EOFBlob(image))
-- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
--
- /* Get the current limit */
- SaveLimit = GetMagickResourceLimit(MapResource);
-
-@@ -316,11 +363,32 @@
- /* Read JNX image data. */
- for (i = 0; i < JNXHeader.Levels; i++)
- {
-+ /*
-+ Validate TileCount against remaining file data
-+ */
-+ const magick_off_t current_offset = TellBlob(image);
-+ const size_t pos_list_entry_size =
-+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
-+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
-+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
-+ const magick_off_t remaining = file_size-current_offset;
-+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
-+
-+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
-+
- PositionList = MagickAllocateArray(TJNXTileInfo *,
- JNXLevelInfo[i].TileCount,
- sizeof(TJNXTileInfo));
- if (PositionList == NULL)
-- continue;
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-+ image);
-+ }
-
- (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
- for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
-@@ -333,12 +401,15 @@
- PositionList[j].PicHeight = ReadBlobLSBShort(image);
- PositionList[j].PicSize = ReadBlobLSBLong(image);
- PositionList[j].PicOffset = ReadBlobLSBLong(image);
-- }
-
-- if (EOFBlob(image))
-- {
-- MagickFreeMemory(PositionList);
-- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ if (EOFBlob(image) ||
-+ ((magick_off_t) PositionList[j].PicOffset +
-+ PositionList[j].PicSize > file_size))
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ MagickFreeMemory(PositionList);
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
- }
-
- for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
-@@ -351,6 +422,9 @@
- image = ExtractTileJPG(image, image_info, PositionList+j, exception);
- (void) SetMonitorHandler(previous_handler);
-
-+ if (exception->severity >= ErrorException)
-+ break;
-+
- current_tile++;
- if (QuantumTick(current_tile,total_tiles))
- if (!MagickMonitorFormatted(current_tile,total_tiles,exception,
-
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch
deleted file mode 100644
index e129fd58fc..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/31/1
-http://openwall.com/lists/oss-security/2017/08/31/2
-http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503779175 18000
-# Node ID 233a720bfd5efd378f133a776507ed41230da617
-# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036
-XBM: Fix DOS issues.
-
-diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
---- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500
-+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003 -2012 GraphicsMagick Group
-+% Copyright (C) 2003-2017 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -121,13 +121,15 @@
-
- static int XBMInteger(Image *image,short int *hex_digits)
- {
-+ unsigned int
-+ flag;
-+
- int
- c,
-- flag,
- value;
-
- value=0;
-- flag=0;
-+ flag=0U;
- for ( ; ; )
- {
- c=ReadBlobByte(image);
-@@ -158,18 +160,14 @@
- Image
- *image;
-
-- int
-- bit;
--
-- long
-- y;
--
- register IndexPacket
- *indexes;
-
-- register long
-+ register size_t
-+ bytes_per_line,
- i,
-- x;
-+ x,
-+ y;
-
- register PixelPacket
- *q;
-@@ -177,22 +175,24 @@
- register unsigned char
- *p;
-
-- short int
-- hex_digits[256];
--
- unsigned char
- *data;
-
- unsigned int
-+ bit,
-+ byte,
-+ padding,
-+ version;
-+
-+ int
-+ value;
-+
-+ short int
-+ hex_digits[256];
-+
-+ MagickPassFail
- status;
-
-- unsigned long
-- byte,
-- bytes_per_line,
-- padding,
-- value,
-- version;
--
- /*
- Open image file.
- */
-@@ -207,6 +207,8 @@
- /*
- Read X bitmap header.
- */
-+ (void) memset(buffer,0,sizeof(buffer));
-+ name[0]='\0';
- while (ReadBlobString(image,buffer) != (char *) NULL)
- if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
- if ((strlen(name) >= 6) &&
-@@ -278,6 +280,8 @@
- /*
- Initialize hex values.
- */
-+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
-+ hex_digits[i]=(-1);
- hex_digits['0']=0;
- hex_digits['1']=1;
- hex_digits['2']=2;
-@@ -311,40 +315,50 @@
- */
- p=data;
- if (version == 10)
-- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
-+ for (i=0; i < (bytes_per_line*image->rows); (i+=2))
- {
- value=XBMInteger(image,hex_digits);
-+ if (value < 0)
-+ {
-+ MagickFreeMemory(data);
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
- *p++=(unsigned char) value;
- if (!padding || ((i+2) % bytes_per_line))
- *p++=(unsigned char) (value >> 8);
- }
- else
-- for (i=0; i < (long) (bytes_per_line*image->rows); i++)
-+ for (i=0; i < (bytes_per_line*image->rows); i++)
- {
- value=XBMInteger(image,hex_digits);
-+ if (value < 0)
-+ {
-+ MagickFreeMemory(data);
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
- *p++=(unsigned char) value;
- }
- /*
- Convert X bitmap image to pixel packets.
