Merge branch 'master' into staging

10 files changed, 352 insertions, 498 deletions

diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
new file mode 100644
index 0000000000..ddef014651
--- /dev/null
+++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
@@ -0,0 +1,100 @@
+Fix CVE-2018-5738:
+
+https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f63554e..847c4ff 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	CHECKM(named_config_getport(config, &port), "port");
+ 	dns_view_setdstport(view, port);
+ 
+-	CHECK(configure_view_acl(vconfig, config, named_g_config,
+-				 "allow-query", NULL, actx,
+-				 named_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 				 "allow-query-cache-on", NULL, actx,
+ 				 named_g_mctx, &view->cacheonacl));
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, named_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 named_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 named_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 named_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, named_g_config,
++					 "allow-query", NULL,
++					 actx, named_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,
diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
new file mode 100644
index 0000000000..fbd596862b
--- /dev/null
+++ b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
@@ -0,0 +1,36 @@
+Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed
+to be addresses:
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=22764
+
+Patch taken from upstream (with ChangeLog entries and tests omitted):
+
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12
+
+diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
+index af448f9..2737773 100644
+--- a/bfd/elfnn-aarch64.c
++++ b/bfd/elfnn-aarch64.c
+@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info,
+ #if ARCH_SIZE == 64
+ 	case BFD_RELOC_AARCH64_32:
+ #endif
+-	  if (bfd_link_pic (info)
+-	      && (sec->flags & SEC_ALLOC) != 0
+-	      && (sec->flags & SEC_READONLY) != 0)
++	  if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0)
+ 	    {
++	      if (h != NULL
++		  /* This is an absolute symbol.  It represents a value instead
++		     of an address.  */
++		  && ((h->root.type == bfd_link_hash_defined
++		       && bfd_is_abs_section (h->root.u.def.section))
++		      /* This is an undefined symbol.  */
++		      || h->root.type == bfd_link_hash_undefined))
++		break;
++
++	      /* For local symbols, defined global symbols in a non-ABS section,
++		 it is assumed that the value is an address.  */
+ 	      int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START;
+ 	      _bfd_error_handler
+ 		/* xgettext:c-format */
diff --git a/gnu/packages/patches/elixir-disable-failing-tests.patch b/gnu/packages/patches/elixir-disable-failing-tests.patch
deleted file mode 100644
index 547598b292..0000000000
--- a/gnu/packages/patches/elixir-disable-failing-tests.patch
+++ /dev/null
@@ -1,284 +0,0 @@
-Most of these tests fail for unknown reasons when run in the chroot
-environment of a Guix build process.
-
-Common failures are:
-
- * Mix.Shell.cmd() fails with error 130
- * The git_repo fixture cannot be found
- * Communication with spawned processes fails with EPIPE
- * Failure to copy files
-
-
-diff --git a/lib/elixir/test/elixir/kernel/cli_test.exs b/lib/elixir/test/elixir/kernel/cli_test.exs
-index 3ffd56c..1232d19 100644
---- a/lib/elixir/test/elixir/kernel/cli_test.exs
-+++ b/lib/elixir/test/elixir/kernel/cli_test.exs
-@@ -39,6 +39,7 @@ end
- defmodule Kernel.CLI.OptionParsingTest do
