Merge branch 'master' into python-tests

12 files changed, 350 insertions, 151 deletions

diff --git a/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch b/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch
deleted file mode 100644
index 4c6c7ed06e..0000000000
--- a/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-This fixes a test failure on i686.
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=5e2e111627871c566ffc6607eda8f4ef4699d040
-
-From 5e2e111627871c566ffc6607eda8f4ef4699d040 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
-Date: Thu, 2 Feb 2017 14:56:39 +0200
-Subject: [PATCH] multifdsink: Make sure to use a 64 bit integer for the
- units-max property
-
----
- tests/check/elements/multifdsink.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/check/elements/multifdsink.c b/tests/check/elements/multifdsink.c
-index af138cc92..951b1b9fa 100644
---- a/tests/check/elements/multifdsink.c
-+++ b/tests/check/elements/multifdsink.c
-@@ -869,7 +869,7 @@ GST_START_TEST (test_client_kick)
-   gint i, initial_buffers = 3, num_buffers = 0;
- 
-   sink = setup_multifdsink ();
--  g_object_set (sink, "units-max", initial_buffers, NULL);
-+  g_object_set (sink, "units-max", (gint64) initial_buffers, NULL);
- 
-   fail_if (pipe (pfd1) == -1);
-   fail_if (pipe (pfd2) == -1);
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/hubbub-sort-entities.patch b/gnu/packages/patches/hubbub-sort-entities.patch
new file mode 100644
index 0000000000..012e3c3022
--- /dev/null
+++ b/gnu/packages/patches/hubbub-sort-entities.patch
@@ -0,0 +1,13 @@
+Traverse the entities hash's keys in sorted order to ensure reproducibility.
+
+--- libhubbub-0.3.3/build/make-entities.pl
++++ libhubbub-0.3.3/build/make-entities.pl
+@@ -86,7 +86,7 @@
+ 
+ my $trie;
+ 
+-foreach my $key (keys %entities) {
++foreach my $key (sort keys %entities) {
+    $trie = insert_node($trie, $key, $entities{$key});
+ }
+ 
diff --git a/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch b/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
deleted file mode 100644
index a5fdd7ffff..0000000000
--- a/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix CVE-2016-0739 (Weak Diffie-Hellman secret generation in
-dh_generate_x() and dh_generate_y()).
-
-"Due to a byte/bit confusion, the DH secret was too short. This file was
-completely reworked and will be commited in a future version."
-Source:
-https://git.libssh.org/projects/libssh.git/commit/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86
-
-This patch was created by upstream for libssh-0.7.3, but applied without
-modification to libssh-0.6.3 by Debian. In Guix, we apply it without
-modification to libssh-0.6.5.
-
-References:
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
-https://security-tracker.debian.org/tracker/CVE-2016-0739
-
----
- src/dh.c | 22 +++++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/src/dh.c b/src/dh.c
-index e489a1d..d27b66e 100644
---- a/src/dh.c
-+++ b/src/dh.c
-@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
- }
- 
- int dh_generate_x(ssh_session session) {
-+  int keysize;
-+  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
-+    keysize = 1023;
-+  } else {
-+    keysize = 2047;
-+  }
-   session->next_crypto->x = bignum_new();
-   if (session->next_crypto->x == NULL) {
-     return -1;