- */
- p=data;
-- for (y=0; y < (long) image->rows; y++)
-+ for (y=0; y < image->rows; y++)
- {
- q=SetImagePixels(image,0,y,image->columns,1);
- if (q == (PixelPacket *) NULL)
- break;
- indexes=AccessMutableIndexes(image);
-- bit=0;
-- byte=0;
-- for (x=0; x < (long) image->columns; x++)
-+ bit=0U;
-+ byte=0U;
-+ for (x=0; x < image->columns; x++)
- {
-- if (bit == 0)
-+ if (bit == 0U)
- byte=(*p++);
- indexes[x]=byte & 0x01 ? 0x01 : 0x00;
- bit++;
-- byte>>=1;
-- if (bit == 8)
-- bit=0;
-+ byte>>=1U;
-+ if (bit == 8U)
-+ bit=0U;
- }
- if (!SyncImagePixels(image))
- break;
-
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
deleted file mode 100644
index 46f6b032c7..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/5
-http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503268616 18000
-# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
-# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
-PNM: For binary formats, verify sufficient backing file data before memory request.
-
-diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
---- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
-+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
-@@ -569,7 +569,7 @@
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
- image->colors);
- }
-- number_pixels=image->columns*image->rows;
-+ number_pixels=MagickArraySize(image->columns,image->rows);
- if (number_pixels == 0)
- ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
- if (image->storage_class == PseudoClass)
-@@ -858,14 +858,14 @@
- if (1 == bits_per_sample)
- {
- /* PBM */
-- bytes_per_row=((image->columns+7) >> 3);
-+ bytes_per_row=((image->columns+7U) >> 3);
- import_options.grayscale_miniswhite=MagickTrue;
- quantum_type=GrayQuantum;
- }
- else
- {
- /* PGM & XV_332 */
-- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
-+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
- if (XV_332_Format == format)
- {
- quantum_type=IndexQuantum;
-@@ -878,7 +878,8 @@
- }
- else
- {
-- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
-+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
-+ image->columns);
- if (3 == samples_per_pixel)
- {
- /* PPM */
-@@ -915,6 +916,28 @@
- is_monochrome=MagickFalse;
- }
- }
-+
-+ /* Validate file size before allocating memory */
-+ if (BlobIsSeekable(image))
-+ {
-+ const magick_off_t file_size = GetBlobSize(image);
-+ const magick_off_t current_offset = TellBlob(image);
-+ if ((file_size > 0) &&
-+ (current_offset > 0) &&
-+ (file_size > current_offset))
-+ {
-+ const magick_off_t remaining = file_size-current_offset;
-+ const magick_off_t needed = (magick_off_t) image->rows *
-+ (magick_off_t) bytes_per_row;
-+ if ((remaining < (magick_off_t) bytes_per_row) ||
-+ (remaining < needed))
-+ {
-+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
-+ image->filename);
-+ break;
-+ }
-+ }
-+ }
-
- scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
- if (scanline_set == (ThreadViewDataSet *) NULL)
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
deleted file mode 100644
index 1f55d90d38..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
-http://openwall.com/lists/oss-security/2017/09/06/4
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503257388 18000
-# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
-# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
-SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
-
-diff -r f87246749079 -r 493da54370aa coders/sun.c
---- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
-+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
-@@ -498,6 +498,12 @@
- if (sun_info.depth < 8)
- image->depth=sun_info.depth;
-
-+ if (image_info->ping)
-+ {
-+ CloseBlob(image);
-+ return(image);
-+ }
-+
- /*
- Compute bytes per line and bytes per image for an unencoded
- image.
-@@ -522,15 +528,37 @@
- if (bytes_per_image > sun_info.length)
- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-
-- if (image_info->ping)
-- {
-- CloseBlob(image);
-- return(image);
-- }
- if (sun_info.type == RT_ENCODED)
- sun_data_length=(size_t) sun_info.length;
- else
- sun_data_length=bytes_per_image;
-+
-+ /*
-+ Verify that data length claimed by header is supported by file size
-+ */
-+ if (sun_info.type == RT_ENCODED)
-+ {
-+ if (sun_data_length < bytes_per_image/255U)
-+ {
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
-+ }
-+ if (BlobIsSeekable(image))
-+ {
-+ const magick_off_t file_size = GetBlobSize(image);
-+ const magick_off_t current_offset = TellBlob(image);
-+ if ((file_size > 0) &&
-+ (current_offset > 0) &&
-+ (file_size > current_offset))
-+ {
-+ const magick_off_t remaining = file_size-current_offset;
-+ if (remaining < (magick_off_t) sun_data_length)
-+ {
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
-+ }
-+ }
-+
- sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
- if (sun_data == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
deleted file mode 100644
index 8e1166ba7a..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
-http://www.openwall.com/lists/oss-security/2017/09/22/2
-
-Some changes were made to make the patch apply.