-   use ExUnit.Case, async: true
-
-+  @tag :skip
-   test "properly parses paths" do
-     root = fixture_path("../../..") |> to_charlist
-     list = elixir('-pa "#{root}/*" -pz "#{root}/lib/*" -e "IO.inspect(:code.get_path, limit: :infinity)"')
-@@ -57,6 +58,7 @@ end
- defmodule Kernel.CLI.AtExitTest do
-   use ExUnit.Case, async: true
-
-+  @tag :skip
-   test "invokes at_exit callbacks" do
-     assert elixir(fixture_path("at_exit.exs") |> to_charlist) ==
-            'goodbye cruel world with status 1\n'
-@@ -66,6 +68,7 @@ end
- defmodule Kernel.CLI.ErrorTest do
-   use ExUnit.Case, async: true
-
-+  @tag :skip
-   test "properly format errors" do
-     assert :string.str('** (throw) 1', elixir('-e "throw 1"')) == 0
-     assert :string.str('** (ErlangError) erlang error: 1', elixir('-e "error 1"')) == 0
-@@ -86,6 +89,7 @@ defmodule Kernel.CLI.CompileTest do
-     {:ok, [tmp_dir_path: tmp_dir_path, beam_file_path: beam_file_path, fixture: fixture]}
-   end
-
-+  @tag :skip
-   test "compiles code", context do
-     assert elixirc('#{context[:fixture]} -o #{context[:tmp_dir_path]}') == ''
-     assert File.regular?(context[:beam_file_path])
-@@ -96,6 +100,7 @@ defmodule Kernel.CLI.CompileTest do
-     Code.delete_path context[:tmp_dir_path]
-   end
-
-+  @tag :skip
-   test "fails on missing patterns", context do
-     output = elixirc('#{context[:fixture]} non_existing.ex -o #{context[:tmp_dir_path]}')
-     assert :string.str(output, 'non_existing.ex') > 0, "expected non_existing.ex to be mentioned"
-@@ -103,6 +108,7 @@ defmodule Kernel.CLI.CompileTest do
-     refute File.exists?(context[:beam_file_path]), "expected the sample to not be compiled"
-   end
-
-+  @tag :skip
-   test "fails on missing write access to .beam file", context do
-     compilation_args = '#{context[:fixture]} -o #{context[:tmp_dir_path]}'
-
-diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-index 801d852..40fc5bc 100644
---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-@@ -60,16 +60,19 @@ defmodule Kernel.DialyzerTest do
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on rewrites", context do
-     copy_beam! context, Dialyzer.Rewrite
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on raise", context do
-     copy_beam! context, Dialyzer.Raise
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on macrocallback", context do
-     copy_beam! context, Dialyzer.Macrocallback
-     copy_beam! context, Dialyzer.Macrocallback.Impl
-diff --git a/lib/elixir/test/elixir/system_test.exs b/lib/elixir/test/elixir/system_test.exs
-index aafa559..0f9c178 100644
---- a/lib/elixir/test/elixir/system_test.exs
-+++ b/lib/elixir/test/elixir/system_test.exs
-@@ -53,7 +53,8 @@ defmodule SystemTest do
-     assert System.endianness in [:little, :big]
-     assert System.endianness == System.compiled_endianness
-   end
--
-+
-+  @tag :skip
-   test "argv/0" do
-     list = elixir('-e "IO.inspect System.argv" -- -o opt arg1 arg2 --long-opt 10')
-     {args, _} = Code.eval_string list, []
-diff --git a/lib/mix/test/mix/dep_test.exs b/lib/mix/test/mix/dep_test.exs
-index fff3351..d6ed1b3 100644
---- a/lib/mix/test/mix/dep_test.exs
-+++ b/lib/mix/test/mix/dep_test.exs
-@@ -244,6 +244,7 @@ defmodule Mix.DepTest do
-     end
-   end
-
-+  @tag :skip
-   test "remote converger" do
-     deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"},
-             {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo")}]
-@@ -301,6 +302,7 @@ defmodule Mix.DepTest do
-     end
-   end
-
-+  @tag :skip