-   }
- 
- #ifdef HAVE_LIBGCRYPT
--  bignum_rand(session->next_crypto->x, 128);
-+  bignum_rand(session->next_crypto->x, keysize);
- #elif defined HAVE_LIBCRYPTO
--  bignum_rand(session->next_crypto->x, 128, 0, -1);
-+  bignum_rand(session->next_crypto->x, keysize, -1, 0);
- #endif
- 
-   /* not harder than this */
-@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
- 
- /* used by server */
- int dh_generate_y(ssh_session session) {
--    session->next_crypto->y = bignum_new();
-+  int keysize;
-+  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
-+    keysize = 1023;
-+  } else {
-+    keysize = 2047;
-+  }
-+  session->next_crypto->y = bignum_new();
-   if (session->next_crypto->y == NULL) {
-     return -1;
-   }
- 
- #ifdef HAVE_LIBGCRYPT
--  bignum_rand(session->next_crypto->y, 128);
-+  bignum_rand(session->next_crypto->y, keysize);
- #elif defined HAVE_LIBCRYPTO
--  bignum_rand(session->next_crypto->y, 128, 0, -1);
-+  bignum_rand(session->next_crypto->y, keysize, -1, 0);
- #endif
- 
-   /* not harder than this */
--- 
-cgit v0.12
-
diff --git a/gnu/packages/patches/netsurf-about.patch b/gnu/packages/patches/netsurf-about.patch
deleted file mode 100644
index 1fb8eae824..0000000000
--- a/gnu/packages/patches/netsurf-about.patch
+++ /dev/null
@@ -1,26 +0,0 @@
---- netsurf-all-3.5/netsurf/gtk/about.c
-+++ netsurf-all-3.5/netsurf/gtk/about.c
-@@ -79,11 +79,11 @@
- 	switch (response_id) {
- 
- 	case ABOUT_RESPONSE_ID_LICENCE:
--		about_open("about:credits");
-+		about_open("about:licence");
- 		break;
- 
- 	case ABOUT_RESPONSE_ID_CREDITS:
--		about_open("about:licence");
-+		about_open("about:credits");
- 		break;
- 	}
- 
---- netsurf-all-3.5/netsurf/desktop/version.c
-+++ netsurf-all-3.5/netsurf/desktop/version.c
-@@ -20,6 +20,6 @@
- 
- #include "desktop/version.h"
- 
--const char * const netsurf_version = "3.5 (6th April 1016)";
-+const char * const netsurf_version = "3.5 (6th April 2016)";
- const int netsurf_version_major = 3;
- const int netsurf_version_minor = 5;
diff --git a/gnu/packages/patches/netsurf-longer-test-timeout.patch b/gnu/packages/patches/netsurf-longer-test-timeout.patch
new file mode 100644
index 0000000000..4dd5a8539f
--- /dev/null
+++ b/gnu/packages/patches/netsurf-longer-test-timeout.patch
@@ -0,0 +1,20 @@
+Increase the timeout on dictionary tests to accommodate slower machines.
+
+--- netsurf-3.6/test/hashtable.c
++++ netsurf-3.6/test/hashtable.c
+@@ -286,6 +286,7 @@
+ 	tcase_add_checked_fixture(tc_dict_s,
+ 				  dicts_hashtable_create,
+ 				  dict_hashtable_teardown);
++	tcase_set_timeout(tc_dict_s, 30);
+ 
+ 	tcase_add_test(tc_dict_s, hashtable_dict_test);
+ 
+@@ -297,6 +298,7 @@
+ 	tcase_add_checked_fixture(tc_dict_l,
+ 				  dictl_hashtable_create,
+ 				  dict_hashtable_teardown);
++	tcase_set_timeout(tc_dict_l, 30);
+ 
+ 	tcase_add_test(tc_dict_l, hashtable_dict_test);
+ 
diff --git a/gnu/packages/patches/netsurf-system-utf8proc.patch b/gnu/packages/patches/netsurf-system-utf8proc.patch
new file mode 100644
index 0000000000..254bf52c93
--- /dev/null
+++ b/gnu/packages/patches/netsurf-system-utf8proc.patch
@@ -0,0 +1,64 @@
+Use upstream utf8proc package, as suggested in
+http://source.netsurf-browser.org/libutf8proc.git/commit/?id=770e329cceaf0620c7b482589a9b17ed1d19c16d
+
+Work around upstream's lack of a pkg-config file and update API.