-
-Notably, the DestroyJNG() function in the upstream diff has been replaced by
-its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
-and DestroyImage(). See
-http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1504014487 14400
-# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
-# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2
-Fix Issue 439
-
-diff -ru a/coders/png.c b/coders/png.c
---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
-+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
-@@ -1176,15 +1176,15 @@
- /* allocate space */
- if (length == 0)
- {
-- (void) ThrowException2(&image->exception,CoderWarning,
-- "invalid profile length",(char *) NULL);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "invalid profile length");
- return (MagickFail);
- }
- info=MagickAllocateMemory(unsigned char *,length);
- if (info == (unsigned char *) NULL)
- {
-- (void) ThrowException2(&image->exception,CoderWarning,
-- "unable to copy profile",(char *) NULL);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Unable to copy profile");
- return (MagickFail);
- }
- /* copy profile, skipping white space and column 1 "=" signs */
-@@ -1197,8 +1197,8 @@
- if (*sp == '\0')
- {
- MagickFreeMemory(info);
-- (void) ThrowException2(&image->exception,CoderWarning,
-- "ran out of profile data",(char *) NULL);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "ran out of profile data");
- return (MagickFail);
- }
- sp++;
-@@ -1234,8 +1234,9 @@
- if(SetImageProfile(image,profile_name,info,length) == MagickFail)
- {
- MagickFreeMemory(info);
-- (void) ThrowException(&image->exception,ResourceLimitError,
-- MemoryAllocationFailed,"unable to copy profile");
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "unable to copy profile");
-+ return MagickFail;
- }
- MagickFreeMemory(info);
- return MagickTrue;
-@@ -3285,7 +3286,6 @@
- if (status == MagickFalse)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- DestroyImage(alpha_image);
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " could not allocate alpha_image blob");
- return ((Image *)NULL);
-@@ -3534,7 +3534,7 @@
- CloseBlob(color_image);
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Reading jng_image from color_blob.");
-+ " Reading jng_image from color_blob.");
-
- FormatString(color_image_info->filename,"%.1024s",color_image->filename);
-
-@@ -3558,13 +3558,18 @@
-
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Copying jng_image pixels to main image.");
-+ " Copying jng_image pixels to main image.");
- image->rows=jng_height;
- image->columns=jng_width;
- length=image->columns*sizeof(PixelPacket);
-+ if ((jng_height == 0 || jng_width == 0) && logging)
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " jng_width=%lu jng_height=%lu",
-+ (unsigned long)jng_width,(unsigned long)jng_height);
- for (y=0; y < (long) image->rows; y++)
- {
-- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
-+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-+ &image->exception);
- q=SetImagePixels(image,0,y,image->columns,1);
- (void) memcpy(q,s,length);
- if (!SyncImagePixels(image))
-@@ -3589,45 +3594,79 @@
- CloseBlob(alpha_image);
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Reading opacity from alpha_blob.");
-+ " Reading opacity from alpha_blob.");
-
- FormatString(alpha_image_info->filename,"%.1024s",
- alpha_image->filename);
-
- jng_image=ReadImage(alpha_image_info,exception);
-
-- for (y=0; y < (long) image->rows; y++)
-+ if (jng_image == (Image *)NULL)
- {
-- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-- &image->exception);
-- if (image->matte)
-- {
-- q=SetImagePixels(image,0,y,image->columns,1);
-- for (x=(long) image->columns; x > 0; x--,q++,s++)
-- q->opacity=(Quantum) MaxRGB-s->red;