-   test "remote converger is not invoked if deps diverge" do
-     deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"},
-             {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo"), only: :test}]
-
-diff --git a/lib/mix/test/mix/shell/io_test.exs b/lib/mix/test/mix/shell/io_test.exs
-index 9bfb6b4..d982ef3 100644
---- a/lib/mix/test/mix/shell/io_test.exs
-+++ b/lib/mix/test/mix/shell/io_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Shell.IOTest do
-     assert capture_io("", fn -> refute yes?("Ok?") end)
-   end
-
-+  @tag :skip
-   test "runs a given command" do
-     assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "hello\n"
-
-diff --git a/lib/mix/test/mix/shell/quiet_test.exs b/lib/mix/test/mix/shell/quiet_test.exs
-index 626429b..99fab35 100644
---- a/lib/mix/test/mix/shell/quiet_test.exs
-+++ b/lib/mix/test/mix/shell/quiet_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Shell.QuietTest do
-     assert capture_io("", fn -> refute yes?("Ok?") end)
-   end
-
-+  @tag :skip
-   test "runs a given command" do
-     assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == ""
-
-diff --git a/lib/mix/test/mix/tasks/cmd_test.exs b/lib/mix/test/mix/tasks/cmd_test.exs
-index db4bf06..4d441f7 100644
---- a/lib/mix/test/mix/tasks/cmd_test.exs
-+++ b/lib/mix/test/mix/tasks/cmd_test.exs
-@@ -3,6 +3,7 @@ Code.require_file "../../test_helper.exs", __DIR__
- defmodule Mix.Tasks.CmdTest do
-   use MixTest.Case
-
-+  @tag :skip
-   test "runs the command for each app" do
-     in_fixture "umbrella_dep/deps/umbrella", fn ->
-       Mix.Project.in_project(:umbrella, ".", fn _ ->
-diff --git a/lib/mix/test/mix/tasks/deps.tree_test.exs b/lib/mix/test/mix/tasks/deps.tree_test.exs
-index 4f09ff3..c371997 100644
---- a/lib/mix/test/mix/tasks/deps.tree_test.exs
-+++ b/lib/mix/test/mix/tasks/deps.tree_test.exs
-@@ -29,6 +29,7 @@ defmodule Mix.Tasks.Deps.TreeTest do
-     end
-   end
-
-+  @tag :skip
-   test "shows the dependency tree", context do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -109,6 +110,7 @@ defmodule Mix.Tasks.Deps.TreeTest do
-     end
-   end
-
-+  @tag :skip
-   test "shows the dependency tree in DOT graph format", context do
-     Mix.Project.push ConvergedDepsApp
-
-diff --git a/lib/mix/test/mix/tasks/deps_test.exs b/lib/mix/test/mix/tasks/deps_test.exs
-index b061777..cc45cf8 100644
---- a/lib/mix/test/mix/tasks/deps_test.exs
-+++ b/lib/mix/test/mix/tasks/deps_test.exs
-@@ -96,6 +96,7 @@
-     end
-   end
-
-+  @tag :skip
-   test "prints list of dependencies and their lock status" do
-     Mix.Project.push DepsApp
-
-@@ -409,6 +409,7 @@ defmodule Mix.Tasks.DepsTest do
-     end
-   end
-
-+  @tag :skip
-   test "fails on diverged dependencies by requirement" do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -440,6 +441,7 @@ defmodule Mix.Tasks.DepsTest do
-     end
-   end
-
-+  @tag :skip
-   test "fails on diverged dependencies even when optional" do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -469,6 +471,7 @@ defmodule Mix.Tasks.DepsTest do
-     end
-   end
-
-+  @tag :skip
-   test "works with converged dependencies" do
-     Mix.Project.push ConvergedDepsApp
-
-@@ -491,6 +494,7 @@ defmodule Mix.Tasks.DepsTest do
-     purge [GitRepo, GitRepo.Mixfile]
-   end
-
-+  @tag :skip
-   test "works with overridden dependencies" do
-     Mix.Project.push OverriddenDepsApp
-
-diff --git a/lib/mix/test/mix/umbrella_test.exs b/lib/mix/test/mix/umbrella_test.exs
-index 69f9428..406668a 100644
---- a/lib/mix/test/mix/umbrella_test.exs
-+++ b/lib/mix/test/mix/umbrella_test.exs
