aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/ath9k-htc-firmware-binutils.patch39
-rw-r--r--gnu/packages/patches/binutils-mips-bash-bug.patch22
-rw-r--r--gnu/packages/patches/cmake-fix-tests.patch83
-rw-r--r--gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch142
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283-refix.patch39
-rw-r--r--gnu/packages/patches/expat-CVE-2016-0718.patch761
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/fontconfig-CVE-2016-5384.patch170
-rw-r--r--gnu/packages/patches/gawk-fts-test.patch51
-rw-r--r--gnu/packages/patches/gcc-arm-bug-71399.patch55
-rw-r--r--gnu/packages/patches/gnupg-fix-expired-test.patch78
-rw-r--r--gnu/packages/patches/guile-relocatable.patch14
-rw-r--r--gnu/packages/patches/isl-0.11.1-aarch64-support.patch40
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7942.patch76
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7943.patch113
-rw-r--r--gnu/packages/patches/libxfixes-CVE-2016-7944.patch62
-rw-r--r--gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch420
-rw-r--r--gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch447
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7949.patch66
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7950.patch73
-rw-r--r--gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch152
-rw-r--r--gnu/packages/patches/libxv-CVE-2016-5407.patch162
-rw-r--r--gnu/packages/patches/libxvmc-CVE-2016-7953.patch42
-rw-r--r--gnu/packages/patches/linux-pam-no-setfsuid.patch75
-rw-r--r--gnu/packages/patches/openssl-CVE-2016-2177.patch286
-rw-r--r--gnu/packages/patches/openssl-CVE-2016-2178.patch112
-rw-r--r--gnu/packages/patches/perl-CVE-2015-8607.patch68
-rw-r--r--gnu/packages/patches/perl-CVE-2016-2381.patch116
-rw-r--r--gnu/packages/patches/perl-no-build-time.patch26
-rw-r--r--gnu/packages/patches/perl-reproducible-build-date.patch50
-rw-r--r--gnu/packages/patches/perl-source-date-epoch.patch19
-rw-r--r--gnu/packages/patches/procps-non-linux.patch40
-rw-r--r--gnu/packages/patches/python-3.4-fix-tests.patch12
-rw-r--r--gnu/packages/patches/python-3.5-fix-tests.patch46
-rw-r--r--gnu/packages/patches/python-disable-ssl-test.patch12
-rw-r--r--gnu/packages/patches/python-file-double-encoding-bug.patch50
-rw-r--r--gnu/packages/patches/python-fix-tests.patch15
-rw-r--r--gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch33
38 files changed, 523 insertions, 3574 deletions
diff --git a/gnu/packages/patches/ath9k-htc-firmware-binutils.patch b/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
index edd411e1a8..aa253e135f 100644
--- a/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
+++ b/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
@@ -1,6 +1,12 @@
-This Binutils patch is from the ath9k-htc-firmware repository (version 1.3.2).
-Not applying it (apparently) leads to miscompiled firmware, and loading it
-fails with a "Target is unresponsive" message from the 'ath9k_htc' module.
+These Binutils patches are from the ath9k-htc-firmware repository
+(commit f6af791348b68ceadab375e4ed0f7bcda86cb3c0).
+
+Not applying the first patch (apparently) leads to miscompiled firmware,
+and loading it fails with a "Target is unresponsive" message from the
+'ath9k_htc' module.
+
+The final hunk, applied to 'gas/config/tc-xtensa.c', is copied from the
+upstream file 'local/patches/binutils-2.27_fixup.patch'.
From dbca73446265ce01b8e11462c3346b25953e3399 Mon Sep 17 00:00:00 2001
From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
@@ -28873,16 +28879,6 @@ diff --git a/include/xtensa-config.h b/include/xtensa-config.h
index 30f4f41..fe9b051 100644
--- a/include/xtensa-config.h
+++ b/include/xtensa-config.h
-@@ -1,7 +1,7 @@
- /* Xtensa configuration settings.
-- Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010
-+ Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007
- Free Software Foundation, Inc.
-- Contributed by Bob Wilson (bob.wilson@acm.org) at Tensilica.
-+ Contributed by Bob Wilson (bwilson@tensilica.com) at Tensilica.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
@@ -44,10 +44,7 @@
#define XCHAL_HAVE_L32R 1
@@ -28973,3 +28969,20 @@ index 30f4f41..fe9b051 100644
#define XCHAL_MAX_INSTRUCTION_SIZE 3
--
1.8.1
+
+diff --git a/gas/config/tc-xtensa.c b/gas/config/tc-xtensa.c
+index d062044..ca261ae 100644
+--- a/gas/config/tc-xtensa.c
++++ b/gas/config/tc-xtensa.c
+@@ -2228,7 +2228,7 @@ xg_reverse_shift_count (char **cnt_argp)
+ cnt_arg = *cnt_argp;
+
+ /* replace the argument with "31-(argument)" */
+- new_arg = concat ("31-(", cnt_argp, ")", (char *) NULL);
++ new_arg = concat ("31-(", cnt_arg, ")", (char *) NULL);
+
+ free (cnt_arg);
+ *cnt_argp = new_arg;
+--
+2.10.1
+
diff --git a/gnu/packages/patches/binutils-mips-bash-bug.patch b/gnu/packages/patches/binutils-mips-bash-bug.patch
new file mode 100644
index 0000000000..08d3a79749
--- /dev/null
+++ b/gnu/packages/patches/binutils-mips-bash-bug.patch
@@ -0,0 +1,22 @@
+Bash 4.2.0(1)-release, which we use during bootstrap, does not yield the
+"x" case in:
+
+ case x"$EMULATION_NAME" in x) ;; *) ;; esac
+
+when 'EMULATION_NAME' is undefined. Bash 4.3.30(1)-release doesn't have this
+problem. Work around it.
+
+This Bash bug was fixed
+in <http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-007>.
+
+--- a/ld/emulparams/elf32bmipn32-defs.sh
++++ b/ld/emulparams/elf32bmipn32-defs.sh
+@@ -13,7 +13,7 @@ LITTLE_OUTPUT_FORMAT="elf32-littlemips"
+ TEMPLATE_NAME=elf32
+ EXTRA_EM_FILE=mipself
+
+-case x"$EMULATION_NAME" in
++case "x$EMULATION_NAME" in
+ xelf32*n32*) ELFSIZE=32 ;;
+ xelf64*) ELFSIZE=64 ;;
+ x) ;;
diff --git a/gnu/packages/patches/cmake-fix-tests.patch b/gnu/packages/patches/cmake-fix-tests.patch
index f59e2cd625..732b0023ab 100644
--- a/gnu/packages/patches/cmake-fix-tests.patch
+++ b/gnu/packages/patches/cmake-fix-tests.patch
@@ -1,6 +1,17 @@
---- cmake-3.2.2.orig/Tests/CMakeLists.txt 2015-04-14 01:09:00.000000000 +0800
-+++ cmake-3.2.2/Tests/CMakeLists.txt 2015-04-28 15:02:34.913039742 +0800
-@@ -342,10 +342,12 @@
+From af0a62dadfb3db25880bc653e2e4c97435a604c9 Mon Sep 17 00:00:00 2001
+From: Efraim Flashner <efraim@flashner.co.il>
+Date: Mon, 29 Aug 2016 20:07:58 +0300
+Subject: [PATCH] cmake-fix-tests
+
+---
+ Tests/CMakeLists.txt | 83 ++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 39 deletions(-)
+
+diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt
+index f21e430..56014a2 100644
+--- a/Tests/CMakeLists.txt
++++ b/Tests/CMakeLists.txt
+@@ -416,10 +416,12 @@ if(BUILD_TESTING)
endif()
# run test for BundleUtilities on supported platforms/compilers
@@ -17,7 +28,7 @@
if(NOT "${CMAKE_GENERATOR}" STREQUAL "Watcom WMake")
add_test(BundleUtilities ${CMAKE_CTEST_COMMAND}
-@@ -2257,16 +2259,17 @@
+@@ -2481,30 +2483,32 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release
PASS_REGULAR_EXPRESSION "Could not find executable"
FAIL_REGULAR_EXPRESSION "SegFault")
@@ -31,6 +42,20 @@
- )
- set_tests_properties(CTestTestUpload PROPERTIES
- PASS_REGULAR_EXPRESSION "Upload\\.xml")
+-
+- configure_file(
+- "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
+- "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake"
+- @ONLY ESCAPE_QUOTES)
+- add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND}
+- -C \${CTEST_CONFIGURATION_TYPE}
+- -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV
+- --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log"
+- )
+- set_tests_properties(CTestCoverageCollectGCOV PROPERTIES
+- PASS_REGULAR_EXPRESSION
+- "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov")
+- set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=)
+# This test requires network connectivity: skip it.
+# configure_file(
+# "${CMake_SOURCE_DIR}/Tests/CTestTestUpload/test.cmake.in"
@@ -42,6 +67,54 @@
+# )
+# set_tests_properties(CTestTestUpload PROPERTIES
+# PASS_REGULAR_EXPRESSION "Upload\\.xml")
++
++# This test times out
++# configure_file(
++# "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
++# "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake"
++# @ONLY ESCAPE_QUOTES)
++# add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND}
++# -C \${CTEST_CONFIGURATION_TYPE}
++# -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV
++# --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log"
++# )
++# set_tests_properties(CTestCoverageCollectGCOV PROPERTIES
++# PASS_REGULAR_EXPRESSION
++# "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov")
++# set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=)
+
+ configure_file(
+ "${CMake_SOURCE_DIR}/Tests/CTestTestEmptyBinaryDirectory/test.cmake.in"
+@@ -2860,17 +2864,18 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release
+ set_tests_properties(CTestTestStopTime PROPERTIES
+ PASS_REGULAR_EXPRESSION "The stop time has been passed")
+
+- configure_file(
+- "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in"
+- "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake"
+- @ONLY ESCAPE_QUOTES)
+- add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND}
+- -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V
+- --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log"
+- )
+- #make sure all 3 subdirs were added
+- set_tests_properties(CTestTestSubdir PROPERTIES
+- PASS_REGULAR_EXPRESSION "0 tests failed out of 3")
++# This test fails to build 2 of the 3 tests
++# configure_file(
++# "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in"
++# "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake"
++# @ONLY ESCAPE_QUOTES)
++# add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND}
++# -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V
++# --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log"
++# )
++# #make sure all 3 subdirs were added
++# set_tests_properties(CTestTestSubdir PROPERTIES
++# PASS_REGULAR_EXPRESSION "0 tests failed out of 3")
configure_file(
- "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
+ "${CMake_SOURCE_DIR}/Tests/CTestTestTimeout/test.cmake.in"
+--
+2.9.3
+
diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
deleted file mode 100644
index edc43f84f1..0000000000
--- a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-Fix CVE-2012-6702 and CVE-2016-5300.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
-
-Patch copied from:
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/
-
-From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Wed, 16 Mar 2016 15:30:12 +0100
-Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
-
-Squashed backport against vanilla Expat 2.1.1, addressing:
-* CVE-2012-6702 -- unanticipated internal calls to srand
-* CVE-2016-5300 -- use of too little entropy
-
-Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
-(released with Expat 2.1.0) Expat called srand by itself
-from inside generate_hash_secret_salt for an instance
-of XML_Parser if XML_SetHashSalt was either (a) not called
-for that instance or if (b) salt 0 was passed to XML_SetHashSalt
-prior to parsing. That call to srand passed (rather litle)
-entropy extracted from the current time as a seed for srand.
-
-That call to srand (1) broke repeatability for code calling
-srand with a non-random seed prior to parsing with Expat,
-and (2) resulted in a rather small set of hashing salts in
-Expat in total.
-
-For a short- to mid-term fix, the new approach avoids calling
-srand altogether, extracts more entropy out of the clock and
-other sources, too.
-
-For a long term fix, we may want to read sizeof(long) bytes
-from a source like getrandom(..) on Linux, and from similar
-sources on other supported architectures.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1197087
----
- CMakeLists.txt | 3 +++
- lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
- 2 files changed, 44 insertions(+), 7 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 353627e..524d514 100755
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib)
- if(MSVC)
- add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)
- endif(MSVC)
-+if(WIN32)
-+ add_definitions(-DCOMPILED_FROM_DSP)
-+endif(WIN32)
-
- set(expat_SRCS
- lib/xmlparse.c
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..c5f942f 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -6,7 +6,14 @@
- #include <string.h> /* memset(), memcpy() */
- #include <assert.h>
- #include <limits.h> /* UINT_MAX */
--#include <time.h> /* time() */
-+
-+#ifdef COMPILED_FROM_DSP
-+#define getpid GetCurrentProcessId
-+#else
-+#include <sys/time.h> /* gettimeofday() */
-+#include <sys/types.h> /* getpid() */
-+#include <unistd.h> /* getpid() */
-+#endif
-
- #define XML_BUILDING_EXPAT 1
-
-@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
- getElementType(XML_Parser parser, const ENCODING *enc,
- const char *ptr, const char *end);
-
--static unsigned long generate_hash_secret_salt(void);
-+static unsigned long generate_hash_secret_salt(XML_Parser parser);
- static XML_Bool startParsing(XML_Parser parser);
-
- static XML_Parser
-@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = {
- };
-
- static unsigned long
--generate_hash_secret_salt(void)
-+gather_time_entropy(void)
- {
-- unsigned int seed = time(NULL) % UINT_MAX;
-- srand(seed);
-- return rand();
-+#ifdef COMPILED_FROM_DSP
-+ FILETIME ft;
-+ GetSystemTimeAsFileTime(&ft); /* never fails */
-+ return ft.dwHighDateTime ^ ft.dwLowDateTime;
-+#else
-+ struct timeval tv;
-+ int gettimeofday_res;
-+
-+ gettimeofday_res = gettimeofday(&tv, NULL);
-+ assert (gettimeofday_res == 0);
-+
-+ /* Microseconds time is <20 bits entropy */
-+ return tv.tv_usec;
-+#endif
-+}
-+
-+static unsigned long
-+generate_hash_secret_salt(XML_Parser parser)
-+{
-+ /* Process ID is 0 bits entropy if attacker has local access
-+ * XML_Parser address is few bits of entropy if attacker has local access */
-+ const unsigned long entropy =
-+ gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
-+
-+ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
-+ if (sizeof(unsigned long) == 4) {
-+ return entropy * 2147483647;
-+ } else {
-+ return entropy * 2305843009213693951;
-+ }
- }
-
- static XML_Bool /* only valid for root parser */
-@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
- {
- /* hash functions must be initialized before setContext() is called */
- if (hash_secret_salt == 0)
-- hash_secret_salt = generate_hash_secret_salt();
-+ hash_secret_salt = generate_hash_secret_salt(parser);
- if (ns) {
- /* implicit context only set for root parser, since child
- parsers (i.e. external entity parsers) will inherit it
---
-2.8.2
-
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
deleted file mode 100644
index fc8d6291f5..0000000000
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Follow-up upstream fix for CVE-2015-1283 to not rely on undefined
-behavior.
-
-Adapted from a patch from Debian (found in Debian package version
-2.1.0-6+deb8u2) to apply to upstream code:
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
-
----
- lib/xmlparse.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 0f6f4cd..5c70c17 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len)
- }
-
- if (len > bufferLim - bufferEnd) {
-- int neededSize = len + (int)(bufferEnd - bufferPtr);
-+ /* Do not invoke signed arithmetic overflow: */
-+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
- if (neededSize < 0) {
- errorCode = XML_ERROR_NO_MEMORY;
- return NULL;
-@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len)
- if (bufferSize == 0)
- bufferSize = INIT_BUFFER_SIZE;
- do {
-- bufferSize *= 2;
-+ /* Do not invoke signed arithmetic overflow: */
-+ bufferSize = (int) (2U * (unsigned) bufferSize);
- } while (bufferSize < neededSize && bufferSize > 0);
- if (bufferSize <= 0) {
- errorCode = XML_ERROR_NO_MEMORY;
---
-2.8.3
-
diff --git a/gnu/packages/patches/expat-CVE-2016-0718.patch b/gnu/packages/patches/expat-CVE-2016-0718.patch
deleted file mode 100644
index 22436c20cc..0000000000
--- a/gnu/packages/patches/expat-CVE-2016-0718.patch
+++ /dev/null
@@ -1,761 +0,0 @@
-Fix CVE-2016-0718.