-- }
-- else
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " jng_image is NULL.");
-+ if (color_image_info)
-+ DestroyImageInfo(color_image_info);
-+ if (alpha_image_info)
-+ DestroyImageInfo(alpha_image_info);
-+ if (color_image)
-+ DestroyImage(color_image);
-+ if (alpha_image)
-+ DestroyImage(alpha_image);
-+ }
-+ else
-+ {
-+
-+ if (logging)
- {
-- q=SetImagePixels(image,0,y,image->columns,1);
-- for (x=(long) image->columns; x > 0; x--,q++,s++)
-- {
-- q->opacity=(Quantum) MaxRGB-s->red;
-- if (q->opacity != OpaqueOpacity)
-- image->matte=MagickTrue;
-- }
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Read jng_image.");
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " jng_image->width=%lu, jng_image->height=%lu",
-+ (unsigned long)jng_width,(unsigned long)jng_height);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " image->rows=%lu, image->columns=%lu",
-+ (unsigned long)image->rows,
-+ (unsigned long)image->columns);
- }
-- if (!SyncImagePixels(image))
-- break;
-- }
-- (void) LiberateUniqueFileResource(alpha_image->filename);
-- DestroyImage(alpha_image);
-- alpha_image = (Image *)NULL;
-- DestroyImageInfo(alpha_image_info);
-- alpha_image_info = (ImageInfo *)NULL;
-- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Destroy the JNG image");
-- DestroyImage(jng_image);
-- jng_image = (Image *)NULL;
-+
-+ for (y=0; y < (long) image->rows; y++)
-+ {
-+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-+ &image->exception);
-+ if (image->matte)
-+ {
-+ q=SetImagePixels(image,0,y,image->columns,1);
-+ for (x=(long) image->columns; x > 0; x--,q++,s++)
-+ q->opacity=(Quantum) MaxRGB-s->red;
-+ }
-+ else
-+ {
-+ q=SetImagePixels(image,0,y,image->columns,1);
-+ for (x=(long) image->columns; x > 0; x--,q++,s++)
-+ {
-+ q->opacity=(Quantum) MaxRGB-s->red;
-+ if (q->opacity != OpaqueOpacity)
-+ image->matte=MagickTrue;
-+ }
-+ }
-+ if (!SyncImagePixels(image))
-+ break;
-+ }
-+ (void) LiberateUniqueFileResource(alpha_image->filename);
-+ if (color_image_info)
-+ DestroyImageInfo(color_image_info);
-+ if (alpha_image_info)
-+ DestroyImageInfo(alpha_image_info);
-+ if (color_image)
-+ DestroyImage(color_image);
-+ if (alpha_image)
-+ DestroyImage(alpha_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Destroy the JNG image");
-+ DestroyImage(jng_image);
-+ jng_image = (Image *)NULL;
-+ }
- }
- }
diff --git a/gnu/packages/patches/jemalloc-arm-address-bits.patch b/gnu/packages/patches/jemalloc-arm-address-bits.patch
new file mode 100644
index 0000000000..f2ef24c25a
--- /dev/null
+++ b/gnu/packages/patches/jemalloc-arm-address-bits.patch
@@ -0,0 +1,39 @@
+From 8cfc9dec37b312a2686f602bbcdd102ca07cca99 Mon Sep 17 00:00:00 2001
+From: David Goldblatt <davidgoldblatt@fb.com>
+Date: Fri, 29 Sep 2017 13:54:08 -0700
+Subject: [PATCH] ARM: Don't extend bit LG_VADDR to compute high address bits.
+
+In userspace ARM on Linux, zero-ing the high bits is the correct way to do this.
+This doesn't fix the fact that we currently set LG_VADDR to 48 on ARM, when in
+fact larger virtual address sizes are coming soon. We'll cross that bridge when
+we come to it.
+---
+ include/jemalloc/internal/rtree.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/include/jemalloc/internal/rtree.h b/include/jemalloc/internal/rtree.h
+index b5d4db39..4563db23 100644
+--- a/include/jemalloc/internal/rtree.h
++++ b/include/jemalloc/internal/rtree.h
+@@ -178,9 +178,21 @@ rtree_leaf_elm_bits_read(tsdn_t *tsdn, rtree_t *rtree, rtree_leaf_elm_t *elm,
+
+ JEMALLOC_ALWAYS_INLINE extent_t *
+ rtree_leaf_elm_bits_extent_get(uintptr_t bits) {
++# ifdef __aarch64__
++ /*
++ * aarch64 doesn't sign extend the highest virtual address bit to set
++ * the higher ones. Instead, the high bits gets zeroed.