-@@ -98,6 +98,7 @@ defmodule Mix.UmbrellaTest do
-     end
-   end
-
-+  @tag :skip
-   test "loads umbrella child dependencies in all environments" do
-     in_fixture "umbrella_dep/deps/umbrella", fn ->
-       Mix.Project.in_project :umbrella, ".", fn _ ->
-
-diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-index 792222c..e90beb9 100644
---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs
-@@ -54,6 +54,7 @@ defmodule Kernel.DialyzerTest do
-     {:ok, [outdir: dir, dialyzer: dialyzer]}
-   end
-
-+  @tag :skip
-   test "no warnings on valid remote calls", context do
-     copy_beam! context, Dialyzer.RemoteCall
-     assert_dialyze_no_warnings! context
-@@ -78,11 +79,13 @@ defmodule Kernel.DialyzerTest do
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on struct update", context do
-     copy_beam! context, Dialyzer.StructUpdate
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on protocol calls with opaque types", context do
-     copy_beam! context, Dialyzer.ProtocolOpaque
-     copy_beam! context, Dialyzer.ProtocolOpaque.Entity
-@@ -90,6 +93,7 @@ defmodule Kernel.DialyzerTest do
-     assert_dialyze_no_warnings! context
-   end
-
-+  @tag :skip
-   test "no warnings on and/2 and or/2", context do
-     copy_beam! context, Dialyzer.BooleanCheck
-     assert_dialyze_no_warnings! context
-
-diff --git a/Makefile b/Makefile
-index 2fc4f9a..aef8366 100644
---- a/Makefile
-+++ b/Makefile
-@@ -201,7 +201,7 @@ $(TEST_EBIN)/%.beam: $(TEST_ERL)/%.erl
-        $(Q) mkdir -p $(TEST_EBIN)
-        $(Q) $(ERLC) -o $(TEST_EBIN) $<
-
--test_elixir: test_stdlib test_ex_unit test_logger test_mix test_eex test_iex
-+test_elixir: test_stdlib test_ex_unit test_logger test_eex test_iex
-
- test_stdlib: compile
-        @ echo "==> elixir (exunit)"
-
diff --git a/gnu/packages/patches/flann-cmake-3.11.patch b/gnu/packages/patches/flann-cmake-3.11.patch
new file mode 100644
index 0000000000..1fb76eca0a
--- /dev/null
+++ b/gnu/packages/patches/flann-cmake-3.11.patch
@@ -0,0 +1,84 @@
+Fixes this issue:
+ <https://github.com/mariusmuja/flann/issues/369>.
+Patch from Buildroot:
+ <https://github.com/buildroot/buildroot/commit/45a39b3e2ba42b72d19bfcef30db1b8da9ead51a>.
+
+From fa5ec96a94646492a3f908e12905b3e48a8e800b Mon Sep 17 00:00:00 2001
+From: Romain Naour <romain.naour@gmail.com>
+Date: Wed, 18 Apr 2018 20:24:13 +0200
+Subject: [PATCH] src/cpp: fix cmake >= 3.11 build
+
+CMake < 3.11 doesn't support add_library() without any source file
+(i.e add_library(foo SHARED)). But flann CMake use a trick that use
+an empty string "" as source list (i.e add_library(foo SHARED "")).
+This look like a bug in CMake < 3.11.
+
+With CMake >= 3.11, the new behaviour of add_library() break the
+existing flann CMake code.
+
+From CMake Changelog [1]:
+"add_library() and add_executable() commands can now be called without
+ any sources and will not complain as long as sources are added later
+ via the target_sources() command."
+
+Note: flann CMake code doesn't use target_sources() since no source file
+are provided intentionally since the flann shared library is created by
+linking with the flann_cpp_s static library with this line:
+
+target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive)
+
+If you try to use "add_library(flann_cpp SHARED ${CPP_SOURCES})" (as it should
+be normally done), the link fail due to already defined symbol.
+
+They are building the shared version using the static library "to speedup the
+build time" [3]
+
+This issue is already reported upstream [2] with a proposed solution.