-
-Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2016-0718-v2-2-1.patch/
-
-From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 2 May 2016 00:02:44 +0200
-Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1)
-
-* Out of bounds memory access when doing text conversion on malformed input
-* Integer overflow related to memory allocation
-
-Reported by Gustavo Grieco
-
-Patch credits go to
-* Christian Heimes
-* Karl Waclawek
-* Gustavo Grieco
-* Sebastian Pipping
-* Pascal Cuoq
----
- expat/lib/xmlparse.c | 34 +++++++++-----
- expat/lib/xmltok.c | 115 +++++++++++++++++++++++++++++++++++-------------
- expat/lib/xmltok.h | 10 ++++-
- expat/lib/xmltok_impl.c | 62 +++++++++++++-------------
- 4 files changed, 146 insertions(+), 75 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..13e080d 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2436,11 +2436,11 @@ doContent(XML_Parser parser,
- for (;;) {
- int bufSize;
- int convLen;
-- XmlConvert(enc,
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc,
- &fromPtr, rawNameEnd,
- (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
- convLen = (int)(toPtr - (XML_Char *)tag->buf);
-- if (fromPtr == rawNameEnd) {
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
- tag->name.strLen = convLen;
- break;
- }
-@@ -2661,11 +2661,11 @@ doContent(XML_Parser parser,
- if (MUST_CONVERT(enc, s)) {
- for (;;) {
- ICHAR *dataPtr = (ICHAR *)dataBuf;
-- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
- *eventEndPP = s;
- charDataHandler(handlerArg, dataBuf,
- (int)(dataPtr - (ICHAR *)dataBuf));
-- if (s == next)
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
- break;
- *eventPP = s;
- }
-@@ -3269,11 +3269,11 @@ doCdataSection(XML_Parser parser,
- if (MUST_CONVERT(enc, s)) {
- for (;;) {
- ICHAR *dataPtr = (ICHAR *)dataBuf;
-- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
- *eventEndPP = next;
- charDataHandler(handlerArg, dataBuf,
- (int)(dataPtr - (ICHAR *)dataBuf));
-- if (s == next)
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
- break;
- *eventPP = s;
- }
-@@ -5350,6 +5350,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
- const char *s, const char *end)
- {
- if (MUST_CONVERT(enc, s)) {
-+ enum XML_Convert_Result convert_res;
- const char **eventPP;
- const char **eventEndPP;
- if (enc == encoding) {
-@@ -5362,11 +5363,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
- }
- do {
- ICHAR *dataPtr = (ICHAR *)dataBuf;
-- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-+ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
- *eventEndPP = s;
- defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
- *eventPP = s;
-- } while (s != end);
-+ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
- }
- else
- defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
-@@ -6169,8 +6170,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc,
- if (!pool->ptr && !poolGrow(pool))
- return NULL;
- for (;;) {
-- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-- if (ptr == end)
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
- break;
- if (!poolGrow(pool))
- return NULL;
-@@ -6254,8 +6255,13 @@ poolGrow(STRING_POOL *pool)
- }
- }
- if (pool->blocks && pool->start == pool->blocks->s) {
-- int blockSize = (int)(pool->end - pool->start)*2;
-- BLOCK *temp = (BLOCK *)
-+ BLOCK *temp;
-+ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
-+
-+ if (blockSize < 0)
-+ return XML_FALSE;
-+
-+ temp = (BLOCK *)
- pool->mem->realloc_fcn(pool->blocks,
- (offsetof(BLOCK, s)
- + blockSize * sizeof(XML_Char)));
-@@ -6270,6 +6276,10 @@ poolGrow(STRING_POOL *pool)
- else {
- BLOCK *tem;
- int blockSize = (int)(pool->end - pool->start);
-+
-+ if (blockSize < 0)
-+ return XML_FALSE;
-+
- if (blockSize < INIT_BLOCK_SIZE)
- blockSize = INIT_BLOCK_SIZE;
- else
-diff --git a/lib/xmltok.c b/lib/xmltok.c
-index bf09dfc..cb98ce1 100644
---- a/lib/xmltok.c
-+++ b/lib/xmltok.c
-@@ -318,39 +318,55 @@ enum { /* UTF8_cvalN is value of masked first byte of N byte sequence */
- UTF8_cval4 = 0xf0
- };
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf8(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- char **toP, const char *toLim)
- {
-+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
- char *to;
- const char *from;
- if (fromLim - *fromP > toLim - *toP) {
- /* Avoid copying partial characters. */
-+ res = XML_CONVERT_OUTPUT_EXHAUSTED;
- for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--)
- if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
- break;
- }
-- for (to = *toP, from = *fromP; from != fromLim; from++, to++)
-+ for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
- *to = *from;
- *fromP = from;
- *toP = to;
-+
-+ if ((to == toLim) && (from < fromLim))
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
-+ else
-+ return res;
- }
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf16(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- unsigned short **toP, const unsigned short *toLim)
- {
-+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
- unsigned short *to = *toP;
- const char *from = *fromP;
-- while (from != fromLim && to != toLim) {
-+ while (from < fromLim && to < toLim) {
- switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
- case BT_LEAD2:
-+ if (fromLim - from < 2) {
-+ res = XML_CONVERT_INPUT_INCOMPLETE;
-+ break;
-+ }
- *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
- from += 2;
- break;
- case BT_LEAD3:
-+ if (fromLim - from < 3) {
-+ res = XML_CONVERT_INPUT_INCOMPLETE;
-+ break;
-+ }
- *to++ = (unsigned short)(((from[0] & 0xf) << 12)
- | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
- from += 3;
-@@ -358,8 +374,14 @@ utf8_toUtf16(const ENCODING *enc,
- case BT_LEAD4:
- {
- unsigned long n;
-- if (to + 1 == toLim)
-+ if (toLim - to < 2) {
-+ res = XML_CONVERT_OUTPUT_EXHAUSTED;
- goto after;
-+ }
-+ if (fromLim - from < 4) {
-+ res = XML_CONVERT_INPUT_INCOMPLETE;
-+ goto after;
-+ }
- n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
- | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
- n -= 0x10000;
-@@ -377,6 +399,7 @@ utf8_toUtf16(const ENCODING *enc,
- after:
- *fromP = from;
- *toP = to;
-+ return res;
- }
-
- #ifdef XML_NS
-@@ -425,7 +448,7 @@ static const struct normal_encoding internal_utf8_encoding = {
- STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_)
- };
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- latin1_toUtf8(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- char **toP, const char *toLim)
-@@ -433,30 +456,35 @@ latin1_toUtf8(const ENCODING *enc,
- for (;;) {
- unsigned char c;
- if (*fromP == fromLim)
-- break;
-+ return XML_CONVERT_COMPLETED;
- c = (unsigned char)**fromP;
- if (c & 0x80) {
- if (toLim - *toP < 2)
-- break;
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
- *(*toP)++ = (char)((c >> 6) | UTF8_cval2);
- *(*toP)++ = (char)((c & 0x3f) | 0x80);
- (*fromP)++;
- }
- else {
- if (*toP == toLim)
-- break;
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
- *(*toP)++ = *(*fromP)++;
- }
- }
- }
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- latin1_toUtf16(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- unsigned short **toP, const unsigned short *toLim)
- {
-- while (*fromP != fromLim && *toP != toLim)
-+ while (*fromP < fromLim && *toP < toLim)
- *(*toP)++ = (unsigned char)*(*fromP)++;
-+
-+ if ((*toP == toLim) && (*fromP < fromLim))
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
-+ else
-+ return XML_CONVERT_COMPLETED;
- }
-
- #ifdef XML_NS
-@@ -483,13 +511,18 @@ static const struct normal_encoding latin1_encoding = {
- STANDARD_VTABLE(sb_)
- };
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- ascii_toUtf8(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- char **toP, const char *toLim)
- {
-- while (*fromP != fromLim && *toP != toLim)
-+ while (*fromP < fromLim && *toP < toLim)
- *(*toP)++ = *(*fromP)++;
-+
-+ if ((*toP == toLim) && (*fromP < fromLim))
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
-+ else
-+ return XML_CONVERT_COMPLETED;
- }
-
- #ifdef XML_NS
-@@ -536,13 +569,14 @@ unicode_byte_type(char hi, char lo)
- }
-
- #define DEFINE_UTF16_TO_UTF8(E) \
--static void PTRCALL \
-+static enum XML_Convert_Result PTRCALL \
- E ## toUtf8(const ENCODING *enc, \
- const char **fromP, const char *fromLim, \
- char **toP, const char *toLim) \
- { \
-- const char *from; \
-- for (from = *fromP; from != fromLim; from += 2) { \
-+ const char *from = *fromP; \
-+ fromLim = from + (((fromLim - from) >> 1) << 1); /* shrink to even */ \
-+ for (; from < fromLim; from += 2) { \
- int plane; \
- unsigned char lo2; \
- unsigned char lo = GET_LO(from); \
-@@ -552,7 +586,7 @@ E ## toUtf8(const ENCODING *enc, \
- if (lo < 0x80) { \
- if (*toP == toLim) { \
- *fromP = from; \
-- return; \
-+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
- } \
- *(*toP)++ = lo; \
- break; \
-@@ -562,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \
- case 0x4: case 0x5: case 0x6: case 0x7: \
- if (toLim - *toP < 2) { \
- *fromP = from; \
-- return; \
-+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
- } \
- *(*toP)++ = ((lo >> 6) | (hi << 2) | UTF8_cval2); \
- *(*toP)++ = ((lo & 0x3f) | 0x80); \
-@@ -570,7 +604,7 @@ E ## toUtf8(const ENCODING *enc, \
- default: \
- if (toLim - *toP < 3) { \
- *fromP = from; \
-- return; \
-+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
- } \
- /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \
- *(*toP)++ = ((hi >> 4) | UTF8_cval3); \
-@@ -580,7 +614,11 @@ E ## toUtf8(const ENCODING *enc, \
- case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
- if (toLim - *toP < 4) { \
- *fromP = from; \
-- return; \
-+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
-+ } \
-+ if (fromLim - from < 4) { \
-+ *fromP = from; \
-+ return XML_CONVERT_INPUT_INCOMPLETE; \
- } \
- plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \
- *(*toP)++ = ((plane >> 2) | UTF8_cval4); \
-@@ -596,20 +634,32 @@ E ## toUtf8(const ENCODING *enc, \
- } \
- } \
- *fromP = from; \
-+ if (from < fromLim) \
-+ return XML_CONVERT_INPUT_INCOMPLETE; \
-+ else \
-+ return XML_CONVERT_COMPLETED; \
- }
-
- #define DEFINE_UTF16_TO_UTF16(E) \
--static void PTRCALL \
-+static enum XML_Convert_Result PTRCALL \
- E ## toUtf16(const ENCODING *enc, \
- const char **fromP, const char *fromLim, \
- unsigned short **toP, const unsigned short *toLim) \
- { \
-+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \
-+ fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1); /* shrink to even */ \
- /* Avoid copying first half only of surrogate */ \
- if (fromLim - *fromP > ((toLim - *toP) << 1) \
-- && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \
-+ && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \
- fromLim -= 2; \
-- for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \
-+ res = XML_CONVERT_INPUT_INCOMPLETE; \
-+ } \
-+ for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \
- *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \
-+ if ((*toP == toLim) && (*fromP < fromLim)) \
-+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
-+ else \
-+ return res; \
- }
-
- #define SET2(ptr, ch) \
-@@ -1288,7 +1338,7 @@ unknown_isInvalid(const ENCODING *enc, const char *p)
- return (c & ~0xFFFF) || checkCharRefNumber(c) < 0;
- }
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- unknown_toUtf8(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- char **toP, const char *toLim)
-@@ -1299,21 +1349,21 @@ unknown_toUtf8(const ENCODING *enc,
- const char *utf8;
- int n;
- if (*fromP == fromLim)
-- break;
-+ return XML_CONVERT_COMPLETED;
- utf8 = uenc->utf8[(unsigned char)**fromP];
- n = *utf8++;
- if (n == 0) {
- int c = uenc->convert(uenc->userData, *fromP);
- n = XmlUtf8Encode(c, buf);
- if (n > toLim - *toP)
-- break;
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
- utf8 = buf;
- *fromP += (AS_NORMAL_ENCODING(enc)->type[(unsigned char)**fromP]
- - (BT_LEAD2 - 2));
- }
- else {
- if (n > toLim - *toP)
-- break;
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
- (*fromP)++;
- }
- do {
-@@ -1322,13 +1372,13 @@ unknown_toUtf8(const ENCODING *enc,
- }
- }
-
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- unknown_toUtf16(const ENCODING *enc,
- const char **fromP, const char *fromLim,
- unsigned short **toP, const unsigned short *toLim)
- {
- const struct unknown_encoding *uenc = AS_UNKNOWN_ENCODING(enc);
-- while (*fromP != fromLim && *toP != toLim) {
-+ while (*fromP < fromLim && *toP < toLim) {
- unsigned short c = uenc->utf16[(unsigned char)**fromP];
- if (c == 0) {
- c = (unsigned short)
-@@ -1340,6 +1390,11 @@ unknown_toUtf16(const ENCODING *enc,
- (*fromP)++;
- *(*toP)++ = c;
- }
-+
-+ if ((*toP == toLim) && (*fromP < fromLim))
-+ return XML_CONVERT_OUTPUT_EXHAUSTED;
-+ else
-+ return XML_CONVERT_COMPLETED;
- }
-
- ENCODING *
-@@ -1503,7 +1558,7 @@ initScan(const ENCODING * const *encodingTable,
- {
- const ENCODING **encPtr;
-
-- if (ptr == end)
-+ if (ptr >= end)
- return XML_TOK_NONE;
- encPtr = enc->encPtr;
- if (ptr + 1 == end) {
-diff --git a/lib/xmltok.h b/lib/xmltok.h
-index ca867aa..752007e 100644
---- a/lib/xmltok.h
-+++ b/lib/xmltok.h
-@@ -130,6 +130,12 @@ typedef int (PTRCALL *SCANNER)(const ENCODING *,
- const char *,
- const char **);
-
-+enum XML_Convert_Result {
-+ XML_CONVERT_COMPLETED = 0,
-+ XML_CONVERT_INPUT_INCOMPLETE = 1,
-+ XML_CONVERT_OUTPUT_EXHAUSTED = 2 /* and therefore potentially input remaining as well */
-+};
-+
- struct encoding {
- SCANNER scanners[XML_N_STATES];
- SCANNER literalScanners[XML_N_LITERAL_TYPES];
-@@ -158,12 +164,12 @@ struct encoding {
- const char *ptr,
- const char *end,
- const char **badPtr);
-- void (PTRCALL *utf8Convert)(const ENCODING *enc,
-+ enum XML_Convert_Result (PTRCALL *utf8Convert)(const ENCODING *enc,
- const char **fromP,
- const char *fromLim,
- char **toP,
- const char *toLim);
-- void (PTRCALL *utf16Convert)(const ENCODING *enc,
-+ enum XML_Convert_Result (PTRCALL *utf16Convert)(const ENCODING *enc,
- const char **fromP,
- const char *fromLim,
- unsigned short **toP,
-diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
-index 9c2895b..6c5a3ba 100644
---- a/lib/xmltok_impl.c
-+++ b/lib/xmltok_impl.c
-@@ -93,13 +93,13 @@ static int PTRCALL
- PREFIX(scanComment)(const ENCODING *enc, const char *ptr,
- const char *end, const char **nextTokPtr)
- {
-- if (ptr != end) {
-+ if (ptr < end) {
- if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) {
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
- ptr += MINBPC(enc);
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- INVALID_CASES(ptr, nextTokPtr)
- case BT_MINUS:
-@@ -147,7 +147,7 @@ PREFIX(scanDecl)(const ENCODING *enc, const char *ptr,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- case BT_PERCNT:
- if (ptr + MINBPC(enc) == end)
-@@ -233,7 +233,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- case BT_S: case BT_CR: case BT_LF:
-@@ -242,7 +242,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
- return XML_TOK_INVALID;
- }
- ptr += MINBPC(enc);
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- INVALID_CASES(ptr, nextTokPtr)
- case BT_QUEST:
-@@ -305,7 +305,7 @@ static int PTRCALL
- PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
- const char *end, const char **nextTokPtr)
- {
-- if (ptr == end)
-+ if (ptr >= end)
- return XML_TOK_NONE;
- if (MINBPC(enc) > 1) {