++ */
++ uintptr_t high_bit_mask = ((uintptr_t)1 << LG_VADDR) - 1;
++ /* Mask off the slab bit. */
++ uintptr_t low_bit_mask = ~(uintptr_t)1;
++ uintptr_t mask = high_bit_mask & low_bit_mask;
++ return (extent_t *)(bits & mask);
++# else
+ /* Restore sign-extended high bits, mask slab bit. */
+ return (extent_t *)((uintptr_t)((intptr_t)(bits << RTREE_NHIB) >>
+ RTREE_NHIB) & ~((uintptr_t)0x1));
++# endif
+ }
+
+ JEMALLOC_ALWAYS_INLINE szind_t
diff --git a/gnu/packages/patches/libvdpau-va-gl-unbundle.patch b/gnu/packages/patches/libvdpau-va-gl-unbundle.patch
new file mode 100644
index 0000000000..b15e15c2a3
--- /dev/null
+++ b/gnu/packages/patches/libvdpau-va-gl-unbundle.patch
@@ -0,0 +1,35 @@
+From 18e3ff648356cf06a39372aa4a4bbf2732d9d0f4 Mon Sep 17 00:00:00 2001
+From: Efraim Flashner <efraim@flashner.co.il>
+Date: Tue, 12 Dec 2017 21:36:44 +0200
+Subject: [PATCH] don't use bundled libvdpau headers
+
+---
+ CMakeLists.txt | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0484179..e950707 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -9,16 +9,17 @@ find_package(PkgConfig REQUIRED)
+ find_package(X11 REQUIRED)
+ pkg_check_modules(LIBVA libva-x11 REQUIRED)
+ pkg_check_modules(LIBGL gl REQUIRED)
++pkg_check_modules(LIBVDPAU vdpau REQUIRED)
+
+ set(DRIVER_NAME "vdpau_va_gl" CACHE STRING "driver name")
+ set(LIB_SUFFIX "" CACHE STRING "library path suffix (if needed)")
+ set(LIB_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/lib${LIB_SUFFIX}/vdpau" CACHE PATH "library installation path")
+
+ include_directories (
+- 3rdparty
+ ${X11_INCLUDE_DIRS}
+ ${LIBVA_INCLUDE_DIRS}
+ ${LIBGL_INCLUDE_DIRS}
++ ${LIBVDPAU_INCLUDE_DIRS}
+ ${GENERATED_INCLUDE_DIRS}
+ ${CMAKE_BINARY_DIR}
+ )
+--
+2.15.1
+
diff --git a/gnu/packages/patches/picprog-non-intel-support.patch b/gnu/packages/patches/picprog-non-intel-support.patch
new file mode 100644
index 0000000000..8908207011
--- /dev/null
+++ b/gnu/packages/patches/picprog-non-intel-support.patch
@@ -0,0 +1,74 @@
+https://sources.debian.org/data/main/p/picprog/1.9.1-3/debian/patches/20_iopl.patch
+
+Description: Avoid some functions in some architectures
+ Upstream uses iopl() function and other architecture-dependent
+ codes. This patch adds building switches to avoid them in
+ some architectures.
+Author: Koichi Akabe <vbkaisetsu@gmail.com>
+Last-Update: 2011-11-30
+
+--- picprog-1.9.1.orig/picport.cc
++++ picprog-1.9.1/picport.cc
+@@ -38,7 +38,12 @@
+ #include <ctime>
+
+ #include <sys/ioctl.h>
+-#include <sys/io.h>
++
++#if defined(__i386__) || defined(__x86_64__)
++ #include <sys/io.h>
++ #define HAVE_IOPL
++#endif
++
+ #include <fcntl.h>
+ #include <sys/time.h>
+ #include <unistd.h>
+@@ -160,8 +165,12 @@
+ // Not root. Cannot use realtime scheduling.
+ use_nanosleep = 0;
+ }
++#ifdef HAVE_IOPL
+ if (iopl (3))
+ disable_interrupts = 0;
++#else
++ disable_interrupts = 0;
++#endif
+
+ #ifdef CPU_SETSIZE
+ // When computing the delay loops, we do not want the cpu's to change.