+
+Upstream status: Pending
+
+Fixes:
+http://autobuild.buildroot.net/results/b2f/b2febfaf8c44ce477b3e4a5b9b976fd25e8d7454
+
+[1] https://cmake.org/cmake/help/v3.11/release/3.11.html
+[2] https://github.com/mariusmuja/flann/issues/369
+[3] https://github.com/mariusmuja/flann/commit/0fd62b43be2fbb0b8d791ee36290791224dc030c
+
+Signed-off-by: Romain Naour <romain.naour@gmail.com>
+---
+ src/cpp/CMakeLists.txt | 4 ++--
+ src/cpp/empty.cpp      | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 src/cpp/empty.cpp
+
+diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt
+index b44a735..a816863 100644
+--- a/src/cpp/CMakeLists.txt
++++ b/src/cpp/CMakeLists.txt
+@@ -29,7 +29,7 @@ if (BUILD_CUDA_LIB)
+ endif()
+ 
+ if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC)
+-    add_library(flann_cpp SHARED "")
++    add_library(flann_cpp SHARED "empty.cpp")
+     set_target_properties(flann_cpp PROPERTIES LINKER_LANGUAGE CXX)
+     target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive)
+ 
+@@ -85,7 +85,7 @@ if (BUILD_C_BINDINGS)
+     set_property(TARGET flann_s PROPERTY COMPILE_DEFINITIONS FLANN_STATIC)
+ 
+     if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC)
+-        add_library(flann SHARED "")
++        add_library(flann SHARED "empty.cpp")
+         set_target_properties(flann PROPERTIES LINKER_LANGUAGE CXX)
+         target_link_libraries(flann -Wl,-whole-archive flann_s -Wl,-no-whole-archive)
+     else()
+diff --git a/src/cpp/empty.cpp b/src/cpp/empty.cpp
+new file mode 100644
+index 0000000..40a8c17
+--- /dev/null
++++ b/src/cpp/empty.cpp
+@@ -0,0 +1 @@
++/* empty */
+-- 
+2.14.3
diff --git a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch b/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch
deleted file mode 100644
index 306d4d348b..0000000000
--- a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Fix CVE-2018-12020:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
-https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
-
-Patch copied from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac
-
-From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Fri, 8 Jun 2018 10:45:21 +0200
-Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
-
-* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
---
-
-This fixes a forgotten sanitation of user supplied data in a verbose
-mode diagnostic.  The mention CVE is about using this to inject
-status-fd lines into the stderr output.  Other harm good as well be
-done.  Note that GPGME based applications are not affected because
-GPGME does not fold status output into stderr.
-
-CVE-id: CVE-2018-12020
-GnuPG-bug-id: 4012
-(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
----
- g10/mainproc.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/g10/mainproc.c b/g10/mainproc.c
-index 33a654b34..ffa7ef6d8 100644
---- a/g10/mainproc.c
-+++ b/g10/mainproc.c
-@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
-     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
- 	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
-     else if( opt.verbose )
--	log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
-+      {
-+        char *tmp = make_printable_string (pt->name, pt->namelen, 0);
-+        log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
-+        xfree (tmp);
-+      }
-     free_md_filter_context( &c->mfx );
-     c->mfx.md = md_open( 0, 0);
-     /* fixme: we may need to push the textfilter if we have sigclass 1
--- 
-2.17.1
-
diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch
deleted file mode 100644
index 75c6362021..0000000000
--- a/gnu/packages/patches/password-store-gnupg-compat.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Copied from upstream mailing list:
-https://lists.zx2c4.com/pipermail/password-store/2018-February/003216.html.
-
-From 9b0c86159d754cc88dd3642564eed527153dfb7f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org>
-Date: Sat, 24 Feb 2018 12:05:46 +0100
-Subject: [PATCH] tests: fix compatibility with GnuPG 2.2.5
-
----
- tests/t0300-reencryption.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh
-index 6d5811d..6d15364 100755
---- a/tests/t0300-reencryption.sh
-+++ b/tests/t0300-reencryption.sh
-@@ -10,7 +10,7 @@ canonicalize_gpg_keys() {
- 	$GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u
- }
- gpg_keys_from_encrypted_file() {
--	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
-+	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | grep "public key is" | cut -d ' ' -f 5 | LC_ALL=C sort -u
- }
- gpg_keys_from_group() {
- 	local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)"
--- 
-2.16.2
-
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 0000000000..6460cf5855
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
++    ### If a file system already contains a block device with the same name as
++    ### the being extracted regular file, we would write the file's content
++    ### to the block device. So remove the existing file (block device) now.
++    ### If an archive contains multiple same-named entries, the last one
++    ### should replace the previous ones. So remove the old file now.
++    ### If the old entry is a symlink to a file outside of the CWD, the new
++    ### entry would create a file there. This is CVE-2018-12015
++    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++    if (-l $full || -e _) {
++	if (!unlink $full) {
++	    $self->_error( qq[Could not remove old file '$full': $!] );
++	    return;
++	}
++    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
deleted file mode 100644
index e1e71a332a..0000000000
--- a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001
-From: jakirkham <jakirkham@gmail.com>
-Date: Fri, 7 Jul 2017 05:57:56 -0400
-Subject: [PATCH] Drop ordereddict requirement (#84)
-
-* Drop ordereddict requirement
-
-As Python 2.7 is the minimum Python supported, every version of Python
-should have `ordereddict` preincluded in the standard library one way or
-another. So we can drop this dependency and just handle the differences
-between Python 2 and Python 3.