- size_t n = end - ptr;
-@@ -348,7 +348,7 @@ PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
- ptr += MINBPC(enc);
- break;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
- case BT_LEAD ## n: \
-@@ -391,11 +391,11 @@ PREFIX(scanEndTag)(const ENCODING *enc, const char *ptr,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- case BT_S: case BT_CR: case BT_LF:
-- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
- switch (BYTE_TYPE(enc, ptr)) {
- case BT_S: case BT_CR: case BT_LF:
- break;
-@@ -432,7 +432,7 @@ static int PTRCALL
- PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
- const char *end, const char **nextTokPtr)
- {
-- if (ptr != end) {
-+ if (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- case BT_DIGIT:
- case BT_HEX:
-@@ -441,7 +441,7 @@ PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
- switch (BYTE_TYPE(enc, ptr)) {
- case BT_DIGIT:
- case BT_HEX:
-@@ -464,7 +464,7 @@ static int PTRCALL
- PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
- const char *end, const char **nextTokPtr)
- {
-- if (ptr != end) {
-+ if (ptr < end) {
- if (CHAR_MATCHES(enc, ptr, ASCII_x))
- return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr);
- switch (BYTE_TYPE(enc, ptr)) {
-@@ -474,7 +474,7 @@ PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
- switch (BYTE_TYPE(enc, ptr)) {
- case BT_DIGIT:
- break;
-@@ -506,7 +506,7 @@ PREFIX(scanRef)(const ENCODING *enc, const char *ptr, const char *end,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- case BT_SEMI:
-@@ -529,7 +529,7 @@ PREFIX(scanAtts)(const ENCODING *enc, const char *ptr, const char *end,
- #ifdef XML_NS
- int hadColon = 0;
- #endif
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- #ifdef XML_NS
-@@ -716,7 +716,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
- hadColon = 0;
- #endif
- /* we have a start-tag */
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- #ifdef XML_NS
-@@ -740,7 +740,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
- case BT_S: case BT_CR: case BT_LF:
- {
- ptr += MINBPC(enc);
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr)
- case BT_GT:
-@@ -785,7 +785,7 @@ static int PTRCALL
- PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
- const char **nextTokPtr)
- {
-- if (ptr == end)
-+ if (ptr >= end)
- return XML_TOK_NONE;
- if (MINBPC(enc) > 1) {
- size_t n = end - ptr;
-@@ -832,7 +832,7 @@ PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
- ptr += MINBPC(enc);
- break;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
- case BT_LEAD ## n: \
-@@ -895,7 +895,7 @@ PREFIX(scanPercent)(const ENCODING *enc, const char *ptr, const char *end,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- case BT_SEMI:
-@@ -921,7 +921,7 @@ PREFIX(scanPoundName)(const ENCODING *enc, const char *ptr, const char *end,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- case BT_CR: case BT_LF: case BT_S:
-@@ -941,7 +941,7 @@ PREFIX(scanLit)(int open, const ENCODING *enc,
- const char *ptr, const char *end,
- const char **nextTokPtr)
- {
-- while (ptr != end) {
-+ while (ptr < end) {
- int t = BYTE_TYPE(enc, ptr);
- switch (t) {
- INVALID_CASES(ptr, nextTokPtr)
-@@ -973,7 +973,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
- const char **nextTokPtr)
- {
- int tok;
-- if (ptr == end)
-+ if (ptr >= end)
- return XML_TOK_NONE;
- if (MINBPC(enc) > 1) {
- size_t n = end - ptr;
-@@ -1141,7 +1141,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
- *nextTokPtr = ptr;
- return XML_TOK_INVALID;
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- case BT_GT: case BT_RPAR: case BT_COMMA:
-@@ -1204,10 +1204,10 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr,
- const char *end, const char **nextTokPtr)
- {
- const char *start;
-- if (ptr == end)
-+ if (ptr >= end)
- return XML_TOK_NONE;
- start = ptr;
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
- case BT_LEAD ## n: ptr += n; break;
-@@ -1262,10 +1262,10 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr,
- const char *end, const char **nextTokPtr)
- {
- const char *start;
-- if (ptr == end)
-+ if (ptr >= end)
- return XML_TOK_NONE;
- start = ptr;
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
- case BT_LEAD ## n: ptr += n; break;
-@@ -1326,7 +1326,7 @@ PREFIX(ignoreSectionTok)(const ENCODING *enc, const char *ptr,
- end = ptr + n;
- }
- }
-- while (ptr != end) {
-+ while (ptr < end) {
- switch (BYTE_TYPE(enc, ptr)) {
- INVALID_CASES(ptr, nextTokPtr)
- case BT_LT:
-@@ -1373,7 +1373,7 @@ PREFIX(isPublicId)(const ENCODING *enc, const char *ptr, const char *end,
- {
- ptr += MINBPC(enc);
- end -= MINBPC(enc);
-- for (; ptr != end; ptr += MINBPC(enc)) {
-+ for (; ptr < end; ptr += MINBPC(enc)) {
- switch (BYTE_TYPE(enc, ptr)) {
- case BT_DIGIT:
- case BT_HEX:
-@@ -1760,7 +1760,7 @@ PREFIX(updatePosition)(const ENCODING *enc,
- case BT_CR:
- pos->lineNumber++;
- ptr += MINBPC(enc);
-- if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF)
-+ if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF)
- ptr += MINBPC(enc);
- pos->columnNumber = (XML_Size)-1;
- break;
---
-2.8.2
-
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000000..1f3cb028d4
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+ while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch b/gnu/packages/patches/fontconfig-CVE-2016-5384.patch
deleted file mode 100644
index 617d5afbaf..0000000000
--- a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-Fix CVE-2016-5384 (double-free resulting in arbitrary code execution):
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384>
-
-Copied from upstream code repository:
-
-<https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940>
-
-From 7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sat, 25 Jun 2016 19:18:53 +0200
-Subject: Properly validate offsets in cache files.
-
-The cache files are insufficiently validated. Even though the magic
-number at the beginning of the file as well as time stamps are checked,
-it is not verified if contained offsets are in legal ranges or are
-even pointers.
-
-The lack of validation allows an attacker to trigger arbitrary free()
-calls, which in turn allows double free attacks and therefore arbitrary
-code execution. Due to the conversion from offsets into pointers through
-macros, this even allows to circumvent ASLR protections.
-
-This attack vector allows privilege escalation when used with setuid
-binaries like fbterm. A user can create ~/.fonts or any other
-system-defined user-private font directory, run fc-cache and adjust
-cache files in ~/.cache/fontconfig. The execution of setuid binaries will
-scan these files and therefore are prone to attacks.
-
-If it's not about code execution, an endless loop can be created by
-letting linked lists become circular linked lists.
-
-This patch verifies that:
-
-- The file is not larger than the maximum addressable space, which
- basically only affects 32 bit systems. This allows out of boundary
- access into unallocated memory.
-- Offsets are always positive or zero
-- Offsets do not point outside file boundaries
-- No pointers are allowed in cache files, every "pointer or offset"
- field must be an offset or NULL
-- Iterating linked lists must not take longer than the amount of elements
- specified. A violation of this rule can break a possible endless loop.
-
-If one or more of these points are violated, the cache is recreated.
-This is current behaviour.
-
-Even though this patch fixes many issues, the use of mmap() shall be
-forbidden in setuid binaries. It is impossible to guarantee with these
-checks that a malicious user does not change cache files after
-verification. This should be handled in a different patch.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
-diff --git a/src/fccache.c b/src/fccache.c
-index 71e8f03..02ec301 100644
---- a/src/fccache.c
-+++ b/src/fccache.c
-@@ -27,6 +27,7 @@
- #include <fcntl.h>
- #include <dirent.h>
- #include <string.h>
-+#include <limits.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <assert.h>
-@@ -587,6 +588,82 @@ FcCacheTimeValid (FcConfig *config, FcCache *cache, struct stat *dir_stat)
- return cache->checksum == (int) dir_stat->st_mtime && fnano;
- }
-
-+static FcBool
-+FcCacheOffsetsValid (FcCache *cache)
-+{
-+ char *base = (char *)cache;
-+ char *end = base + cache->size;
-+ intptr_t *dirs;
-+ FcFontSet *fs;
-+ int i, j;
-+
-+ if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) ||
-+ memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL)
-+ return FcFalse;
-+
-+ if (cache->dirs < 0 || cache->dirs >= cache->size ||
-+ cache->dirs_count < 0 ||
-+ cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t))
-+ return FcFalse;
-+
-+ dirs = FcCacheDirs (cache);
-+ if (dirs)
-+ {
-+ for (i = 0; i < cache->dirs_count; i++)
-+ {
-+ FcChar8 *dir;
-+
-+ if (dirs[i] < 0 ||
-+ dirs[i] > end - (char *) dirs - sizeof (intptr_t))
-+ return FcFalse;
-+
-+ dir = FcOffsetToPtr (dirs, dirs[i], FcChar8);
-+ if (memchr (dir, '\0', end - (char *) dir) == NULL)
-+ return FcFalse;
-+ }
-+ }
-+
-+ if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet))
-+ return FcFalse;
-+
-+ fs = FcCacheSet (cache);
-+ if (fs)
-+ {
-+ if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern))
-+ return FcFalse;
-+
-+ if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts))
-+ return FcFalse;
-+
-+ for (i = 0; i < fs->nfont; i++)
-+ {
-+ FcPattern *font = FcFontSetFont (fs, i);
-+ FcPatternElt *e;
-+ FcValueListPtr l;
-+
-+ if ((char *) font < base ||
-+ (char *) font > end - sizeof (FcFontSet) ||
-+ font->elts_offset < 0 ||
-+ font->elts_offset > end - (char *) font ||
-+ font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt))
-+ return FcFalse;
-+
-+
-+ e = FcPatternElts(font);
-+ if (e->values != 0 && !FcIsEncodedOffset(e->values))
-+ return FcFalse;
-+
-+ for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
-+ if (l->next != NULL && !FcIsEncodedOffset(l->next))
-+ break;
-+ if (j < 0)
-+ return FcFalse;
-+ }
-+ }
-+
-+ return FcTrue;
-+}
-+
- /*
- * Map a cache file into memory
- */
-@@ -596,7 +673,8 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di
- FcCache *cache;
- FcBool allocated = FcFalse;
-
-- if (fd_stat->st_size < (int) sizeof (FcCache))
-+ if (fd_stat->st_size > INTPTR_MAX ||
-+ fd_stat->st_size < (int) sizeof (FcCache))
- return NULL;
- cache = FcCacheFindByStat (fd_stat);
- if (cache)
-@@ -652,6 +730,7 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di
- if (cache->magic != FC_CACHE_MAGIC_MMAP ||
- cache->version < FC_CACHE_VERSION_NUMBER ||
- cache->size != (intptr_t) fd_stat->st_size ||
-+ !FcCacheOffsetsValid (cache) ||
- !FcCacheTimeValid (config, cache, dir_stat) ||
- !FcCacheInsert (cache, fd_stat))
- {
---
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/gawk-fts-test.patch b/gnu/packages/patches/gawk-fts-test.patch
deleted file mode 100644
index de1f5c431c..0000000000
--- a/gnu/packages/patches/gawk-fts-test.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-This is upstream commit c9a018c. We have observed random failures of
-this test on i686 that seem related to load.
-
-2015-05-21 Arnold D. Robbins <arnold@skeeve.com>
-
- * fts.awk: Really remove atime from the output.
- This avoids spurious failures on heavily loaded systems.
-
-diff --git a/test/fts.awk b/test/fts.awk
-index b1df060..dea5b68 100644
---- a/test/fts.awk
-+++ b/test/fts.awk
-@@ -50,6 +50,11 @@ function sort_traverse(data, sorted, i)
- {
- asorti(data, sorted)
- for (i = 1; i in sorted; i++) {
-+ # 5/2015: skip for atime, since there can
-+ # occasionally be small differences.
-+ if (sorted[i] == "atime")
-+ continue
-+
- indent()
- printf("%s --> %s\n", sorted[i], data[sorted[i]]) > output
- }
-@@ -63,17 +68,20 @@ function traverse(data, i)
- printf("%s:\n", i) > output
-
- Level++
-- if (("mtime" in data[i]) && ! isarray(data[i][mtime])) {
-+ if (("mtime" in data[i]) && ! isarray(data[i]["mtime"])) {
- sort_traverse(data[i])
- } else {
- traverse(data[i])
- }
- Level--
-- } else if (data[i] != "atime") {
-- # 4/2015: skip for atime, since there can
-- # occasionally be small differences.
-- indent()
-- printf("%s --> %s\n", i, data[i]) > output
-+# } else {
-+# JUNK = 1
-+# if (i != "atime") {
-+# # 4/2015: skip for atime, since there can
-+# # occasionally be small differences.
-+# indent()
-+# printf("%s --> %s\n", i, data[i]) > output
-+# }
- }
- }
- }
diff --git a/gnu/packages/patches/gcc-arm-bug-71399.patch b/gnu/packages/patches/gcc-arm-bug-71399.patch
new file mode 100644
index 0000000000..6f04fece0e
--- /dev/null
+++ b/gnu/packages/patches/gcc-arm-bug-71399.patch
@@ -0,0 +1,55 @@
+Revert the following commit to work around a bootstrap comparison failure on
+ARMv7, as reported at <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71399>.
+
+commit f6ab85b7049a03962ea98924d00802da357a1ad3
+Author: renlin <renlin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Wed Dec 2 14:06:31 2015 +0000
+
+ [PR67383][ARM][4.9]Backport of "Allow any register for DImode values in Thumb2"
+
+ This partially fix PR67383. It allows the reload more flexibility to choose
+ spilling pseudo registers.
+
+
+ gcc/ChangeLog:
+
+ 2015-12-02 Renlin Li <renlin.li@arm.com>
+
+ Backport from mainline.
+ 2014-04-22 Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>
+
+ * config/arm/arm.c (arm_hard_regno_mode_ok): Loosen
+ restrictions on core registers for DImode values in Thumb2.
+
+
+ git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-4_9-branch@231177 138bc75d-0d04-0410-961f-82ee72b054a4
+
+diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
+index 8ba6060..d9028a1 100644
+--- b/gcc/config/arm/arm.c
++++ a/gcc/config/arm/arm.c
+@@ -22624,19 +22624,12 @@
+ }
+
+ /* We allow almost any value to be stored in the general registers.
+- Restrict doubleword quantities to even register pairs in ARM state
+- so that we can use ldrd. Do not allow very large Neon structure
+- opaque modes in general registers; they would use too many. */
++ Restrict doubleword quantities to even register pairs so that we can
++ use ldrd. Do not allow very large Neon structure opaque modes in
++ general registers; they would use too many. */
+ if (regno <= LAST_ARM_REGNUM)
+- {
+- if (ARM_NUM_REGS (mode) > 4)
+- return FALSE;
+-
+- if (TARGET_THUMB2)
+- return TRUE;
+-
+- return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0);
+- }
++ return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0)
++ && ARM_NUM_REGS (mode) <= 4;
+
+ if (regno == FRAME_POINTER_REGNUM
+ || regno == ARG_POINTER_REGNUM)
diff --git a/gnu/packages/patches/gnupg-fix-expired-test.patch b/gnu/packages/patches/gnupg-fix-expired-test.patch
deleted file mode 100644
index ac2564f50c..0000000000
--- a/gnu/packages/patches/gnupg-fix-expired-test.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-Fix a test that has an expiration date of 2016-09-17:
-
-https://bugs.gnupg.org/gnupg/issue2393
-
-Patch adapted from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e584d6468a2e72cd01e55f46104f9f96b56c0b66
-
-The patch has been altered by commenting out a diff that does not apply
-to the version of GnuPG that we are applying it to, 2.1.13. This is
-what the patch author refers to below with "This commit includes changes
-to the old test as well, for those who need to backport it." We keep the
-old test and comment out the new test.