+@@ -403,13 +412,17 @@
+ {
+ struct timeval tv1, tv2;
+ gettimeofday (&tv1, 0);
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("pushf; cli");
++#endif
+ set_clock_data (1, b); // set data, clock up
+ delay (cable_delay);
+ set_clock_data (0, b); // clock down
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("popf");
++#endif
+ gettimeofday (&tv2, 0);
+
+ // We may have spent a long time in an interrupt or in another task
+@@ -428,13 +441,17 @@
+ {
+ struct timeval tv1, tv2;
+ gettimeofday (&tv1, 0);
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("pushf; cli");
++#endif
+ set_clock_data (1, 1); // clock up
+ delay (cable_delay);
+ set_clock_data (0, 1); // set data up, clock down
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("popf");
++#endif
+ gettimeofday (&tv2, 0);
+
+ // We may have spent a long time in an interrupt or in another task
diff --git a/gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch b/gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch
new file mode 100644
index 0000000000..90328cc0eb
--- /dev/null
+++ b/gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch
@@ -0,0 +1,25 @@
+This patch stops a test sometimes failing because of non-determinism. See
+https://github.com/scikit-learn/scikit-learn/pull/9542
+
+From ff9f6db6e8b59c2b3528c8137ed4054f57c1d7c4 Mon Sep 17 00:00:00 2001
+From: Hanmin Qin <qinhanmin2005@sina.com>
+Date: Sun, 13 Aug 2017 22:13:49 +0800
+Subject: [PATCH] add random_state
+
+---
+ sklearn/tests/test_kernel_ridge.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sklearn/tests/test_kernel_ridge.py b/sklearn/tests/test_kernel_ridge.py
+index 4750a096ac6..979875870b6 100644
+--- a/sklearn/tests/test_kernel_ridge.py
++++ b/sklearn/tests/test_kernel_ridge.py
+@@ -10,7 +10,7 @@
+ from sklearn.utils.testing import assert_array_almost_equal
+
+
+-X, y = make_regression(n_features=10)
++X, y = make_regression(n_features=10, random_state=0)
+ Xcsr = sp.csr_matrix(X)
+ Xcsc = sp.csc_matrix(X)
+ Y = np.array([y, y]).T
diff --git a/gnu/packages/patches/qemu-CVE-2017-15118.patch b/gnu/packages/patches/qemu-CVE-2017-15118.patch
deleted file mode 100644
index d427317be9..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-15118.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Fix CVE-2017-15118:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15118
-https://bugzilla.redhat.com/show_bug.cgi?id=1516922
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183
-
-From 51ae4f8455c9e32c54770c4ebc25bf86a8128183 Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Wed, 22 Nov 2017 15:07:22 -0600
-Subject: [PATCH] nbd/server: CVE-2017-15118 Stack smash on large export name
-
-Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
-can request export names up to 4096 bytes in length, even though
-they should not expect success on names longer than 256. However,
-qemu hard-codes the limit of 256, and fails to filter out a client
-that probes for a longer name; the result is a stack smash that can
-potentially give an attacker arbitrary control over the qemu
-process.
-
-The smash can be easily demonstrated with this client:
-$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
-
-If the qemu NBD server binary (whether the standalone qemu-nbd, or
-the builtin server of QMP nbd-server-start) was compiled with
--fstack-protector-strong, the ability to exploit the stack smash
-into arbitrary execution is a lot more difficult (but still
-theoretically possible to a determined attacker, perhaps in
-combination with other CVEs). Still, crashing a running qemu (and
-losing the VM) is bad enough, even if the attacker did not obtain
-full execution control.
-
-CC: qemu-stable@nongnu.org
-Signed-off-by: Eric Blake <eblake@redhat.com>
----
- nbd/server.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/nbd/server.c b/nbd/server.c
-index a81801e3bc..92c0fdd03b 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
- msg = "name length is incorrect";
- goto invalid;
- }
-+ if (namelen >= sizeof(name)) {
-+ msg = "name too long for qemu";
-+ goto invalid;
-+ }
- if (nbd_read(client->ioc, name, namelen, errp) < 0) {
- return -EIO;
- }
---
-2.15.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-15119.patch b/gnu/packages/patches/qemu-CVE-2017-15119.patch
deleted file mode 100644
index 6265ecf8d6..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-15119.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Fix CVE-2017-15119:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15119
-https://bugzilla.redhat.com/show_bug.cgi?id=1516925
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=fdad35ef6c5839d50dfc14073364ac893afebc30
-
-From fdad35ef6c5839d50dfc14073364ac893afebc30 Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Wed, 22 Nov 2017 16:25:16 -0600
-Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M
-
-The NBD spec gives us permission to abruptly disconnect on clients
-that send outrageously large option requests, rather than having
-to spend the time reading to the end of the option. No real
-option request requires that much data anyways; and meanwhile, we
-already have the practice of abruptly dropping the connection on
-any client that sends NBD_CMD_WRITE with a payload larger than 32M.
-
-For comparison, nbdkit drops the connection on any request with
-more than 4096 bytes; however, that limit is probably too low
-(as the NBD spec states an export name can theoretically be up
-to 4096 bytes, which means a valid NBD_OPT_INFO could be even
-longer) - even if qemu doesn't permit exports longer than 256
-bytes.