----
- nosetimer/plugin.py | 5 +----
- setup.py            | 1 -
- 2 files changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py
-index ef28e11..d093a51 100644
---- a/nosetimer/plugin.py
-+++ b/nosetimer/plugin.py
-@@ -12,10 +12,7 @@
- except ImportError:
-     import queue as Queue
- 
--try:
--    from collections import OrderedDict
--except ImportError:
--    from ordereddict import OrderedDict
-+from collections import OrderedDict
- 
- 
- # define constants
-diff --git a/setup.py b/setup.py
-index 6a55b82..d249325 100755
---- a/setup.py
-+++ b/setup.py
-@@ -27,7 +27,6 @@
-     install_requires=[
-         'nose',
-         'termcolor',
--        'ordereddict',
-     ],
-     license='MIT',
-     entry_points={
diff --git a/gnu/packages/patches/strace-kernel-4.16.patch b/gnu/packages/patches/strace-kernel-4.16.patch
deleted file mode 100644
index e86d3be439..0000000000
--- a/gnu/packages/patches/strace-kernel-4.16.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-Fix test failure when using Linux-Libre >= 4.16.
-
-Taken from upstream:
-https://github.com/strace/strace/commit/bcff87c31c0f27c678a43d6b7f67dab363a974fa
-
-From bcff87c31c0f27c678a43d6b7f67dab363a974fa Mon Sep 17 00:00:00 2001
-From: Masatake YAMATO <yamato@redhat.com>
-Date: Wed, 2 May 2018 17:11:07 +0900
-Subject: [PATCH] tests/ioctl_kvm_run.c: handle cpuid at the end of vcpu dentry
-
-Since Linux 4.16, kernel appends the cpuid as suffix to the entry
-for a kvm vcpu in /proc/$pid/fd like:
-
-    anon_inode:kvm-vcpu:0
-
-That was
-
-    anon_inode:kvm-vcpu
-
-This kernel change causes the test case failure on newer kernels.
-Update the test to deal with the new name as well as the old one.
-
-* tests/ioctl_kvm_run.c: Include unistd.h for using readlink(2).
-(vcpu_dev_should_have_cpuid): New function for detecting whether
-a proc entry for given fd has the cpuid suffix or not.
-(main): Trim vcpu_dev to remove the cpuid suffix if needed.
-(vcpu_dev): Remove const modifier.
----
- tests/ioctl_kvm_run.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/tests/ioctl_kvm_run.c b/tests/ioctl_kvm_run.c
-index 179461430..e1bef5796 100644
---- a/tests/ioctl_kvm_run.c
-+++ b/tests/ioctl_kvm_run.c
-@@ -40,6 +40,7 @@
- # include <string.h>
- # include <sys/ioctl.h>
- # include <sys/mman.h>
-+# include <unistd.h>
- # include <linux/kvm.h>
- 
- static int
-@@ -56,7 +57,7 @@ kvm_ioctl(int fd, unsigned long cmd, const char *cmd_str, void *arg)
- 
- static const char dev[] = "/dev/kvm";
- static const char vm_dev[] = "anon_inode:kvm-vm";
--static const char vcpu_dev[] = "anon_inode:kvm-vcpu";
-+static char vcpu_dev[] = "anon_inode:kvm-vcpu:0";
- static size_t page_size;
- 
- extern const char code[];
-@@ -165,6 +166,23 @@ run_kvm(const int vcpu_fd, struct kvm_run *const run, const size_t mmap_size,
- 	}
- }
- 
-+static int
-+vcpu_dev_should_have_cpuid(int fd)
-+{
-+	int r = 0;
-+	char *filename = NULL;
-+	char buf[sizeof(vcpu_dev)];
-+
-+	if (asprintf(&filename, "/proc/%d/fd/%d", getpid(), fd) < 0)
-+		error_msg_and_fail("asprintf");
-+
-+	if (readlink(filename, buf, sizeof(buf)) == sizeof(buf) - 1
-+	    && (memcmp(buf, vcpu_dev, sizeof(buf) - 1) == 0))
-+		r = 1;
-+	free(filename);
-+	return r;
-+}
-+
- int
- main(void)
- {
-@@ -208,6 +226,15 @@ main(void)
- 	       (unsigned long) page_size, (unsigned long) page_size, mem);
- 
- 	int vcpu_fd = KVM_IOCTL(vm_fd, KVM_CREATE_VCPU, NULL);
-+	if (!vcpu_dev_should_have_cpuid(vcpu_fd))
-+		/*
-+		 * This is an older kernel that doesn't place a cpuid
-+		 * at the end of the dentry associated with vcpu_fd.