+
+--- netsurf-3.6/Makefile
++++ netsurf-3.6/Makefile
+@@ -527,10 +527,9 @@
+ $(eval $(call pkg_config_find_and_add,libcss,CSS))
+ $(eval $(call pkg_config_find_and_add,libdom,DOM))
+ $(eval $(call pkg_config_find_and_add,libnsutils,nsutils))
+-$(eval $(call pkg_config_find_and_add,libutf8proc,utf8proc))
+ 
+ # Common libraries without pkg-config support
+-LDFLAGS += -lz
++LDFLAGS += -lz -lutf8proc
+ 
+ # Optional libraries with pkgconfig
+ 
+--- netsurf-3.6/utils/idna.c
++++ netsurf-3.6/utils/idna.c
+@@ -26,7 +26,7 @@
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <libutf8proc/utf8proc.h>
++#include <utf8proc.h>
+ 
+ #include "utils/errors.h"
+ #include "utils/idna.h"
+@@ -250,7 +250,7 @@
+ 		return NSERROR_NOMEM;
+ 	}
+ 
+-	nfc_size = utf8proc_normalise(nfc_label, nfc_size,
++	nfc_size = utf8proc_normalize_utf32(nfc_label, nfc_size,
+ 		UTF8PROC_STABLE | UTF8PROC_COMPOSE);
+ 	if (nfc_size < 0) {
+ 		return NSERROR_NOMEM;
+@@ -565,7 +565,7 @@
+ 	}
+ 
+ 	/* Perform NFC normalisation */
+-	ucs4_len = utf8proc_normalise(ucs4, u_ucs4_len,
++	ucs4_len = utf8proc_normalize_utf32(ucs4, u_ucs4_len,
+ 		UTF8PROC_STABLE | UTF8PROC_COMPOSE);
+ 	if (ucs4_len < 0) {
+ 		free(ucs4);
+--- netsurf-3.6/test/Makefile
++++ netsurf-3.6/test/Makefile
+@@ -112,11 +112,11 @@
+ 		-D_XOPEN_SOURCE=600 \
+ 		-Itest -Iinclude -Icontent/handlers -Ifrontends -I. -I.. \
+ 		-Dnsgtk \
+-		$(shell pkg-config --cflags libcurl libparserutils libwapcaplet libdom libnsutils libutf8proc libidn) \
++		$(shell pkg-config --cflags libcurl libparserutils libwapcaplet libdom libnsutils libidn) \
+ 		$(LIB_CFLAGS) \
+ 		$(COV_CFLAGS)
+ 
+-TESTLDFLAGS := $(shell pkg-config --libs libcurl libparserutils libwapcaplet libdom libnsutils libutf8proc libidn) -lz \
++TESTLDFLAGS := $(shell pkg-config --libs libcurl libparserutils libwapcaplet libdom libnsutils libidn) -lz -lutf8proc \
+ 		$(LIB_LDFLAGS)\
+ 		$(COV_LDFLAGS)
+ 
diff --git a/gnu/packages/patches/netsurf-y2038-tests.patch b/gnu/packages/patches/netsurf-y2038-tests.patch
new file mode 100644
index 0000000000..407a5277c8
--- /dev/null
+++ b/gnu/packages/patches/netsurf-y2038-tests.patch
@@ -0,0 +1,25 @@
+These two test cases fail for us on i686.
+
+See https://en.wikipedia.org/wiki/Year_2038_problem
+
+--- netsurf-3.6/test/time.c
++++ netsurf-3.6/test/time.c
+@@ -77,18 +77,10 @@
+ 		.expected = "Tue, 12 Jun 2001 12:12:12 GMT"
+ 	},
+ 	{
+-		.test     = "Thu, 16 Jul 2207 12:45:12 GMT",
+-		.expected = "Thu, 16 Jul 2207 12:45:12 GMT"
+-	},
+-	{
+ 		.test     = "Thu, 16 Aug 2007 19:45:12 GMT",
+ 		.expected = "Thu, 16 Aug 2007 19:45:12 GMT"
+ 	},
+ 	{
+-		.test     = "Tue, 16 Sep 3456 00:45:12 GMT",
+-		.expected = "Tue, 16 Sep 3456 00:45:12 GMT"
+-	},
+-	{
+ 		.test     = "Sun, 16 Oct 1988 19:45:59 GMT",
+ 		.expected = "Sun, 16 Oct 1988 19:45:59 GMT"
+ 	},
diff --git a/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch b/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch
index 6edd676e38..83c9dbb3d4 100644
--- a/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch
+++ b/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch
@@ -2,25 +2,26 @@ Fix CVE-2017-0358:
 http://seclists.org/oss-sec/2017/q1/259
 This patch was copied from the above URL.
 
-diff -ur ntfs-3g.old/src/lowntfs-3g.c ntfs-3g/src/lowntfs-3g.c
---- ntfs-3g.old/src/lowntfs-3g.c	2017-02-09 15:01:04.074331542 -0500
-+++ ntfs-3g/src/lowntfs-3g.c	2017-02-09 15:06:35.757580937 -0500
-@@ -3827,13 +3827,14 @@
-	struct stat st;
-	pid_t pid;
-	const char *cmd = "/sbin/modprobe";
+diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c
+index 0bb38f9..c6d1dad 100644
+--- a/src/lowntfs-3g.c
++++ b/src/lowntfs-3g.c
+@@ -3827,13 +3827,14 @@ static fuse_fstype load_fuse_module(void)
+ 	struct stat st;
+ 	pid_t pid;
+ 	const char *cmd = "/sbin/modprobe";
 +	char *env = (char*)NULL;
-	struct timespec req = { 0, 100000000 };   /* 100 msec */
-	fuse_fstype fstype;
-        
-	if (!stat(cmd, &st) && !geteuid()) {
-		pid = fork();
-		if (!pid) {
+ 	struct timespec req = { 0, 100000000 };   /* 100 msec */
+ 	fuse_fstype fstype;
+         
+ 	if (!stat(cmd, &st) && !geteuid()) {
+ 		pid = fork();
+ 		if (!pid) {
 -			execl(cmd, cmd, "fuse", NULL);
 +			execle(cmd, cmd, "fuse", NULL, &env);
-			_exit(1);
-		} else if (pid != -1)
-			waitpid(pid, NULL, 0);
+ 			_exit(1);
+ 		} else if (pid != -1)
+ 			waitpid(pid, NULL, 0);
 diff -ur ntfs-3g.old/src/ntfs-3g.c ntfs-3g/src/ntfs-3g.c
 --- ntfs-3g.old/src/ntfs-3g.c	2017-02-09 15:01:04.074331542 -0500
 +++ ntfs-3g/src/ntfs-3g.c	2017-02-09 15:06:26.077252571 -0500
diff --git a/gnu/packages/patches/shadow-CVE-2017-2616.patch b/gnu/packages/patches/shadow-CVE-2017-2616.patch
new file mode 100644
index 0000000000..f88aac40bc
--- /dev/null
+++ b/gnu/packages/patches/shadow-CVE-2017-2616.patch
@@ -0,0 +1,72 @@
+Fix CVE-2017-2616:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
+http://seclists.org/oss-sec/2017/q1/490
+http://seclists.org/oss-sec/2017/q1/474
+
+Patch copied from upstream source repository:
+
+https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
+
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index f20d230..d86aa86 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
+ 		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
diff --git a/gnu/packages/patches/util-linux-CVE-2017-2616.patch b/gnu/packages/patches/util-linux-CVE-2017-2616.patch
new file mode 100644
index 0000000000..2c82fb06d2
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2017-2616.patch
@@ -0,0 +1,65 @@
+Fix CVE-2017-2616:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
+http://seclists.org/oss-sec/2017/q1/474
+
+Patch copied from upstream source repository:
+
+https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=dffab154d29a288aa171ff50263ecc8f2e14a891
+
+From b018571132cb8c9fece3d75ed240cc74cdb5f0f7 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 1 Feb 2017 11:58:09 +0100
+Subject: [PATCH] su: properly clear child PID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported-by: Tobias Stöckmann <tobias@stoeckmann.org>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ login-utils/su-common.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/su-common.c b/login-utils/su-common.c
+index 0ea4e40bd..b1720f037 100644
+--- a/login-utils/su-common.c
++++ b/login-utils/su-common.c
+@@ -376,6 +376,9 @@ create_watching_parent (void)
+             }
+           else
+             status = WEXITSTATUS (status);
++
++	  /* child is gone, don't use the PID anymore */
++	  child = (pid_t) -1;
+         }
+       else if (caught_signal)
+         status = caught_signal + 128;
+@@ -385,7 +388,7 @@ create_watching_parent (void)
+   else
+     status = 1;
+ 
+-  if (caught_signal)
++  if (caught_signal && child != (pid_t)-1)
+     {
+       fprintf (stderr, _("\nSession terminated, killing shell..."));
+       kill (child, SIGTERM);
+@@ -395,9 +398,12 @@ create_watching_parent (void)
+ 
+   if (caught_signal)
+     {
+-      sleep (2);
+-      kill (child, SIGKILL);
+-      fprintf (stderr, _(" ...killed.\n"));
++      if (child != (pid_t)-1)
++	{
++	  sleep (2);
++	  kill (child, SIGKILL);
++	  fprintf (stderr, _(" ...killed.\n"));
++	}
+ 
+       /* Let's terminate itself with the received signal.
+        *
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch b/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch
new file mode 100644
index 0000000000..03093e8330
--- /dev/null
+++ b/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch
@@ -0,0 +1,42 @@
+Fix test failures caused by some build machines running more slowly than
+expected, which manifest like this:
+
+------
+>       raise FailedHealthCheck(message)
+E       hypothesis.errors.FailedHealthCheck: Data generation is extremely slow: Only produced 4 valid examples in 1.08 seconds (1 invalid ones and 0 exceeded maximum size). Try decreasing size of the data you're generating (with e.g.average_size or max_leaves parameters).
+E       See http://hypothesis.readthedocs.org/en/latest/healthchecks.html for more information about this. If you want to disable just this health check, add HealthCheck.too_slowto the suppress_health_check settings for this test.
+
+/gnu/store/b8d1r8bilvm3jkncgrpvmg3dni9cgcr1-python-hypothesis-3.1.0/lib/python3.5/site-packages/hypothesis/core.py:296: FailedHealthCheck
+------
+
+Patch copied from upstream source repository:
+
+https://github.com/pimutils/vdirsyncer/commit/10490a12f13f03495e0945eb9d45d7aed9ab0a6c
+
+From 10490a12f13f03495e0945eb9d45d7aed9ab0a6c Mon Sep 17 00:00:00 2001
+From: Markus Unterwaditzer <markus@unterwaditzer.net>
+Date: Sat, 18 Feb 2017 15:45:06 +0100
+Subject: [PATCH] Unconditionally disable HealthCheck.too_slow
+
+---
+ tests/conftest.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/conftest.py b/tests/conftest.py
+index e0a07d5..3afd7cd 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -26,10 +26,12 @@ def benchmark():
+ else:
+     del pytest_benchmark
+ 
++
++settings.suppress_health_check = [HealthCheck.too_slow]
++
+ settings.register_profile("ci", settings(
+     max_examples=1000,
+     verbosity=Verbosity.verbose,
+-    suppress_health_check=[HealthCheck.too_slow]
+ ))
+ settings.register_profile("deterministic", settings(
+     derandomize=True,
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch
new file mode 100644
index 0000000000..070f98c2cb
--- /dev/null
+++ b/gnu/packages/patches/vim-CVE-2017-5953.patch
@@ -0,0 +1,32 @@
+Fix CVE-2017-5953:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
+https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
+
+This change is adapted from the upstream source repository:
+
+https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index c7d87c6..00ef019 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -1585,7 +1585,7 @@ spell_read_tree(
+     int		prefixtree,	/* TRUE for the prefix tree */
+     int		prefixcnt)	/* when "prefixtree" is TRUE: prefix count */
+ {
+-    int		len;
++    long	len;
+     int		idx;
+     char_u	*bp;
+     idx_T	*ip;
+@@ -1595,6 +1595,9 @@ spell_read_tree(
+     len = get4c(fd);
+     if (len < 0)
+ 	return SP_TRUNCERROR;
++    if (len >= LONG_MAX / (long)sizeof(int))
++	/* Invalid length, multiply with sizeof(int) would overflow. */
++	return SP_FORMERROR;
+     if (len > 0)
+     {
+ 	/* Allocate the byte array. */