-
-It could be argued that a malicious client trying to get us to
-read nearly 4G of data on a bad request is a form of denial of
-service. In particular, if the server requires TLS, but a client
-that does not know the TLS credentials sends any option (other
-than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
-payload of nearly 4G, then the server was keeping the connection
-alive trying to read all the payload, tying up resources that it
-would rather be spending on a client that can get past the TLS
-handshake. Hence, this warranted a CVE.
-
-Present since at least 2.5 when handling known options, and made
-worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
-to handle unknown options.
-
-CC: qemu-stable@nongnu.org
-Signed-off-by: Eric Blake <eblake@redhat.com>
----
- nbd/server.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/nbd/server.c b/nbd/server.c
-index 7d6801b427..a81801e3bc 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -673,6 +673,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags,
- }
- length = be32_to_cpu(length);
-
-+ if (length > NBD_MAX_BUFFER_SIZE) {
-+ error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)",
-+ length, NBD_MAX_BUFFER_SIZE);
-+ return -EINVAL;
-+ }
-+
- trace_nbd_negotiate_options_check_option(option,
- nbd_opt_lookup(option));
- if (client->tlscreds &&
---
-2.15.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-15268.patch b/gnu/packages/patches/qemu-CVE-2017-15268.patch
deleted file mode 100644
index 8238c3059f..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-15268.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Fix CVE-2017-15268:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493
-
-From a7b20a8efa28e5f22c26c06cd06c2f12bc863493 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange@redhat.com>
-Date: Mon, 9 Oct 2017 14:43:42 +0100
-Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
-
-The websocket GSource is monitoring the size of the rawoutput
-buffer to determine if the channel can accepts more writes.
-The rawoutput buffer, however, is merely a temporary staging
-buffer before data is copied into the encoutput buffer. Thus
-its size will always be zero when the GSource runs.
-
-This flaw causes the encoutput buffer to grow without bound
-if the other end of the underlying data channel doesn't
-read data being sent. This can be seen with VNC if a client
-is on a slow WAN link and the guest OS is sending many screen
-updates. A malicious VNC client can act like it is on a slow
-link by playing a video in the guest and then reading data
-very slowly, causing QEMU host memory to expand arbitrarily.
-
-This issue is assigned CVE-2017-15268, publically reported in
-
- https://bugs.launchpad.net/qemu/+bug/1718964
-
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
----
- io/channel-websock.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/io/channel-websock.c b/io/channel-websock.c
-index d1d471f86e..04bcc059cd 100644
---- a/io/channel-websock.c
-+++ b/io/channel-websock.c
-@@ -28,7 +28,7 @@
- #include <time.h>
-
-
--/* Max amount to allow in rawinput/rawoutput buffers */
-+/* Max amount to allow in rawinput/encoutput buffers */
- #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
-
- #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
-@@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source)
- if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
- cond |= G_IO_IN;
- }
-- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
-+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
- cond |= G_IO_OUT;
- }
-
---
-2.15.0
-
diff --git a/gnu/packages/patches/rsync-CVE-2017-16548.patch b/gnu/packages/patches/rsync-CVE-2017-16548.patch
new file mode 100644
index 0000000000..52a75ea241
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-16548.patch
@@ -0,0 +1,31 @@
+https://bugzilla.samba.org/show_bug.cgi?id=13112
+https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
+
+From 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Sun, 5 Nov 2017 11:33:15 -0800
+Subject: [PATCH] Enforce trailing \0 when receiving xattr name values. Fixes
+ bug 13112.
+
+---
+ xattrs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xattrs.c b/xattrs.c
+index 68305d7..4867e6f 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file)
+ out_of_memory("receive_xattr");
+ name = ptr + dget_len + extra_len;
+ read_buf(f, name, name_len);
++ if (name_len < 1 || name[name_len-1] != '\0') {
++ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
++ exit_cleanup(RERR_FILEIO);
++ }
+ if (dget_len == datum_len)
+ read_buf(f, ptr, dget_len);
+ else {
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch b/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch
new file mode 100644
index 0000000000..74bac0fc33
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch
@@ -0,0 +1,42 @@
+https://git.samba.org/?p=rsync.git;a=patch;h=f5e8a17e093065fb20fea00a29540fe2c7896441
+minor edits were made to get the patch to apply
+
+From f5e8a17e093065fb20fea00a29540fe2c7896441 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Sun, 3 Dec 2017 15:49:56 -0800
+Subject: [PATCH] Fix issue with earlier path-check (fixes "make check") and
+ make a BOOL more explicit.