-+		 * Trim the cpuid part of vcpu_dev like:
-+		 * "anon_inode:kvm-vcpu:0" -> "anon_inode:kvm-vcpu"
-+		 */
-+		vcpu_dev[strlen (vcpu_dev) - 2] = '\0';
-+
- 	printf("ioctl(%d<%s>, KVM_CREATE_VCPU, 0) = %d<%s>\n",
- 	       vm_fd, vm_dev, vcpu_fd, vcpu_dev);
- 
diff --git a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
new file mode 100644
index 0000000000..525980e73e
--- /dev/null
+++ b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
@@ -0,0 +1,96 @@
+From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001
+From: Pierre Neidhardt <ambrevar@gmail.com>
+Date: Sat, 16 Jun 2018 16:35:00 +0200
+Subject: [PATCH] Protect against bad crafted input
+
+Also check for wrap-around when checking oversize involving e_shoff and e_shnum.
+
+raised by https://github.com/upx/upx/pull/190
+	modified:   p_lx_elf.cpp
+---
+ src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 822a7652..41e805ee 100644
+--- a/src/p_lx_elf.cpp
++++ b/src/p_lx_elf.cpp
+@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f)
+         sz_phdrs = 0;
+         return;
+     }
++    if (0==e_phnum) throwCantUnpack("0==e_phnum");
+     e_phoff = get_te32(&ehdri.e_phoff);
++    unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr);
++    if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++        throwCantUnpack("bad e_phoff");
++    }
+     e_shoff = get_te32(&ehdri.e_shoff);
++    unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr);
++    if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++        throwCantUnpack("bad e_shoff");
++    }
+     sz_phdrs = e_phnum * e_phentsize;
+ 
+     if (f && Elf32_Ehdr::ET_DYN!=e_type) {
+@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f)
+         sz_phdrs = 0;
+         return;
+     }
++    if (0==e_phnum) throwCantUnpack("0==e_phnum");
+     e_phoff = get_te64(&ehdri.e_phoff);
++    upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr);
++    if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++        throwCantUnpack("bad e_phoff");
++    }
+     e_shoff = get_te64(&ehdri.e_shoff);
++    upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr);
++    if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++        throwCantUnpack("bad e_shoff");
++    }
+     sz_phdrs = e_phnum * e_phentsize;
+ 
+     if (f && Elf64_Ehdr::ET_DYN!=e_type) {
+@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft)
+ 
+ void PackLinuxElf64::unpack(OutputFile *fo)
+ {
++    if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr
++        throwCantUnpack("bad e_phoff");
++    }
+     unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+     upx_uint64_t old_data_off = 0;
+     upx_uint64_t old_data_len = 0;
+@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo)
+     unsigned total_out = 0;
+     unsigned c_adler = upx_adler32(NULL, 0);
+     unsigned u_adler = upx_adler32(NULL, 0);
++    if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) {
++        throwCantUnpack("bad compressed e_phnum");
++    }
+ 
+     // Packed ET_EXE has no PT_DYNAMIC.
+     // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
+ 
+ void PackLinuxElf32::unpack(OutputFile *fo)
+ {
++    if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr
++        throwCantUnpack("bad e_phoff");
++    }
+     unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+     unsigned old_data_off = 0;
+     unsigned old_data_len = 0;
+@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo)
+     unsigned total_out = 0;
+     unsigned c_adler = upx_adler32(NULL, 0);
+     unsigned u_adler = upx_adler32(NULL, 0);
++    if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) {
++        throwCantUnpack("bad compressed e_phnum");
++    }
+ 
+     // Packed ET_EXE has no PT_DYNAMIC.
+     // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+-- 
+2.17.0
+