-
-From e584d6468a2e72cd01e55f46104f9f96b56c0b66 Mon Sep 17 00:00:00 2001
-From: Justus Winter <justus@g10code.com>
-Date: Thu, 23 Jun 2016 17:24:23 +0200
-Subject: [PATCH] tests/openpgp: Fake the system time for the tofu test.
-
-The keys in the tofu test are set to expire on 2016-09-17. Fake the
-system time for this test.
-
-This commit includes changes to the old test as well, for those who
-need to backport it.
-
-* tests/openpgp/gpg-agent.conf.tmpl: Drop trailing newlines.
-* tests/openpgp/tofu.scm: Fake system time.
-* tests/openpgp/tofu.test: Likewise.
-
-GnuPG-bug-id: 2393
-Signed-off-by: Justus Winter <justus@g10code.com>
----
- tests/openpgp/gpg-agent.conf.tmpl | 2 --
- tests/openpgp/tofu.scm | 4 +++-
- tests/openpgp/tofu.test | 3 +++
- 3 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tests/openpgp/gpg-agent.conf.tmpl b/tests/openpgp/gpg-agent.conf.tmpl
-index b3cb54f..70e1633 100644
---- a/tests/openpgp/gpg-agent.conf.tmpl
-+++ b/tests/openpgp/gpg-agent.conf.tmpl
-@@ -1,4 +1,2 @@
- allow-preset-passphrase
- no-grab
--
--
-#diff --git a/tests/openpgp/tofu.scm b/tests/openpgp/tofu.scm
-#index 24fa9df..38b6a0f 100755
-#--- a/tests/openpgp/tofu.scm
-#+++ b/tests/openpgp/tofu.scm
-#@@ -19,7 +19,9 @@
-#
-# (load (with-path "defs.scm"))
-#
-#-(define GPG `(,(tool 'gpg) --no-permission-warning)) ;; w/o --always-trust
-#+ ;; Redefine GPG without --always-trust and a fixed time.
-#+(define GPG `(,(tool 'gpg) --no-permission-warning
-#+ --faked-system-time=1466684990))
-# (define GNUPGHOME (getenv "GNUPGHOME"))
-# (if (string=? "" GNUPGHOME)
-# (error "GNUPGHOME not set"))
-diff --git a/tests/openpgp/tofu.test b/tests/openpgp/tofu.test
-index 18c1756..0d34af4 100755
---- a/tests/openpgp/tofu.test
-+++ b/tests/openpgp/tofu.test
-@@ -4,6 +4,9 @@
-
- # set -x
-
-+# Redefine GPG with a fixed time.
-+GPG="$GPG --faked-system-time=1466684990"
-+
- KEYS="2183839A BC15C85A EE37CF96"
-
- # Make sure $srcdir is set.
---
-2.10.0
-
diff --git a/gnu/packages/patches/guile-relocatable.patch b/gnu/packages/patches/guile-relocatable.patch
index 077394cdde..2431495f24 100644
--- a/gnu/packages/patches/guile-relocatable.patch
+++ b/gnu/packages/patches/guile-relocatable.patch
@@ -1,8 +1,6 @@
This patch changes Guile to use a default search path relative to the
location of the `guile' binary, allowing it to be relocated.
-diff --git a/libguile/load.c b/libguile/load.c
-index af2ca45..19dd338 100644
--- a/libguile/load.c
+++ b/libguile/load.c
@@ -26,6 +26,7 @@
@@ -12,8 +10,8 @@ index af2ca45..19dd338 100644
+#include <libgen.h>
#include "libguile/_scm.h"
- #include "libguile/private-gc.h" /* scm_getenv_int */
-@@ -255,6 +256,32 @@ scm_init_load_path ()
+ #include "libguile/alist.h"
+@@ -325,6 +326,32 @@
SCM cpath = SCM_EOL;
#ifdef SCM_LIBRARY_DIR
@@ -43,10 +41,10 @@ index af2ca45..19dd338 100644
+ strcpy (ccache_dir, prefix);
+ strcat (ccache_dir, "/lib/guile/2.0/ccache");
+
- env = getenv ("GUILE_SYSTEM_PATH");
+ env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_PATH"));
if (env && strcmp (env, "") == 0)
/* special-case interpret system-path=="" as meaning no system path instead
-@@ -263,10 +290,7 @@ scm_init_load_path ()
+@@ -333,10 +360,7 @@
else if (env)
path = scm_parse_path (scm_from_locale_string (env), path);
else
@@ -56,9 +54,9 @@ index af2ca45..19dd338 100644
- scm_from_locale_string (SCM_PKGDATA_DIR));
+ path = scm_list_1 (scm_from_locale_string (module_dir));
- env = getenv ("GUILE_SYSTEM_COMPILED_PATH");
+ env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_COMPILED_PATH"));
if (env && strcmp (env, "") == 0)
-@@ -276,8 +300,7 @@ scm_init_load_path ()
+@@ -346,8 +370,7 @@
cpath = scm_parse_path (scm_from_locale_string (env), cpath);
else
{
diff --git a/gnu/packages/patches/isl-0.11.1-aarch64-support.patch b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch
new file mode 100644
index 0000000000..c5607fc80d
--- /dev/null
+++ b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch
@@ -0,0 +1,40 @@
+Add aarch64 support to config.guess and config.sub, as would be found if using
+a more recent version of autoconf.
+---
+ config.guess | 7 +++++++
+ config.sub | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/config.guess b/config.guess
+index 40eaed4..baad294 100755
+--- a/config.guess
++++ b/config.guess
+@@ -861,6 +861,13 @@ EOF
+ i*86:Minix:*:*)
+ echo ${UNAME_MACHINE}-pc-minix
+ exit ;;
++ aarch64:Linux:*:*)
++ echo ${UNAME_MACHINE}-unknown-linux-gnu
++ exit ;;
++ aarch64_be:Linux:*:*)
++ UNAME_MACHINE=aarch64_be
++ echo ${UNAME_MACHINE}-unknown-linux-gnu
++ exit ;;
+ alpha:Linux:*:*)
+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ EV5) UNAME_MACHINE=alphaev5 ;;
+diff --git a/config.sub b/config.sub
+index 30fdca8..8f5b018 100755
+--- a/config.sub
++++ b/config.sub
+@@ -247,6 +247,7 @@ case $basic_machine in
+ # Some are omitted here because they have special meanings below.
+ 1750a | 580 \
+ | a29k \
++ | aarch64 | aarch64_be \
+ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ | am33_2.0 \
+--
+2.9.0
+
diff --git a/gnu/packages/patches/libx11-CVE-2016-7942.patch b/gnu/packages/patches/libx11-CVE-2016-7942.patch
deleted file mode 100644
index 75770235ef..0000000000
--- a/gnu/packages/patches/libx11-CVE-2016-7942.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-Fix CVE-2016-7942:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
-
-From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:25:25 +0200
-Subject: [PATCH] Validation of server responses in XGetImage()
-
-Check if enough bytes were received for specified image type and
-geometry. Otherwise GetPixel and other functions could trigger an
-out of boundary read later on.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/GetImage.c | 29 ++++++++++++++++++++---------
- 1 file changed, 20 insertions(+), 9 deletions(-)
-
-diff --git a/src/GetImage.c b/src/GetImage.c
-index c461abc..ff32d58 100644
---- a/src/GetImage.c
-+++ b/src/GetImage.c
-@@ -59,6 +59,7 @@ XImage *XGetImage (
- char *data;
- unsigned long nbytes;
- XImage *image;
-+ int planes;
- LockDisplay(dpy);
- GetReq (GetImage, req);
- /*
-@@ -91,18 +92,28 @@ XImage *XGetImage (
- return (XImage *) NULL;
- }
- _XReadPad (dpy, data, nbytes);
-- if (format == XYPixmap)
-- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
-- Ones (plane_mask &
-- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
-- format, 0, data, width, height, dpy->bitmap_pad, 0);
-- else /* format == ZPixmap */
-- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-- rep.depth, ZPixmap, 0, data, width, height,
-- _XGetScanlinePad(dpy, (int) rep.depth), 0);
-+ if (format == XYPixmap) {
-+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
-+ Ones (plane_mask &
-+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
-+ format, 0, data, width, height, dpy->bitmap_pad, 0);
-+ planes = image->depth;
-+ } else { /* format == ZPixmap */
-+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-+ rep.depth, ZPixmap, 0, data, width, height,
-+ _XGetScanlinePad(dpy, (int) rep.depth), 0);
-+ planes = 1;
-+ }
-
- if (!image)
- Xfree(data);
-+ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
-+ INT_MAX / image->height <= image->bytes_per_line ||
-+ INT_MAX / planes <= image->height * image->bytes_per_line ||
-+ nbytes < planes * image->height * image->bytes_per_line) {
-+ XDestroyImage(image);
-+ image = NULL;
-+ }
- UnlockDisplay(dpy);
- SyncHandle();
- return (image);
---
-2.10.1
-
diff --git a/gnu/packages/patches/libx11-CVE-2016-7943.patch b/gnu/packages/patches/libx11-CVE-2016-7943.patch
deleted file mode 100644
index 7bcbc58dd4..0000000000
--- a/gnu/packages/patches/libx11-CVE-2016-7943.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-Fix CVE-2016-7943:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943.
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
-
-From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:22:57 +0200
-Subject: [PATCH] The validation of server responses avoids out of boundary
- accesses.
-
-v2: FontNames.c return a NULL list whenever a single
-length field from the server is incohent.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/FontNames.c | 23 +++++++++++++++++------
- src/ListExt.c | 12 ++++++++----
- src/ModMap.c | 3 ++-
- 3 files changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/src/FontNames.c b/src/FontNames.c
-index 21dcafe..e55f338 100644
---- a/src/FontNames.c
-+++ b/src/FontNames.c
-@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
-
- if (rep.nFonts) {
- flist = Xmalloc (rep.nFonts * sizeof(char *));
-- if (rep.length < (INT_MAX >> 2)) {
-+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
- rlen = rep.length << 2;
- ch = Xmalloc(rlen + 1);
- /* +1 to leave room for last null-terminator */
-@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */
- if (ch + length < chend) {
- flist[i] = ch + 1; /* skip over length */
- ch += length + 1; /* find next length ... */
-- length = *(unsigned char *)ch;
-- *ch = '\0'; /* and replace with null-termination */
-- count++;
-- } else
-- flist[i] = NULL;
-+ if (ch <= chend) {
-+ length = *(unsigned char *)ch;
-+ *ch = '\0'; /* and replace with null-termination */
-+ count++;
-+ } else {
-+ Xfree(flist);
-+ flist = NULL;
-+ count = 0;
-+ break;
-+ }
-+ } else {
-+ Xfree(flist);
-+ flist = NULL;
-+ count = 0;
-+ break;
-+ }
- }
- }
- *actualCount = count;
-diff --git a/src/ListExt.c b/src/ListExt.c
-index be6b989..0516e45 100644
---- a/src/ListExt.c
-+++ b/src/ListExt.c
-@@ -55,7 +55,7 @@ char **XListExtensions(
-
- if (rep.nExtensions) {
- list = Xmalloc (rep.nExtensions * sizeof (char *));
-- if (rep.length < (INT_MAX >> 2)) {
-+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
- rlen = rep.length << 2;
- ch = Xmalloc (rlen + 1);
- /* +1 to leave room for last null-terminator */
-@@ -80,9 +80,13 @@ char **XListExtensions(
- if (ch + length < chend) {
- list[i] = ch+1; /* skip over length */
- ch += length + 1; /* find next length ... */
-- length = *ch;
-- *ch = '\0'; /* and replace with null-termination */
-- count++;
-+ if (ch <= chend) {
-+ length = *ch;
-+ *ch = '\0'; /* and replace with null-termination */
-+ count++;
-+ } else {
-+ list[i] = NULL;
-+ }
- } else
- list[i] = NULL;
- }
-diff --git a/src/ModMap.c b/src/ModMap.c
-index a809aa2..49a5d08 100644
---- a/src/ModMap.c
-+++ b/src/ModMap.c
-@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
- GetEmptyReq(GetModifierMapping, req);
- (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
-
-- if (rep.length < (INT_MAX >> 2)) {
-+ if (rep.length < (INT_MAX >> 2) &&
-+ (rep.length >> 1) == rep.numKeyPerModifier) {
- nbytes = (unsigned long)rep.length << 2;
- res = Xmalloc(sizeof (XModifierKeymap));
- if (res)
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
deleted file mode 100644
index 2ce463fc46..0000000000
--- a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Fix CVE-2016-7944:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e
-
-From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:38:44 +0200
-Subject: [PATCH] Integer overflow on illegal server response
-
-The 32 bit field "rep.length" is not checked for validity, which allows
-an integer overflow on 32 bit systems.
-
-A malicious server could send INT_MAX as length, which gets multiplied
-by the size of XRectangle. In that case the client won't read the whole
-data from server, getting out of sync.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Region.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/src/Region.c b/src/Region.c
-index cb0cf6e..59bcc1a 100644
---- a/src/Region.c
-+++ b/src/Region.c
-@@ -23,6 +23,7 @@
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include "Xfixesint.h"
-
- XserverRegion
-@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy,
- bounds->y = rep.y;
- bounds->width = rep.width;
- bounds->height = rep.height;
-- nbytes = (long) rep.length << 2;
-- nrects = rep.length >> 1;
-- rects = Xmalloc (nrects * sizeof (XRectangle));
-+
-+ if (rep.length < (INT_MAX >> 2)) {
-+ nbytes = (long) rep.length << 2;
-+ nrects = rep.length >> 1;
-+ rects = Xmalloc (nrects * sizeof (XRectangle));
-+ } else {
-+ nbytes = 0;
-+ nrects = 0;
-+ rects = NULL;
-+ }
-+
- if (!rects)
- {
- _XEatDataWords(dpy, rep.length);
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch b/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
deleted file mode 100644
index ca899e34c0..0000000000
--- a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-Fix CVE-2016-7945:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5
-
-From 19a9cd607de73947fcfb104682f203ffe4e1f4e5 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:31:34 +0200
-Subject: [PATCH] Properly validate server responses.
-
-By validating length fields from server responses, out of boundary
-accesses and endless loops can be mitigated.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XGMotion.c | 3 ++-
- src/XGetBMap.c | 3 ++-
- src/XGetDCtl.c | 6 ++++--
- src/XGetFCtl.c | 7 ++++++-
- src/XGetKMap.c | 14 +++++++++++---
- src/XGetMMap.c | 11 +++++++++--
- src/XIQueryDevice.c | 36 ++++++++++++++++++++++++++++++++++--
- src/XListDev.c | 21 +++++++++++++++------
- src/XOpenDev.c | 13 ++++++++++---
- src/XQueryDv.c | 8 ++++++--
- 10 files changed, 99 insertions(+), 23 deletions(-)
-
-diff --git a/src/XGMotion.c b/src/XGMotion.c
-index 7785843..9433e29 100644
---- a/src/XGMotion.c
-+++ b/src/XGMotion.c
-@@ -114,7 +114,8 @@ XGetDeviceMotionEvents(
- }
- /* rep.axes is a CARD8, so assume max number of axes for bounds check */
- if (rep.nEvents <
-- (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
-+ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
-+ rep.nEvents * (rep.axes + 1) <= rep.length) {
- size_t bsize = rep.nEvents *
- (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
- bufp = Xmalloc(bsize);
-diff --git a/src/XGetBMap.c b/src/XGetBMap.c
-index 002daba..13bb8c6 100644
---- a/src/XGetBMap.c
-+++ b/src/XGetBMap.c
-@@ -92,7 +92,8 @@ XGetDeviceButtonMapping(
-
- status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
- if (status == 1) {
-- if (rep.length <= (sizeof(mapping) >> 2)) {
-+ if (rep.length <= (sizeof(mapping) >> 2) &&
-+ rep.nElts <= (rep.length << 2)) {
- unsigned long nbytes = rep.length << 2;
- _XRead(dpy, (char *)mapping, nbytes);
-
-diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
-index c5d3b53..7f6b396 100644
---- a/src/XGetDCtl.c
-+++ b/src/XGetDCtl.c
-@@ -93,7 +93,8 @@ XGetDeviceControl(
- if (rep.length > 0) {
- unsigned long nbytes;
- size_t size = 0;
-- if (rep.length < (INT_MAX >> 2)) {
-+ if (rep.length < (INT_MAX >> 2) &&
-+ (rep.length << 2) >= sizeof(xDeviceState)) {
- nbytes = (unsigned long) rep.length << 2;
- d = Xmalloc(nbytes);
- }
-@@ -117,7 +118,8 @@ XGetDeviceControl(
- size_t val_size;
-
- r = (xDeviceResolutionState *) d;
-- if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
-+ if (sizeof(xDeviceResolutionState) > nbytes ||
-+ r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
- goto out;
- val_size = 3 * sizeof(int) * r->num_valuators;
- if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
-diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
-index 7fd6d0e..82dcc64 100644
---- a/src/XGetFCtl.c
-+++ b/src/XGetFCtl.c
-@@ -73,6 +73,7 @@ XGetFeedbackControl(
- XFeedbackState *Sav = NULL;
- xFeedbackState *f = NULL;
- xFeedbackState *sav = NULL;
-+ char *end = NULL;
- xGetFeedbackControlReq *req;
- xGetFeedbackControlReply rep;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-@@ -105,10 +106,12 @@ XGetFeedbackControl(
- goto out;
- }
- sav = f;
-+ end = (char *)f + nbytes;
- _XRead(dpy, (char *)f, nbytes);
-
- for (i = 0; i < *num_feedbacks; i++) {
-- if (f->length > nbytes)
-+ if ((char *)f + sizeof(*f) > end ||
-+ f->length == 0 || f->length > nbytes)
- goto out;
- nbytes -= f->length;
-
-@@ -125,6 +128,8 @@ XGetFeedbackControl(
- case StringFeedbackClass:
- {
- xStringFeedbackState *strf = (xStringFeedbackState *) f;
-+ if ((char *)f + sizeof(*strf) > end)
-+ goto out;
- size += sizeof(XStringFeedbackState) +
- (strf->num_syms_supported * sizeof(KeySym));
- }
-diff --git a/src/XGetKMap.c b/src/XGetKMap.c
-index 0540ce4..008a72b 100644
---- a/src/XGetKMap.c
-+++ b/src/XGetKMap.c
-@@ -54,6 +54,7 @@ SOFTWARE.
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -93,9 +94,16 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
- return (KeySym *) NULL;
- }
- if (rep.length > 0) {
-- *syms_per_code = rep.keySymsPerKeyCode;
-- nbytes = (long)rep.length << 2;
-- mapping = (KeySym *) Xmalloc((unsigned)nbytes);
-+ if (rep.length < INT_MAX >> 2 &&
-+ rep.length == rep.keySymsPerKeyCode * keycount) {
-+ *syms_per_code = rep.keySymsPerKeyCode;
-+ nbytes = (long)rep.length << 2;
-+ mapping = (KeySym *) Xmalloc((unsigned)nbytes);
-+ } else {
-+ *syms_per_code = 0;
-+ nbytes = 0;
-+ mapping = NULL;
-+ }
- if (mapping)
- _XRead(dpy, (char *)mapping, nbytes);
- else
-diff --git a/src/XGetMMap.c b/src/XGetMMap.c
-index 246698c..33c114f 100644
---- a/src/XGetMMap.c
-+++ b/src/XGetMMap.c
-@@ -53,6 +53,7 @@ SOFTWARE.
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -85,8 +86,14 @@ XGetDeviceModifierMapping(
- SyncHandle();
- return (XModifierKeymap *) NULL;
- }
-- nbytes = (unsigned long)rep.length << 2;
-- res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
-+ if (rep.length < (INT_MAX >> 2) &&
-+ rep.numKeyPerModifier == rep.length >> 1) {
-+ nbytes = (unsigned long)rep.length << 2;
-+ res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
-+ } else {
-+ nbytes = 0;
-+ res = NULL;
-+ }
- if (res) {
- res->modifiermap = (KeyCode *) Xmalloc(nbytes);
- if (res->modifiermap)
-diff --git a/src/XIQueryDevice.c b/src/XIQueryDevice.c
-index fb8504f..a457cd6 100644
---- a/src/XIQueryDevice.c
-+++ b/src/XIQueryDevice.c
-@@ -26,6 +26,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdint.h>
- #include <X11/Xlibint.h>
- #include <X11/extensions/XI2proto.h>
-@@ -43,6 +44,7 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
- xXIQueryDeviceReq *req;
- xXIQueryDeviceReply reply;
- char *ptr;
-+ char *end;
- int i;
- char *buf;
-
-@@ -60,14 +62,24 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
- if (!_XReply(dpy, (xReply*) &reply, 0, xFalse))
- goto error;
-
-- *ndevices_return = reply.num_devices;
-- info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
-+ if (reply.length < INT_MAX / 4)
-+ {
-+ *ndevices_return = reply.num_devices;
-+ info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
-+ }
-+ else
-+ {
-+ *ndevices_return = 0;
-+ info = NULL;
-+ }
-+
- if (!info)
- goto error;
-
- buf = Xmalloc(reply.length * 4);
- _XRead(dpy, buf, reply.length * 4);
- ptr = buf;
-+ end = buf + reply.length * 4;
-
- /* info is a null-terminated array */
- info[reply.num_devices].name = NULL;
-@@ -79,6 +91,9 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
- XIDeviceInfo *lib = &info[i];
- xXIDeviceInfo *wire = (xXIDeviceInfo*)ptr;
-
-+ if (ptr + sizeof(xXIDeviceInfo) > end)
-+ goto error_loop;
-+
- lib->deviceid = wire->deviceid;
- lib->use = wire->use;
- lib->attachment = wire->attachment;
-@@ -87,12 +102,23 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-
- ptr += sizeof(xXIDeviceInfo);
-
-+ if (ptr + wire->name_len > end)
-+ goto error_loop;
-+
- lib->name = Xcalloc(wire->name_len + 1, 1);
-+ if (lib->name == NULL)
-+ goto error_loop;
- strncpy(lib->name, ptr, wire->name_len);
-+ lib->name[wire->name_len] = '\0';
- ptr += ((wire->name_len + 3)/4) * 4;
-
- sz = size_classes((xXIAnyInfo*)ptr, nclasses);
- lib->classes = Xmalloc(sz);
-+ if (lib->classes == NULL)
-+ {
-+ Xfree(lib->name);
-+ goto error_loop;
-+ }
- ptr += copy_classes(lib, (xXIAnyInfo*)ptr, &nclasses);
- /* We skip over unused classes */
- lib->num_classes = nclasses;
-@@ -103,6 +129,12 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
- SyncHandle();
- return info;
-
-+error_loop:
-+ while (--i >= 0)
-+ {
-+ Xfree(info[i].name);
-+ Xfree(info[i].classes);
-+ }
- error:
- UnlockDisplay(dpy);
- error_unlocked:
-diff --git a/src/XListDev.c b/src/XListDev.c
-index b85ff3c..f850cd0 100644
---- a/src/XListDev.c
-+++ b/src/XListDev.c
-@@ -74,7 +74,7 @@ static int pad_to_xid(int base_size)
- }
-
- static size_t
--SizeClassInfo(xAnyClassPtr *any, int num_classes)
-+SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
- {
- int size = 0;
- int j;
-@@ -90,6 +90,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
- {
- xValuatorInfoPtr v;
-
-+ if (len < sizeof(v))
-+ return 0;
- v = (xValuatorInfoPtr) *any;
- size += pad_to_xid(sizeof(XValuatorInfo) +
- (v->num_axes * sizeof(XAxisInfo)));
-@@ -98,6 +100,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
- default:
- break;
- }
-+ if ((*any)->length > len)
-+ return 0;
- *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
- }
-
-@@ -170,7 +174,7 @@ XListInputDevices(
- register Display *dpy,
- int *ndevices)
- {
-- size_t size;
-+ size_t s, size;
- xListInputDevicesReq *req;
- xListInputDevicesReply rep;
- xDeviceInfo *list, *slist = NULL;
-@@ -178,6 +182,7 @@ XListInputDevices(
- XDeviceInfo *clist = NULL;
- xAnyClassPtr any, sav_any;
- XAnyClassPtr Any;
-+ char *end = NULL;
- unsigned char *nptr, *Nptr;
- int i;
- unsigned long rlen;
-@@ -213,16 +218,20 @@ XListInputDevices(
-
- any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo)));
- sav_any = any;
-+ end = (char *)list + rlen;
- for (i = 0; i < *ndevices; i++, list++) {
-- size += SizeClassInfo(&any, (int)list->num_classes);
-+ s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes);
-+ if (!s)
-+ goto out;
-+ size += s;
- }
-
-- Nptr = ((unsigned char *)list) + rlen + 1;
-+ Nptr = ((unsigned char *)list) + rlen;
- for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
-+ if (nptr >= Nptr)
-+ goto out;
- size += *nptr + 1;
- nptr += (*nptr + 1);
-- if (nptr > Nptr)
-- goto out;
- }
-
- clist = (XDeviceInfoPtr) Xmalloc(size);
-diff --git a/src/XOpenDev.c b/src/XOpenDev.c
-index 029dec2..4b3c460 100644
---- a/src/XOpenDev.c
-+++ b/src/XOpenDev.c
-@@ -53,6 +53,7 @@ SOFTWARE.
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -86,9 +87,15 @@ XOpenDevice(
- return (XDevice *) NULL;
- }
-
-- rlen = rep.length << 2;
-- dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
-- sizeof(XInputClassInfo));
-+ if (rep.length < INT_MAX >> 2 &&
-+ (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) {
-+ rlen = rep.length << 2;
-+ dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
-+ sizeof(XInputClassInfo));
-+ } else {
-+ rlen = 0;
-+ dev = NULL;
-+ }
- if (dev) {
- int dlen; /* data length */
-
-diff --git a/src/XQueryDv.c b/src/XQueryDv.c
-index de1c0e5..7ee2272 100644
---- a/src/XQueryDv.c
-+++ b/src/XQueryDv.c
-@@ -73,7 +73,7 @@ XQueryDeviceState(
- xQueryDeviceStateReply rep;
- XDeviceState *state = NULL;
- XInputClass *any, *Any;
-- char *data = NULL;
-+ char *data = NULL, *end = NULL;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
- LockDisplay(dpy);
-@@ -92,6 +92,7 @@ XQueryDeviceState(
- if (rep.length < (INT_MAX >> 2)) {
- rlen = (unsigned long) rep.length << 2;
- data = Xmalloc(rlen);
-+ end = data + rlen;
- }
- if (!data) {
- _XEatDataWords(dpy, rep.length);
-@@ -100,7 +101,8 @@ XQueryDeviceState(
- _XRead(dpy, data, rlen);
-
- for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
-- if (any->length > rlen)
-+ if ((char *)any + sizeof(XInputClass) > end ||
-+ any->length == 0 || any->length > rlen)
- goto out;
- rlen -= any->length;
-
-@@ -114,6 +116,8 @@ XQueryDeviceState(
- case ValuatorClass:
- {
- xValuatorState *v = (xValuatorState *) any;
-+ if ((char *)any + sizeof(xValuatorState) > end)
-+ goto out;
- size += (sizeof(XValuatorState) +
- (v->num_valuators * sizeof(int)));
- }
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch b/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
deleted file mode 100644
index ece8b18309..0000000000
--- a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-Fix CVE-2016-7947 and CVE-2016-7948.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6
-
-From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:21:40 +0200
-Subject: [PATCH] Avoid out of boundary accesses on illegal responses
-
-The responses of the connected X server have to be properly checked
-to avoid out of boundary accesses that could otherwise be triggered
-by a malicious server.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XrrConfig.c | 32 +++++++++++++--------
- src/XrrCrtc.c | 83 ++++++++++++++++++++++++++++++++++++++++++-------------
- src/XrrMonitor.c | 18 ++++++++++++
- src/XrrOutput.c | 11 ++++++++
- src/XrrProvider.c | 28 ++++++++++++++++---
- src/XrrScreen.c | 52 ++++++++++++++++++++++------------
- 6 files changed, 172 insertions(+), 52 deletions(-)
-
-diff --git a/src/XrrConfig.c b/src/XrrConfig.c
-index 2f0282b..e68c45a 100644
---- a/src/XrrConfig.c
-+++ b/src/XrrConfig.c
-@@ -29,6 +29,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
- rep.rate = 0;
- rep.nrateEnts = 0;
- }
-+ if (rep.length < INT_MAX >> 2) {
-+ nbytes = (long) rep.length << 2;
-
-- nbytes = (long) rep.length << 2;
-+ nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
-+ ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
-
-- nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
-- ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
-+ /*
-+ * first we must compute how much space to allocate for
-+ * randr library's use; we'll allocate the structures in a single
-+ * allocation, on cleanlyness grounds.
-+ */
-
-- /*
-- * first we must compute how much space to allocate for
-- * randr library's use; we'll allocate the structures in a single
-- * allocation, on cleanlyness grounds.
-- */
-+ rbytes = sizeof (XRRScreenConfiguration) +
-+ (rep.nSizes * sizeof (XRRScreenSize) +
-+ rep.nrateEnts * sizeof (int));
-
-- rbytes = sizeof (XRRScreenConfiguration) +
-- (rep.nSizes * sizeof (XRRScreenSize) +
-- rep.nrateEnts * sizeof (int));
-+ scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
-+ } else {
-+ nbytes = 0;
-+ nbytesRead = 0;
-+ rbytes = 0;
-+ scp = NULL;
-+ }
-
-- scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
- if (scp == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
- return NULL;
-diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
-index 5ae35c5..6665092 100644
---- a/src/XrrCrtc.c
-+++ b/src/XrrCrtc.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
- return NULL;
- }
-
-- nbytes = (long) rep.length << 2;
-+ if (rep.length < INT_MAX >> 2)
-+ {
-+ nbytes = (long) rep.length << 2;
-
-- nbytesRead = (long) (rep.nOutput * 4 +
-- rep.nPossibleOutput * 4);
-+ nbytesRead = (long) (rep.nOutput * 4 +
-+ rep.nPossibleOutput * 4);
-
-- /*
-- * first we must compute how much space to allocate for
-- * randr library's use; we'll allocate the structures in a single
-- * allocation, on cleanlyness grounds.
-- */
-+ /*
-+ * first we must compute how much space to allocate for
-+ * randr library's use; we'll allocate the structures in a single
-+ * allocation, on cleanlyness grounds.
-+ */
-
-- rbytes = (sizeof (XRRCrtcInfo) +
-- rep.nOutput * sizeof (RROutput) +
-- rep.nPossibleOutput * sizeof (RROutput));
-+ rbytes = (sizeof (XRRCrtcInfo) +
-+ rep.nOutput * sizeof (RROutput) +
-+ rep.nPossibleOutput * sizeof (RROutput));
-+
-+ xci = (XRRCrtcInfo *) Xmalloc(rbytes);
-+ }
-+ else
-+ {
-+ nbytes = 0;
-+ nbytesRead = 0;
-+ rbytes = 0;
-+ xci = NULL;
-+ }
-
-- xci = (XRRCrtcInfo *) Xmalloc(rbytes);
- if (xci == NULL) {
- _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
-@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
- if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
- goto out;
-
-- nbytes = (long) rep.length << 2;
-+ if (rep.length < INT_MAX >> 2)
-+ {
-+ nbytes = (long) rep.length << 2;
-
-- /* three channels of CARD16 data */
-- nbytesRead = (rep.size * 2 * 3);
-+ /* three channels of CARD16 data */
-+ nbytesRead = (rep.size * 2 * 3);
-
-- crtc_gamma = XRRAllocGamma (rep.size);
-+ crtc_gamma = XRRAllocGamma (rep.size);
-+ }
-+ else
-+ {
-+ nbytes = 0;
-+ nbytesRead = 0;
-+ crtc_gamma = NULL;
-+ }
-
- if (!crtc_gamma)
- {
-@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy,
- xRRGetCrtcTransformReq *req;
- int major_version, minor_version;
- XRRCrtcTransformAttributes *attr;
-- char *extra = NULL, *e;
-+ char *extra = NULL, *end = NULL, *e;
- int p;
-
- *attributes = NULL;
-@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy,
- else
- {
- int extraBytes = rep.length * 4 - CrtcTransformExtra;
-- extra = Xmalloc (extraBytes);
-+ if (rep.length < INT_MAX / 4 &&
-+ rep.length * 4 >= CrtcTransformExtra) {
-+ extra = Xmalloc (extraBytes);
-+ end = extra + extraBytes;
-+ } else
-+ extra = NULL;
- if (!extra) {
-- _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
-+ if (rep.length > (CrtcTransformExtra >> 2))
-+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
-+ else
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- return False;
-@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy,
-
- e = extra;
-
-+ if (e + rep.pendingNbytesFilter > end) {
-+ XFree (extra);
-+ return False;
-+ }
- memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
- attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
- e += (rep.pendingNbytesFilter + 3) & ~3;
- for (p = 0; p < rep.pendingNparamsFilter; p++) {
- INT32 f;
-+ if (e + 4 > end) {
-+ XFree (extra);
-+ return False;
-+ }
- memcpy (&f, e, 4);
- e += 4;
- attr->pendingParams[p] = (XFixed) f;
- }
- attr->pendingNparams = rep.pendingNparamsFilter;
-
-+ if (e + rep.currentNbytesFilter > end) {
-+ XFree (extra);
-+ return False;
-+ }
- memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
- attr->currentFilter[rep.currentNbytesFilter] = '\0';
- e += (rep.currentNbytesFilter + 3) & ~3;
- for (p = 0; p < rep.currentNparamsFilter; p++) {
- INT32 f;
-+ if (e + 4 > end) {
-+ XFree (extra);
-+ return False;
-+ }
- memcpy (&f, e, 4);
- e += 4;
- attr->currentParams[p] = (XFixed) f;
-diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
-index a9eaa7b..adc5330 100644
---- a/src/XrrMonitor.c
-+++ b/src/XrrMonitor.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
- return NULL;
- }
-
-+ if (rep.length > INT_MAX >> 2 ||
-+ rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
-+ rep.noutputs > INT_MAX / 4 ||
-+ rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
-+ _XEatData (dpy, rep.length);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return NULL;
-+ }
- nbytes = (long) rep.length << 2;
- nmon = rep.nmonitors;
- noutput = rep.noutputs;
-@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
- mon[m].outputs = output;
- buf += SIZEOF (xRRMonitorInfo);
- xoutput = (CARD32 *) buf;
-+ if (xmon->noutput > rep.noutputs) {
-+ Xfree(buf);
-+ Xfree(mon);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return NULL;
-+ }
-+ rep.noutputs -= xmon->noutput;
- for (o = 0; o < xmon->noutput; o++)
- output[o] = xoutput[o];
- output += xmon->noutput;
-diff --git a/src/XrrOutput.c b/src/XrrOutput.c
-index 85f0b6e..30f3d40 100644
---- a/src/XrrOutput.c
-+++ b/src/XrrOutput.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
- return NULL;
- }
-
-+ if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
-+ {
-+ if (rep.length > (OutputInfoExtra >> 2))
-+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
-+ else
-+ _XEatDataWords (dpy, rep.length);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return NULL;
-+ }
- nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
-
- nbytesRead = (long) (rep.nCrtcs * 4 +
-diff --git a/src/XrrProvider.c b/src/XrrProvider.c
-index 9e620c7..d796cd0 100644
---- a/src/XrrProvider.c
-+++ b/src/XrrProvider.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
- return NULL;
- }
-
-- nbytes = (long) rep.length << 2;
-+ if (rep.length < INT_MAX >> 2) {
-+ nbytes = (long) rep.length << 2;
-
-- nbytesRead = (long) (rep.nProviders * 4);
-+ nbytesRead = (long) (rep.nProviders * 4);
-
-- rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
-- xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-+ rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
-+ sizeof(RRProvider));
-+ xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-+ } else {
-+ nbytes = 0;
-+ nbytesRead = 0;
-+ rbytes = 0;
-+ xrpr = NULL;
-+ }
-
- if (xrpr == NULL) {
- _XEatDataWords (dpy, rep.length);
-@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
- return NULL;
- }
-
-+ if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
-+ {
-+ if (rep.length < ProviderInfoExtra >> 2)
-+ _XEatDataWords (dpy, rep.length);
-+ else
-+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return NULL;
-+ }
-+
- nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
-
- nbytesRead = (long)(rep.nCrtcs * 4 +
-diff --git a/src/XrrScreen.c b/src/XrrScreen.c
-index b8ce7e5..1f7ffe6 100644
---- a/src/XrrScreen.c
-+++ b/src/XrrScreen.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
- xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
- }
-
-- nbytes = (long) rep.length << 2;
-+ if (rep.length < INT_MAX >> 2) {
-+ nbytes = (long) rep.length << 2;
-
-- nbytesRead = (long) (rep.nCrtcs * 4 +
-- rep.nOutputs * 4 +
-- rep.nModes * SIZEOF (xRRModeInfo) +
-- ((rep.nbytesNames + 3) & ~3));
-+ nbytesRead = (long) (rep.nCrtcs * 4 +
-+ rep.nOutputs * 4 +
-+ rep.nModes * SIZEOF (xRRModeInfo) +
-+ ((rep.nbytesNames + 3) & ~3));
-
-- /*
-- * first we must compute how much space to allocate for
-- * randr library's use; we'll allocate the structures in a single
-- * allocation, on cleanlyness grounds.
-- */
-+ /*
-+ * first we must compute how much space to allocate for
-+ * randr library's use; we'll allocate the structures in a single
-+ * allocation, on cleanlyness grounds.
-+ */
-+
-+ rbytes = (sizeof (XRRScreenResources) +
-+ rep.nCrtcs * sizeof (RRCrtc) +
-+ rep.nOutputs * sizeof (RROutput) +
-+ rep.nModes * sizeof (XRRModeInfo) +
-+ rep.nbytesNames + rep.nModes); /* '\0' terminate names */
-
-- rbytes = (sizeof (XRRScreenResources) +
-- rep.nCrtcs * sizeof (RRCrtc) +
-- rep.nOutputs * sizeof (RROutput) +
-- rep.nModes * sizeof (XRRModeInfo) +
-- rep.nbytesNames + rep.nModes); /* '\0' terminate names */
-+ xrsr = (XRRScreenResources *) Xmalloc(rbytes);
-+ wire_names = (char *) Xmalloc (rep.nbytesNames);
-+ } else {
-+ nbytes = 0;
-+ nbytesRead = 0;
-+ rbytes = 0;
-+ xrsr = NULL;
-+ wire_names = NULL;
-+ }
-
-- xrsr = (XRRScreenResources *) Xmalloc(rbytes);
-- wire_names = (char *) Xmalloc (rep.nbytesNames);
- if (xrsr == NULL || wire_names == NULL) {
- Xfree (xrsr);
- Xfree (wire_names);
-@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
- wire_name = wire_names;
- for (i = 0; i < rep.nModes; i++) {
- xrsr->modes[i].name = names;
-+ if (xrsr->modes[i].nameLength > rep.nbytesNames) {
-+ Xfree (xrsr);
-+ Xfree (wire_names);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return NULL;
-+ }
-+ rep.nbytesNames -= xrsr->modes[i].nameLength;
- memcpy (names, wire_name, xrsr->modes[i].nameLength);
- names[xrsr->modes[i].nameLength] = '\0';
- names += xrsr->modes[i].nameLength + 1;
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7949.patch b/gnu/packages/patches/libxrender-CVE-2016-7949.patch
deleted file mode 100644
index 3a2be4ea8e..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7949.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2016-7949:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
-
-From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:43:09 +0200
-Subject: [PATCH] Validate lengths while parsing server data.
-
-Individual lengths inside received server data can overflow
-the previously reserved memory.
-
-It is therefore important to validate every single length
-field to not overflow the previously agreed sum of all invidual
-length fields.
-
-v2: consume remaining bytes in the reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb@laas.fr
----
- src/Xrender.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/Xrender.c b/src/Xrender.c
-index 3102eb2..71cf3e6 100644
---- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
- screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
- screen->subpixel = SubPixelUnknown;
- xDepth = (xPictDepth *) (xScreen + 1);
-+ if (screen->ndepths > rep.numDepths) {
-+ Xfree (xri);
-+ Xfree (xData);
-+ _XEatDataWords (dpy, rep.length);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return 0;
-+ }
-+ rep.numDepths -= screen->ndepths;
- for (nd = 0; nd < screen->ndepths; nd++)
- {
- depth->depth = xDepth->depth;
- depth->nvisuals = xDepth->nPictVisuals;
- depth->visuals = visual;
- xVisual = (xPictVisual *) (xDepth + 1);
-+ if (depth->nvisuals > rep.numVisuals) {
-+ Xfree (xri);
-+ Xfree (xData);
-+ _XEatDataWords (dpy, rep.length);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return 0;
-+ }
-+ rep.numVisuals -= depth->nvisuals;
- for (nv = 0; nv < depth->nvisuals; nv++)
- {
- visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch
deleted file mode 100644
index 1a64b6e724..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7950.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Fix CVE-2016-7950:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
-
-From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:42:09 +0200
-Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
-
-The memory for filter names is reserved right after receiving the reply.
-After that, filters are iterated and each individual filter name is
-stored in that reserved memory.
-
-The individual name lengths are not checked for validity, which means
-that a malicious server can reserve less memory than it will write to
-during each iteration.
-
-v2: consume remaining bytes in reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Filter.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/Filter.c b/src/Filter.c
-index edfa572..8d701eb 100644
---- a/src/Filter.c
-+++ b/src/Filter.c
-@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
- char *name;
- char len;
- int i;
-- unsigned long nbytes, nbytesAlias, nbytesName;
-+ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
-
- if (!RenderHasExtension (info))
- return NULL;
-@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
- * Read the filter aliases
- */
- _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
-+ reply_left = 8 + rep.length - 2 * rep.numAliases;;
-
- /*
- * Read the filter names
-@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
- {
- int l;
- _XRead (dpy, &len, 1);
-+ reply_left--;
- l = len & 0xff;
-+ if ((unsigned long)l + 1 > nbytesName) {
-+ _XEatDataWords(dpy, reply_left);
-+ Xfree(filters);
-+ UnlockDisplay (dpy);
-+ SyncHandle ();
-+ return NULL;
-+ }
-+ nbytesName -= l + 1;
- filters->filter[i] = name;
- _XRead (dpy, name, l);
-+ reply_left -= l;
- name[l] = '\0';
- name += l + 1;
- }
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
deleted file mode 100644
index 9df6cf3f4d..0000000000
--- a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-Fix CVE-2016-7951 and CVE-2016-7952
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3
-
-From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:37:01 +0200
-Subject: [PATCH] Out of boundary access and endless loop in libXtst
-
-A lack of range checks in libXtst allows out of boundary accesses.
-The checks have to be done in-place here, because it cannot be done
-without in-depth knowledge of the read data.
-
-If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
-without a client sequence have attached data, an endless loop would
-occur. The do-while-loop continues until the current index reaches
-the end. But in these cases, the current index would not be
-incremented, leading to an endless processing.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 39 insertions(+), 4 deletions(-)
-
-diff --git a/src/XRecord.c b/src/XRecord.c
-index 50420c0..fefd842 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -749,15 +749,23 @@ parse_reply_call_callback(
- switch (rep->category) {
- case XRecordFromServer:
- if (rep->elementHeader&XRecordFromServerTime) {
-+ if (current_index + 4 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD32(rep->clientSwapped,
- reply->buf+current_index,
- data->server_time);
- current_index += 4;
- }
-+ if (current_index + 1 > rep->length << 2)
-+ return Error;
- switch (reply->buf[current_index]) {
- case X_Reply: /* reply */
-+ if (current_index + 8 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD32(rep->clientSwapped,
- reply->buf+current_index+4, datum_bytes);
-+ if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
-+ return Error;
- datum_bytes = (datum_bytes+8) << 2;
- break;
- default: /* error or event */
-@@ -766,52 +774,73 @@ parse_reply_call_callback(
- break;
- case XRecordFromClient:
- if (rep->elementHeader&XRecordFromClientTime) {
-+ if (current_index + 4 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD32(rep->clientSwapped,
- reply->buf+current_index,
- data->server_time);
- current_index += 4;
- }
- if (rep->elementHeader&XRecordFromClientSequence) {
-+ if (current_index + 4 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD32(rep->clientSwapped,
- reply->buf+current_index,
- data->client_seq);
- current_index += 4;
- }
-+ if (current_index + 4 > rep->length<<2)
-+ return Error;
- if (reply->buf[current_index+2] == 0
- && reply->buf[current_index+3] == 0) /* needn't swap 0 */
- { /* BIG-REQUESTS */
-+ if (current_index + 8 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD32(rep->clientSwapped,
- reply->buf+current_index+4, datum_bytes);
- } else {
- EXTRACT_CARD16(rep->clientSwapped,
- reply->buf+current_index+2, datum_bytes);
- }
-+ if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
-+ return Error;
- datum_bytes <<= 2;
- break;
- case XRecordClientStarted:
-+ if (current_index + 8 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD16(rep->clientSwapped,
- reply->buf+current_index+6, datum_bytes);
- datum_bytes = (datum_bytes+2) << 2;
- break;
- case XRecordClientDied:
- if (rep->elementHeader&XRecordFromClientSequence) {
-+ if (current_index + 4 > rep->length << 2)
-+ return Error;
- EXTRACT_CARD32(rep->clientSwapped,
- reply->buf+current_index,
- data->client_seq);
- current_index += 4;
-- }
-- /* fall through */
-+ } else if (current_index < rep->length << 2)
-+ return Error;
-+ datum_bytes = 0;
-+ break;
- case XRecordStartOfData:
- case XRecordEndOfData:
-+ if (current_index < rep->length << 2)
-+ return Error;
- datum_bytes = 0;
-+ break;
- }
-
- if (datum_bytes > 0) {
-- if (current_index + datum_bytes > rep->length << 2)
-+ if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
- fprintf(stderr,
- "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
-- (long)rep->length << 2, current_index + datum_bytes,
-+ (unsigned long)rep->length << 2, current_index + datum_bytes,
- dpy->last_request_read);
-+ return Error;
-+ }
- /*
- * This assignment (and indeed the whole buffer sharing
- * scheme) assumes arbitrary 4-byte boundaries are
-@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context,
- return 0;
- }
-
-+ if (rep.length > INT_MAX >> 2) {
-+ UnlockDisplay(dpy);
-+ SyncHandle();
-+ return 0;
-+ }
-+
- if (rep.length > 0) {
- reply = alloc_reply_buffer(info, rep.length<<2);
- if (!reply) {
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch
deleted file mode 100644
index e6a76c9f70..0000000000
--- a/gnu/packages/patches/libxv-CVE-2016-5407.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2016-5407:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
-
-From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:30:03 +0200
-Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
-
-The Xv query functions for adaptors and encodings suffer from out of
-boundary accesses if a hostile X server sends a maliciously crafted
-response.
-
-A previous fix already checks the received length against fixed values
-but ignores additional length specifications which are stored inside
-the received data.
-
-These lengths are accessed in a for-loop. The easiest way to guarantee
-a correct processing is by validating all lengths against the
-remaining size left before accessing referenced memory.
-
-This makes the previously applied check obsolete, therefore I removed
-it.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
- 1 file changed, 29 insertions(+), 17 deletions(-)
-
-diff --git a/src/Xv.c b/src/Xv.c
-index e47093a..be450c4 100644
---- a/src/Xv.c
-+++ b/src/Xv.c
-@@ -158,6 +158,7 @@ XvQueryAdaptors(
- size_t size;
- unsigned int ii, jj;
- char *name;
-+ char *end;
- XvAdaptorInfo *pas = NULL, *pa;
- XvFormat *pfs, *pf;
- char *buffer = NULL;
-@@ -197,17 +198,13 @@ XvQueryAdaptors(
- /* GET INPUT ADAPTORS */
-
- if (rep.num_adaptors == 0) {
-- /* If there's no adaptors, there's nothing more to do. */
-+ /* If there are no adaptors, there's nothing more to do. */
- status = Success;
- goto out;
- }
-
-- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
-- /* If there's not enough data for the number of adaptors,
-- then we have a problem. */
-- status = XvBadReply;
-- goto out;
-- }
-+ u.buffer = buffer;
-+ end = buffer + size;
-
- size = rep.num_adaptors * sizeof(XvAdaptorInfo);
- if ((pas = Xmalloc(size)) == NULL) {
-@@ -225,9 +222,12 @@ XvQueryAdaptors(
- pa++;
- }
-
-- u.buffer = buffer;
- pa = pas;
- for (ii = 0; ii < rep.num_adaptors; ii++) {
-+ if (u.buffer + sz_xvAdaptorInfo > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- pa->type = u.pa->type;
- pa->base_id = u.pa->base_id;
- pa->num_ports = u.pa->num_ports;
-@@ -239,6 +239,10 @@ XvQueryAdaptors(
- size = u.pa->name_size;
- u.buffer += pad_to_int32(sz_xvAdaptorInfo);
-
-+ if (u.buffer + size > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- if ((name = Xmalloc(size + 1)) == NULL) {
- status = XvBadAlloc;
- goto out;
-@@ -259,6 +263,11 @@ XvQueryAdaptors(
-
- pf = pfs;
- for (jj = 0; jj < pa->num_formats; jj++) {
-+ if (u.buffer + sz_xvFormat > end) {
-+ Xfree(pfs);
-+ status = XvBadReply;
-+ goto out;
-+ }
- pf->depth = u.pf->depth;
- pf->visual_id = u.pf->visual;
- pf++;
-@@ -327,6 +336,7 @@ XvQueryEncodings(
- size_t size;
- unsigned int jj;
- char *name;
-+ char *end;
- XvEncodingInfo *pes = NULL, *pe;
- char *buffer = NULL;
- union {
-@@ -364,17 +374,13 @@ XvQueryEncodings(
- /* GET ENCODINGS */
-
- if (rep.num_encodings == 0) {
-- /* If there's no encodings, there's nothing more to do. */
-+ /* If there are no encodings, there's nothing more to do. */
- status = Success;
- goto out;
- }
-
-- if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
-- /* If there's not enough data for the number of adaptors,
-- then we have a problem. */
-- status = XvBadReply;
-- goto out;
-- }
-+ u.buffer = buffer;
-+ end = buffer + size;
-
- size = rep.num_encodings * sizeof(XvEncodingInfo);
- if ((pes = Xmalloc(size)) == NULL) {
-@@ -391,10 +397,12 @@ XvQueryEncodings(
- pe++;
- }
-
-- u.buffer = buffer;
--
- pe = pes;
- for (jj = 0; jj < rep.num_encodings; jj++) {
-+ if (u.buffer + sz_xvEncodingInfo > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- pe->encoding_id = u.pe->encoding;
- pe->width = u.pe->width;
- pe->height = u.pe->height;
-@@ -405,6 +413,10 @@ XvQueryEncodings(
- size = u.pe->name_size;
- u.buffer += pad_to_int32(sz_xvEncodingInfo);
-
-+ if (u.buffer + size > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- if ((name = Xmalloc(size + 1)) == NULL) {
- status = XvBadAlloc;
- goto out;
---
-2.10.1
-
diff --git a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch b/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
deleted file mode 100644
index 737abdeb9f..0000000000
--- a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix CVE-2016-7953:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb
-
-From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:34:27 +0200
-Subject: [PATCH] Avoid buffer underflow on empty strings.
-
-If an empty string is received from an x-server, do not underrun the
-buffer by accessing "rep.nameLen - 1" unconditionally, which could end
-up being -1.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XvMC.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/XvMC.c b/src/XvMC.c
-index 7336760..3ee4212 100644
---- a/src/XvMC.c
-+++ b/src/XvMC.c
-@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
- if (*name && *busID && tmpBuf) {
- _XRead(dpy, tmpBuf, realSize);
- strncpy(*name,tmpBuf,rep.nameLen);
-- (*name)[rep.nameLen - 1] = '\0';
-+ (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
- strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
-- (*busID)[rep.busIDLen - 1] = '\0';
-+ (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
- XFree(tmpBuf);
- } else {
- XFree(*name);
---
-2.10.1
-
diff --git a/gnu/packages/patches/linux-pam-no-setfsuid.patch b/gnu/packages/patches/linux-pam-no-setfsuid.patch
new file mode 100644
index 0000000000..f92fbc057a
--- /dev/null
+++ b/gnu/packages/patches/linux-pam-no-setfsuid.patch
@@ -0,0 +1,75 @@
+On systems without 'setfsuid', use 'setreuid' instead.
+
+The patch originates from the Debian project for GNU/Hurd.
+Authors: Steve Langasek <vorlon@debian.org>
+Upstream status: A ticket was opened to request apply the patch,
+ticket: 'https://fedorahosted.org/linux-pam/ticket/64'.
+
+--- Linux-PAM-1.2.1/libpam/pam_modutil_priv.c 2015-03-24 06:02:32.000000000 -0600
++++ pam_modutil_priv-mod.c 2016-09-20 13:36:53.150663205 -0500
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch
deleted file mode 100644
index f6465aeaa7..0000000000
--- a/gnu/packages/patches/openssl-CVE-2016-2177.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-Fix CVE-2016-2177.
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177>
-
-Source:
-<https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7>
-
-From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-
-A common idiom in the codebase is:
-
-if (p + len > limit)
-{
- return; /* Too long */
-}
-
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2177
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- ssl/s3_srvr.c | 14 +++++++-------
- ssl/ssl_sess.c | 2 +-
- ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++--------------------------
- 3 files changed, 38 insertions(+), 34 deletions(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ab28702..ab7f690 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
-
- session_length = *(p + SSL3_RANDOM_SIZE);
-
-- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
- /* get the session-id */
- j = *(p++);
-
-- if (p + j > d + n) {
-+ if ((d + n) - p < j) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
-
- if (SSL_IS_DTLS(s)) {
- /* cookie stuff */
-- if (p + 1 > d + n) {
-+ if ((d + n) - p < 1) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
- }
- cookie_len = *(p++);
-
-- if (p + cookie_len > d + n) {
-+ if ((d + n ) - p < cookie_len) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
- }
- }
-
-- if (p + 2 > d + n) {
-+ if ((d + n ) - p < 2) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
- }
-
- /* i bytes of cipher data + 1 byte for compression length later */
-- if ((p + i + 1) > (d + n)) {
-+ if ((d + n) - p < i + 1) {
- /* not enough data */
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
-
- /* compression */
- i = *(p++);
-- if ((p + i) > (d + n)) {
-+ if ((d + n) - p < i) {
- /* not enough data */
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index b182998..54ee783 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
- int r;
- #endif
-
-- if (session_id + len > limit) {
-+ if (limit - session_id < len) {
- fatal = 1;
- goto err;
- }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fb64607..cdac011 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- 0x02, 0x03, /* SHA-1/ECDSA */
- };
-
-- if (data >= (limit - 2))
-+ if (limit - data <= 2)
- return;
- data += 2;
-
-- if (data > (limit - 4))
-+ if (limit - data < 4)
- return;
- n2s(data, type);
- n2s(data, size);
-@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- if (type != TLSEXT_TYPE_server_name)
- return;
-
-- if (data + size > limit)
-+ if (limit - data < size)
- return;
- data += size;
-
-@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- const size_t len1 = sizeof(kSafariExtensionsBlock);
- const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-
-- if (data + len1 + len2 != limit)
-+ if (limit - data != (int)(len1 + len2))
- return;
- if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
- return;
-@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- } else {
- const size_t len = sizeof(kSafariExtensionsBlock);
-
-- if (data + len != limit)
-+ if (limit - data != (int)(len))
- return;
- if (memcmp(data, kSafariExtensionsBlock, len) != 0)
- return;
-@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
- if (data == limit)
- goto ri_check;
-
-- if (data > (limit - 2))
-+ if (limit - data < 2)
- goto err;
-
- n2s(data, len);
-
-- if (data + len != limit)
-+ if (limit - data != len)
- goto err;
-
-- while (data <= (limit - 4)) {
-+ while (limit - data >= 4) {
- n2s(data, type);
- n2s(data, size);
-
-- if (data + size > (limit))
-+ if (limit - data < size)
- goto err;
- # if 0
- fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
- if (s->hit || s->cert->srv_ext.meths_count == 0)
- return 1;
-
-- if (data >= limit - 2)
-+ if (limit - data <= 2)
- return 1;
- n2s(data, len);
-
-- if (data > limit - len)
-+ if (limit - data < len)
- return 1;
-
-- while (data <= limit - 4) {
-+ while (limit - data >= 4) {
- n2s(data, type);
- n2s(data, size);
-
-- if (data + size > limit)
-+ if (limit - data < size)
- return 1;
- if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
- return 0;
-@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
- SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
-
-- if (data >= (d + n - 2))
-+ if ((d + n) - data <= 2)
- goto ri_check;
-
- n2s(data, length);
-- if (data + length != d + n) {
-+ if ((d + n) - data != length) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
-- while (data <= (d + n - 4)) {
-+ while ((d + n) - data >= 4) {
- n2s(data, type);
- n2s(data, size);
-
-- if (data + size > (d + n))
-+ if ((d + n) - data < size)
- goto ri_check;
-
- if (s->tlsext_debug_cb)
-@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
- /* Skip past DTLS cookie */
- if (SSL_IS_DTLS(s)) {
- i = *(p++);
-- p += i;
-- if (p >= limit)
-+
-+ if (limit - p <= i)
- return -1;
-+
-+ p += i;
- }
- /* Skip past cipher list */
- n2s(p, i);
-- p += i;
-- if (p >= limit)
-+ if (limit - p <= i)
- return -1;
-+ p += i;
-+
- /* Skip past compression algorithm list */
- i = *(p++);
-- p += i;
-- if (p > limit)
-+ if (limit - p < i)
- return -1;
-+ p += i;
-+
- /* Now at start of extensions */
-- if ((p + 2) >= limit)
-+ if (limit - p <= 2)
- return 0;
- n2s(p, i);
-- while ((p + 4) <= limit) {
-+ while (limit - p >= 4) {
- unsigned short type, size;
- n2s(p, type);
- n2s(p, size);
-- if (p + size > limit)
-+ if (limit - p < size)
- return 0;
- if (type == TLSEXT_TYPE_session_ticket) {
- int r;
---
-2.8.4
-
diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch
deleted file mode 100644
index 37cf2763af..0000000000
--- a/gnu/packages/patches/openssl-CVE-2016-2178.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-Fix CVE-2016-2178.
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178>
-
-Source:
-<https://git.openssl.org/?p=openssl.git;a=commit;h=621eaf49a289bfac26d4cbcdb7396e796784c534>
-<https://git.openssl.org/?p=openssl.git;a=commit;h=b7d0f2834e139a20560d64c73e2565e93715ce2b>
-
-From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
-From: Cesar Pereida <cesar.pereida@aalto.fi>
-Date: Mon, 23 May 2016 12:45:25 +0300
-Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME
-
-Operations in the DSA signing algorithm should run in constant time in
-order to avoid side channel attacks. A flaw in the OpenSSL DSA
-implementation means that a non-constant time codepath is followed for
-certain operations. This has been demonstrated through a cache-timing
-attack to be sufficient for an attacker to recover the private DSA key.
-
-CVE-2016-2178
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index efc4f1b..b29eb4b 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- if (!BN_rand_range(&k, dsa->q))
- goto err;
- while (BN_is_zero(&k)) ;
-- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-- BN_set_flags(&k, BN_FLG_CONSTTIME);
-- }
-
- if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
- if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- }
-
- K = &kq;
-+
-+ BN_set_flags(K, BN_FLG_CONSTTIME);
- } else {
- K = &k;
- }
-+
- DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
- dsa->method_mont_p);
- if (!BN_mod(r, r, dsa->q, ctx))
---
-2.8.4
-
-From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Jun 2016 09:12:51 +0100
-Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME
-
-The previous "fix" still left "k" exposed to constant time problems in
-the later BN_mod_inverse() call. Ensure both k and kq have the
-BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.
-
-CVE-2016-2178
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index b29eb4b..58013a4 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- do
- if (!BN_rand_range(&k, dsa->q))
- goto err;
-- while (BN_is_zero(&k)) ;
-+ while (BN_is_zero(&k));
-+
-+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+ BN_set_flags(&k, BN_FLG_CONSTTIME);
-+ }
-+
-
- if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
- if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- if (!BN_copy(&kq, &k))
- goto err;
-
-+ BN_set_flags(&kq, BN_FLG_CONSTTIME);
-+
- /*
- * We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
-@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- }
-
- K = &kq;
--
-- BN_set_flags(K, BN_FLG_CONSTTIME);
- } else {
- K = &k;
- }
---
-2.8.4
-
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
deleted file mode 100644
index 4c25d41740..0000000000
--- a/gnu/packages/patches/perl-CVE-2015-8607.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Tue, 15 Dec 2015 10:56:54 +1100
-Subject: ensure File::Spec::canonpath() preserves taint
-
-Previously the unix specific XS implementation of canonpath() would
-return an untainted path when supplied a tainted path.
-
-For the empty string case, newSVpvs() already sets taint as needed on
-its result.
-
-This issue was assigned CVE-2015-8607.
-
-Bug: https://rt.perl.org/Ticket/Display.html?id=126862
-Bug-Debian: https://bugs.debian.org/810719
-Origin: upstream
-Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
----
- dist/PathTools/Cwd.xs | 1 +
- dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
-index 9d4dcf0..3d018dc 100644
---- a/dist/PathTools/Cwd.xs
-+++ b/dist/PathTools/Cwd.xs
-@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
- *o = 0;
- SvPOK_on(retval);
- SvCUR_set(retval, o - SvPVX(retval));
-+ SvTAINT(retval);
- return retval;
- }
-
-diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
-index 309b3e5..48f8c5b 100644
---- a/dist/PathTools/t/taint.t
-+++ b/dist/PathTools/t/taint.t
-@@ -12,7 +12,7 @@ use Test::More;
- BEGIN {
- plan(
- ${^TAINT}
-- ? (tests => 17)
-+ ? (tests => 21)
- : (skip_all => "A perl without taint support")
- );
- }
-@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
-
- # Previous versions of Cwd tainted $^O
- is !tainted($^O), 1, "\$^O should not be tainted";
-+
-+{
-+ # [perl #126862] canonpath() loses taint
-+ my $tainted = substr($ENV{PATH}, 0, 0);
-+ # yes, getcwd()'s result should be tainted, and is tested above
-+ # but be sure
-+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
-+ "canonpath() keeps taint on non-empty string";
-+ ok tainted(File::Spec->canonpath($tainted)),
-+ "canonpath() keeps taint on empty string";
-+
-+ (Cwd::getcwd() =~ /^(.*)/);
-+ my $untainted = $1;
-+ ok !tainted($untainted), "make sure our untainted value is untainted";
-+ ok !tainted(File::Spec->canonpath($untainted)),
-+ "canonpath() doesn't add taint to untainted string";
-+}
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
deleted file mode 100644
index 99d1944a5d..0000000000
--- a/gnu/packages/patches/perl-CVE-2016-2381.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
-
-Copied from upstream:
-http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
-
-References:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
-http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
-https://security-tracker.debian.org/tracker/CVE-2016-2381
-
----
-
-From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Wed, 27 Jan 2016 11:52:15 +1100
-Subject: remove duplicate environment variables from environ
-
-If we see duplicate environment variables while iterating over
-environ[]:
-
-a) make sure we use the same value in %ENV that getenv() returns.
-
-Previously on a duplicate, %ENV would have the last entry for the name
-from environ[], but a typical getenv() would return the first entry.
-
-Rather than assuming all getenv() implementations return the first entry
-explicitly call getenv() to ensure they agree.
-
-b) remove duplicate entries from environ
-
-Previously if there was a duplicate definition for a name in environ[]
-setting that name in %ENV could result in an unsafe value being passed
-to a child process, so ensure environ[] has no duplicates.
-
-Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
----
- perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 49 insertions(+), 2 deletions(-)
-
-diff --git a/perl.c b/perl.c
-index 67d32ce..26aeb91 100644
---- a/perl.c
-+++ b/perl.c
-@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
- }
- if (env) {
- char *s, *old_var;
-+ STRLEN nlen;
- SV *sv;
-+ HV *dups = newHV();
-+
- for (; *env; env++) {
- old_var = *env;
-
- if (!(s = strchr(old_var,'=')) || s == old_var)
- continue;
-+ nlen = s - old_var;
-
- #if defined(MSDOS) && !defined(DJGPP)
- *s = '\0';
- (void)strupr(old_var);
- *s = '=';
- #endif
-- sv = newSVpv(s+1, 0);
-- (void)hv_store(hv, old_var, s - old_var, sv, 0);
-+ if (hv_exists(hv, old_var, nlen)) {
-+ const char *name = savepvn(old_var, nlen);
-+
-+ /* make sure we use the same value as getenv(), otherwise code that
-+ uses getenv() (like setlocale()) might see a different value to %ENV
-+ */
-+ sv = newSVpv(PerlEnv_getenv(name), 0);
-+
-+ /* keep a count of the dups of this name so we can de-dup environ later */
-+ if (hv_exists(dups, name, nlen))
-+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
-+ else
-+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
-+
-+ Safefree(name);
-+ }
-+ else {
-+ sv = newSVpv(s+1, 0);
-+ }
-+ (void)hv_store(hv, old_var, nlen, sv, 0);
- if (env_is_not_environ)
- mg_set(sv);
- }
-+ if (HvKEYS(dups)) {
-+ /* environ has some duplicate definitions, remove them */
-+ HE *entry;
-+ hv_iterinit(dups);
-+ while ((entry = hv_iternext_flags(dups, 0))) {
-+ STRLEN nlen;
-+ const char *name = HePV(entry, nlen);
-+ IV count = SvIV(HeVAL(entry));
-+ IV i;
-+ SV **valp = hv_fetch(hv, name, nlen, 0);
-+
-+ assert(valp);
-+
-+ /* try to remove any duplicate names, depending on the
-+ * implementation used in my_setenv() the iteration might
-+ * not be necessary, but let's be safe.
-+ */
-+ for (i = 0; i < count; ++i)
-+ my_setenv(name, 0);
-+
-+ /* and set it back to the value we set $ENV{name} to */
-+ my_setenv(name, SvPV_nolen(*valp));
-+ }
-+ }
-+ SvREFCNT_dec_NN(dups);
- }
- #endif /* USE_ENVIRON_ARRAY */
- #endif /* !PERL_MICRO */
diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch
deleted file mode 100644
index 5d78e8f462..0000000000
--- a/gnu/packages/patches/perl-no-build-time.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Do not record the configuration and build time so that builds can be
-reproduced bit-for-bit.
-
---- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100
-+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100
-@@ -3834,6 +3817,7 @@ esac
-
- : who configured the system
- cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
-+cf_time='Thu Jan 1 00:00:01 UTC 1970'
- case "$cf_by" in
- "")
- cf_by=`(logname) 2>/dev/null`
-
---- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100
-+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100
-@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
- PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
- sizeof(non_bincompat_options) - 1, SVs_TEMP));
-
--#ifdef __DATE__
-+#if 0
- # ifdef __TIME__
- PUSHs(Perl_newSVpvn_flags(aTHX_
- STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),
-
diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch
new file mode 100644
index 0000000000..bf0d4b8f6d
--- /dev/null
+++ b/gnu/packages/patches/perl-reproducible-build-date.patch
@@ -0,0 +1,50 @@
+Don't encode the current timestamp.
+
+This affects the output of `perl -V`, specifically the message "Compiled
+at [...]".
+
+The 'cf_time' and 'cf_by' values show up in 'config.h' and
+in 'Config_heavy.pl'.
+
+Use the output of 'uname -s' instead of 'uname -a' to avoid recording
+the kernel version ('uname -o' leads to directory names like
+'x86_64-gnulinux' instead of 'x86_64-linux', which might cause breakage
+down the road.)
+
+diff --git a/perl.c b/perl.c
+index 228a0d8..ed38313 100644
+--- a/perl.c
++++ b/perl.c
+@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv)
+ PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
+ sizeof(non_bincompat_options) - 1, SVs_TEMP));
+
++#define PERL_BUILD_DATE "Jan 1 1970 00:00:00"
+ #ifndef PERL_BUILD_DATE
+ # ifdef __DATE__
+ # ifdef __TIME__
+
+--- a/Configure 1970-01-01 01:00:00.000000000 +0100
++++ b/Configure 2016-10-01 14:47:20.017319739 +0200
+@@ -3276,7 +3276,7 @@ $eunicefix tr
+ : Try to determine whether config.sh was made on this system
+ case "$config_sh" in
+ '')
+-myuname=`$uname -a 2>/dev/null`
++myuname=`$uname -s 2>/dev/null`
+ $test -z "$myuname" && myuname=`hostname 2>/dev/null`
+ # Downcase everything to avoid ambiguity.
+ # Remove slashes and single quotes so we can use parts of this in
+@@ -3845,10 +3845,10 @@
+ . ./posthint.sh
+
+ : who configured the system
+-cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
++cf_time="1970-01-01"
+ case "$cf_by" in
+ "")
+- cf_by=`(logname) 2>/dev/null`
++ cf_by="guix"
+ case "$cf_by" in
+ "")
+ cf_by=`(whoami) 2>/dev/null`
diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch
deleted file mode 100644
index 37330c9537..0000000000
--- a/gnu/packages/patches/perl-source-date-epoch.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Adapted from <https://bugs.debian.org/801621>.
-Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
-
---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100
-+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100
-@@ -884,7 +884,12 @@ sub devise_date {
- my ($self) = @_;
- my $input = $self->source_filename;
- my $time;
-- if ($input) {
-+
-+ if (defined($ENV{SOURCE_DATE_EPOCH}) &&
-+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
-+ $time = $ENV{SOURCE_DATE_EPOCH};
-+ }
-+ elsif ($input) {
- $time = (stat $input)[9] || time;
- } else {
- $time = time;
diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch
deleted file mode 100644
index 9d369aeb2c..0000000000
--- a/gnu/packages/patches/procps-non-linux.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001
-From: Craig Small <csmall@enc.com.au>
-Date: Sun, 17 Apr 2016 09:09:41 +1000
-Subject: [PATCH] tests: Conditionally add prctl to test process
-
-prctl was already bypassed on Cygwin systems. This extends to
-non-Linux systems such as kFreeBSD and Hurd.
-
----
- lib/test_process.c | 4 ++--
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/test_process.c b/lib/test_process.c
-index 6e652ed..6a4776c 100644
---- a/lib/test_process.c
-+++ b/lib/test_process.c
-@@ -21,7 +21,9 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <signal.h>
-+#ifdef __linux__
- #include <sys/prctl.h>
-+#endif
- #include "c.h"
-
- #define DEFAULT_SLEEPTIME 300
-@@ -78,8 +80,10 @@
- sigaction(SIGUSR1, &signal_action, NULL);
- sigaction(SIGUSR2, &signal_action, NULL);
-
-+#ifdef __linux__
- /* set process name */
- prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL);
-+#endif
-
- while (sleep_time > 0) {
- sleep_time = sleep(sleep_time);
---
-2.8.2
-
diff --git a/gnu/packages/patches/python-3.4-fix-tests.patch b/gnu/packages/patches/python-3.4-fix-tests.patch
new file mode 100644
index 0000000000..d1f8138e79
--- /dev/null
+++ b/gnu/packages/patches/python-3.4-fix-tests.patch
@@ -0,0 +1,12 @@
+--- Lib/test/test_posixpath.py 2014-03-01 05:46:56.984311000 +0100
++++ Lib/test/test_posixpath.py 2014-03-07 00:59:20.888311000 +0100
+@@ -319,7 +319,11 @@
+ del env['HOME']
+ home = pwd.getpwuid(os.getuid()).pw_dir
+ # $HOME can end with a trailing /, so strip it (see #17809)
+- self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
++ # The Guix builders have '/' as a home directory, so
++ # home.rstrip("/") will be an empty string and the test will
++ # fail. Let's just disable it since it does not really make
++ # sense with such a bizarre setup.
++ # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch
new file mode 100644
index 0000000000..46d2a84efb
--- /dev/null
+++ b/gnu/packages/patches/python-3.5-fix-tests.patch
@@ -0,0 +1,46 @@
+Additional test fixes which affect Python 3.5 (and presumably later) but not
+prior revisions of Python.
+
+--- Lib/test/test_pathlib.py 2014-03-01 03:02:36.088311000 +0100
++++ Lib/test/test_pathlib.py 2014-03-01 04:56:37.768311000 +0100
+@@ -1986,8 +1986,9 @@
+ expect = set() if not support.fs_is_case_insensitive(BASE) else given
+ self.assertEqual(given, expect)
+ self.assertEqual(set(p.rglob("FILEd*")), set())
+
++ @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
+ def test_expanduser(self):
+ P = self.cls
+ support.import_module('pwd')
+ import pwd
+--- Lib/test/test_tarfile.py 2016-02-24 19:22:52.597208055 +0000
++++ Lib/test/test_tarfile.py 2016-02-24 20:50:48.941950135 +0000
+@@ -2305,11 +2305,14 @@
+ try:
+ import pwd, grp
+ except ImportError:
+ return False
+- if pwd.getpwuid(0)[0] != 'root':
+- return False
+- if grp.getgrgid(0)[0] != 'root':
++ try:
++ if pwd.getpwuid(0)[0] != 'root':
++ return False
++ if grp.getgrgid(0)[0] != 'root':
++ return False
++ except KeyError:
+ return False
+ return True
+
+
+--- Lib/test/test_asyncio/test_base_events.py
++++ Lib/test/test_asyncio/test_base_events.py
+@@ -142,6 +142,8 @@ class BaseEventTests(test_utils.TestCase):
+ (INET, STREAM, TCP, '', ('1.2.3.4', 1)),
+ base_events._ipaddr_info('1.2.3.4', b'1', INET, STREAM, TCP))
+
++ @unittest.skipUnless(support.is_resource_enabled('network'),
++ 'network is not enabled')
+ def test_getaddrinfo_servname(self):
+ INET = socket.AF_INET
+ STREAM = socket.SOCK_STREAM
diff --git a/gnu/packages/patches/python-disable-ssl-test.patch b/gnu/packages/patches/python-disable-ssl-test.patch
deleted file mode 100644
index e351c77505..0000000000
--- a/gnu/packages/patches/python-disable-ssl-test.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Disable a test that fails with openssl-1.0.2b.
-
---- Lib/test/test_ssl.py.orig 2015-02-25 06:27:45.000000000 -0500
-+++ Lib/test/test_ssl.py 2015-06-12 03:14:09.395212502 -0400
-@@ -2718,6 +2718,7 @@
- chatty=True, connectionchatty=True)
- self.assertIs(stats['compression'], None)
-
-+ @unittest.skipIf(True, "openssl 1.0.2b complains: dh key too small")
- def test_dh_params(self):
- # Check we can get a connection with ephemeral Diffie-Hellman
- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
diff --git a/gnu/packages/patches/python-file-double-encoding-bug.patch b/gnu/packages/patches/python-file-double-encoding-bug.patch
new file mode 100644
index 0000000000..bbe825c36a
--- /dev/null
+++ b/gnu/packages/patches/python-file-double-encoding-bug.patch
@@ -0,0 +1,50 @@
+Fix bug that breaks file's Python bindings when using Python 3. This patch
+should not be applied when using Python 2.
+
+Copied from upstream source repository:
+
+https://github.com/file/file/commit/73e043d2a986234b187a00ed0c8d1f7bf83df372
+
+From 73e043d2a986234b187a00ed0c8d1f7bf83df372 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Tue, 28 Jun 2016 17:10:22 +0000
+Subject: [PATCH] PR/562: Reiner Herrmann: Avoid double encoding with python3
+
+---
+ python/magic.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/python/magic.py b/python/magic.py
+index c48f7d5..b0f7a17 100644
+--- a/python/magic.py
++++ b/python/magic.py
+@@ -134,7 +134,7 @@ class Magic(object):
+ if isinstance(r, str):
+ return r
+ else:
+- return str(r).encode('utf-8')
++ return str(r, 'utf-8')
+
+ def descriptor(self, fd):
+ """
+@@ -152,7 +152,7 @@ class Magic(object):
+ if isinstance(r, str):
+ return r
+ else:
+- return str(r).encode('utf-8')
++ return str(r, 'utf-8')
+
+ def error(self):
+ """
+@@ -163,7 +163,7 @@ class Magic(object):
+ if isinstance(e, str):
+ return e
+ else:
+- return str(e).encode('utf-8')
++ return str(e, 'utf-8')
+
+ def setflags(self, flags):
+ """
+--
+2.10.1
+
diff --git a/gnu/packages/patches/python-fix-tests.patch b/gnu/packages/patches/python-fix-tests.patch
index 82c19980f9..e093307c51 100644
--- a/gnu/packages/patches/python-fix-tests.patch
+++ b/gnu/packages/patches/python-fix-tests.patch
@@ -20,21 +20,6 @@ http://bugs.python.org/issue20868 .
def test_tarfile_root_owner(self):
tmpdir, tmpdir2, base_name = self._create_files()
---- Lib/test/test_posixpath.py 2014-03-01 05:46:56.984311000 +0100
-+++ Lib/test/test_posixpath.py 2014-03-07 00:59:20.888311000 +0100
-@@ -319,7 +319,11 @@
- del env['HOME']
- home = pwd.getpwuid(os.getuid()).pw_dir
- # $HOME can end with a trailing /, so strip it (see #17809)
-- self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
-+ # The Guix builders have '/' as a home directory, so
-+ # home.rstrip("/") will be an empty string and the test will
-+ # fail. Let's just disable it since it does not really make
-+ # sense with such a bizarre setup.
-+ # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
-
- def test_normpath(self):
- self.assertEqual(posixpath.normpath(""), ".")
--- Lib/test/test_socket.py.orig 2014-03-02 22:14:12.264311000 +0100
+++ Lib/test/test_socket.py 2014-03-21 03:50:45.660311000 +0100
@@ -819,6 +819,8 @@
diff --git a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
new file mode 100644
index 0000000000..1426883216
--- /dev/null
+++ b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
@@ -0,0 +1,33 @@
+Do not define BSDWAIT to avoid error "storage size of ‘w’ isn’t known".
+
+This is an adapted version of the upstream patch taken from here:
+https://github.com/tcsh-org/tcsh/commit/4689eb60a74bf13bc146ca3d76e9d7a124ab7b49.patch
+
+From 4689eb60a74bf13bc146ca3d76e9d7a124ab7b49 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Fri, 23 Sep 2016 19:17:28 +0000
+Subject: [PATCH] Don't define BSDWAIT for linux anymore.
+
+---
+ sh.proc.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/sh.proc.c b/sh.proc.c
+index 49b199f..874d67c 100644
+--- sh.proc.c
++++ sh.proc.c
+@@ -47,11 +47,9 @@ RCSID("$tcsh$")
+ # define HZ 16
+ #endif /* aiws */
+
+-#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) || defined(__linux__) || defined(__GNU__) || defined(__GLIBC__)
+-# if !defined(__ANDROID__)
+-# define BSDWAIT
+-# endif
+-#endif /* _BSD || (IRIS4D && __STDC__) || __lucid || glibc */
++#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid)
++# define BSDWAIT
++#endif /* _BSD || (IRIS4D && __STDC__) || __lucid */
+ #ifndef WTERMSIG
+ # define WTERMSIG(w) (((union wait *) &(w))->w_termsig)
+ # ifndef BSDWAIT