+
+---
+ checksum.c | 2 +-
+ receiver.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/receiver.c b/receiver.c
+index 9c46242..75cb00d 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -574,15 +574,15 @@ int recv_files(int f_in, int f_out, char *local_name)
+ file = dir_flist->files[cur_flist->parent_ndx];
+ fname = local_name ? local_name : f_name(file, fbuf);
+
+- if (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
++ if (DEBUG_GTE(RECV, 1))
++ rprintf(FINFO, "recv_files(%s)\n", fname);
++
++ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
++ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+ rprintf(FERROR, "attempt to hack rsync failed.\n");
+ exit_cleanup(RERR_PROTOCOL);
+ }
+
+- if (DEBUG_GTE(RECV, 1))
+- rprintf(FINFO, "recv_files(%s)\n", fname);
+-
+ #ifdef SUPPORT_XATTRS
+ if (preserve_xattrs && iflags & ITEM_REPORT_XATTR && do_xfers
+ && !(want_xattr_optim && BITS_SET(iflags, ITEM_XNAME_FOLLOWS|ITEM_LOCAL_CHANGE)))
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17433.patch b/gnu/packages/patches/rsync-CVE-2017-17433.patch
new file mode 100644
index 0000000000..84e4067509
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17433.patch
@@ -0,0 +1,45 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
+https://git.samba.org/?p=rsync.git;a=patch;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
+
+From 3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 Mon Sep 17 00:00:00 2001
+From: Jeriko One <jeriko.one@gmx.us>
+Date: Thu, 2 Nov 2017 23:44:19 -0700
+Subject: [PATCH] Check fname in recv_files sooner.
+
+---
+ receiver.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/receiver.c b/receiver.c
+index baae3a9..9fdafa1 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
+ file = dir_flist->files[cur_flist->parent_ndx];
+ fname = local_name ? local_name : f_name(file, fbuf);
+
++ if (daemon_filter_list.head
++ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
++ rprintf(FERROR, "attempt to hack rsync failed.\n");
++ exit_cleanup(RERR_PROTOCOL);
++ }
++
+ if (DEBUG_GTE(RECV, 1))
+ rprintf(FINFO, "recv_files(%s)\n", fname);
+
+@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name)
+
+ cleanup_got_literal = 0;
+
+- if (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+- rprintf(FERROR, "attempt to hack rsync failed.\n");
+- exit_cleanup(RERR_PROTOCOL);
+- }
+-
+ if (read_batch) {
+ int wanted = redoing
+ ? we_want_redo(ndx)
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch b/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch
new file mode 100644
index 0000000000..0d9298743d
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch
@@ -0,0 +1,28 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
+https://git.samba.org/?p=rsync.git;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1
+
+From 5509597decdbd7b91994210f700329d8a35e70a1 Mon Sep 17 00:00:00 2001
+From: Jeriko One <jeriko.one@gmx.us>
+Date: Thu, 16 Nov 2017 17:26:03 -0800
+Subject: [PATCH] Check daemon filter against fnamecmp in recv_files().
+
+---
+ receiver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/receiver.c b/receiver.c
+index 9fdafa1..9c46242 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+ break;
+ }
+ if (!fnamecmp || (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
++ && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
+ fnamecmp = fname;
+ fnamecmp_type = FNAMECMP_FNAME;
+ }
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch b/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch
new file mode 100644
index 0000000000..fad19d01fb
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch
@@ -0,0 +1,39 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
+https://git.samba.org/?p=rsync.git;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
+
+From 70aeb5fddd1b2f8e143276f8d5a085db16c593b9 Mon Sep 17 00:00:00 2001
+From: Jeriko One <jeriko.one@gmx.us>
+Date: Thu, 16 Nov 2017 17:05:42 -0800
+Subject: [PATCH] Sanitize xname in read_ndx_and_attrs.
+
+---
+ rsync.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rsync.c b/rsync.c
+index b82e598..a0945ba 100644
+--- a/rsync.c
++++ b/rsync.c
+@@ -49,6 +49,7 @@ extern int flist_eof;
+ extern int file_old_total;
+ extern int keep_dirlinks;
+ extern int make_backups;
++extern int sanitize_paths;
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern struct chmod_mode_struct *daemon_chmod_modes;
+ #ifdef ICONV_OPTION
+@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr,
+ if (iflags & ITEM_XNAME_FOLLOWS) {
+ if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
+ exit_cleanup(RERR_PROTOCOL);
++
++ if (sanitize_paths) {
++ sanitize_path(buf, buf, "", 0, SP_DEFAULT);
++ len = strlen(buf);
++ }
+ } else {
+ *buf = '\0';
+ len = -1;
+--
+1.9.1
+
diff --git a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch
index aaa31f7b93..aaa31f7b93 100644
--- a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
+++ b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch