aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/clx-remove-demo.patch27
-rw-r--r--gnu/packages/patches/hdf-eos5-build-shared.patch31
-rw-r--r--gnu/packages/patches/hdf-eos5-fix-szip.patch30
-rw-r--r--gnu/packages/patches/hdf-eos5-fortrantests.patch156
-rw-r--r--gnu/packages/patches/hdf-eos5-remove-gctp.patch55
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch62
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch29
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch18
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch61
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch266
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch17
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch267
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch188
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2819.patch102
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2821.patch16
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2824.patch85
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2828.patch185
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2831.patch120
-rw-r--r--gnu/packages/patches/icecat-avoid-bundled-includes.patch35
-rw-r--r--gnu/packages/patches/icecat-avoid-bundled-libraries.patch50
-rw-r--r--gnu/packages/patches/libupnp-CVE-2016-6255.patch50
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-8576.patch62
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-8577.patch36
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-8578.patch27
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch32
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch51
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch54
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch34
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch82
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch51
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch82
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch62
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch50
34 files changed, 524 insertions, 1982 deletions
diff --git a/gnu/packages/patches/clx-remove-demo.patch b/gnu/packages/patches/clx-remove-demo.patch
new file mode 100644
index 0000000000..c5fffea0d0
--- /dev/null
+++ b/gnu/packages/patches/clx-remove-demo.patch
@@ -0,0 +1,27 @@
+--- a/clx.asd 2016-02-16 00:06:48.161596976 -0500
++++ b/clx.asd 2016-02-16 00:06:54.793774658 -0500
+@@ -79,24 +79,6 @@
+ (:file "xtest")
+ (:file "screensaver")
+ (:file "xinerama")))
+- (:module demo
+- :default-component-class example-source-file
+- :components
+- ((:file "bezier")
+- ;; KLUDGE: this requires "bezier" for proper operation,
+- ;; but we don't declare that dependency here, because
+- ;; asdf doesn't load example files anyway.
+- (:file "beziertest")
+- (:file "clclock")
+- (:file "clipboard")
+- (:file "clx-demos")
+- (:file "gl-test")
+- ;; FIXME: compiling this generates 30-odd spurious code
+- ;; deletion notes. Find out why, and either fix or
+- ;; workaround the problem.
+- (:file "mandel")
+- (:file "menu")
+- (:file "zoid")))
+ (:module test
+ :default-component-class example-source-file
+ :components
diff --git a/gnu/packages/patches/hdf-eos5-build-shared.patch b/gnu/packages/patches/hdf-eos5-build-shared.patch
new file mode 100644
index 0000000000..f4ae5c73e3
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-build-shared.patch
@@ -0,0 +1,31 @@
+Make shared library linking work.
+---
+ src/Makefile.in | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 86880e5..24efffe 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -72,7 +72,7 @@ LTCOMPILE = $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS) -DH5_USE_16_API
+ CCLD = $(CC)
+-LINK = $(LIBTOOL) --mode=link --tag=CC $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
++LINK = HDF5_USE_SHLIB=yes $(LIBTOOL) --mode=link --tag=CC $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+ SOURCES = $(libhe5_hdfeos_la_SOURCES)
+ DIST_SOURCES = $(libhe5_hdfeos_la_SOURCES)
+@@ -124,9 +124,6 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_SCRIPT = @INSTALL_SCRIPT@
+ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+
+-# Set LDFLAGS to allow the HDF-EOS library to use extern variables from
+-# HDF5
+-LDFLAGS = -Wl,-single_module
+ LIBOBJS = @LIBOBJS@
+ LIBS = @LIBS@
+ LIBTOOL = @LIBTOOL@
+--
+2.10.0
+
diff --git a/gnu/packages/patches/hdf-eos5-fix-szip.patch b/gnu/packages/patches/hdf-eos5-fix-szip.patch
new file mode 100644
index 0000000000..799f542ef3
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-fix-szip.patch
@@ -0,0 +1,30 @@
+Ill-placed #endif causes missing symbol errors when compiling without
+szip. Reported to upstream maintainer.
+---
+ src/EHapi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/EHapi.c b/src/EHapi.c
+index 46a9b5c..208f447 100755
+--- a/src/EHapi.c
++++ b/src/EHapi.c
+@@ -11379,6 +11379,7 @@ int HE5_szip_can_encode(void )
+ return(-1);
+ }
+
++#endif /* H5_HAVE_FILTER_SZIP */
+
+
+ /*----------------------------------------------------------------------------|
+@@ -11509,8 +11510,6 @@ HE5_EHHEisHE5(char *filename)
+ }
+ }
+
+-#endif /* H5_HAVE_FILTER_SZIP */
+-
+
+ #ifndef __cplusplus
+
+--
+2.10.0
+
diff --git a/gnu/packages/patches/hdf-eos5-fortrantests.patch b/gnu/packages/patches/hdf-eos5-fortrantests.patch
new file mode 100644
index 0000000000..7333056342
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-fortrantests.patch
@@ -0,0 +1,156 @@
+Fix fortran line length/indentation issues in Fortran test programs.
+Reported to upstream maintainer.
+
+diff --git a/samples/he5_gd_writedataF_32.f b/samples/he5_gd_writedataF_32.f
+index 515edf9..9c86299 100755
+--- a/samples/he5_gd_writedataF_32.f
++++ b/samples/he5_gd_writedataF_32.f
+@@ -77,26 +77,26 @@ c ------------------------------
+
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrattr(): ',status
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrgattr(): ',status
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_ehwrglatt(): ',status
+
+ attr5 = "abcdefgh111111111111"
+ count(1) = 20
+- status = he5_gdwrlattr(gdid,"Vegetation","LocalAttribute_0",
+- 1 HE5T_NATIVE_CHAR,count,attr5)
++ status = he5_gdwrlattr(gdid,"Vegetation"
++ & ,"LocalAttribute_0",HE5T_NATIVE_CHAR,count,attr5)
+ write(*,*) 'Status returned by he5_gdwrlattr(): ',status
+
+ endif
+diff --git a/samples/he5_gd_writedataF_64.f b/samples/he5_gd_writedataF_64.f
+index eff04f5..62a7398 100755
+--- a/samples/he5_gd_writedataF_64.f
++++ b/samples/he5_gd_writedataF_64.f
+@@ -77,26 +77,26 @@ c ------------------------------
+
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrattr(): ',status
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrgattr(): ',status
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_ehwrglatt(): ',status
+
+ attr5 = "abcdefgh111111111111"
+ count(1) = 20
+- status = he5_gdwrlattr(gdid,"Vegetation","LocalAttribute_0",
+- 1 HE5T_NATIVE_CHAR,count,attr5)
++ status = he5_gdwrlattr(gdid,"Vegetation"
++ & ,"LocalAttribute_0",HE5T_NATIVE_CHAR,count,attr5)
+ write(*,*) 'Status returned by he5_gdwrlattr(): ',status
+
+ endif
+diff --git a/samples/he5_sw_writedataF_32.f b/samples/he5_sw_writedataF_32.f
+index 7abab9b..fedd49a 100755
+--- a/samples/he5_sw_writedataF_32.f
++++ b/samples/he5_sw_writedataF_32.f
+@@ -173,20 +173,21 @@ c Write Global Attribute
+ c ----------------------
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_swwrattr(): ',status
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_swwrgattr(): ',status
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(swfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(swfid
++ & ,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR
++ & ,count,attr4)
+ write(*,*) 'Status returned by he5_ehwrglatt(): ',status
+
+ c Write Local Attribute
+diff --git a/samples/he5_sw_writedataF_64.f b/samples/he5_sw_writedataF_64.f
+index 79e34bd..e5d74cb 100755
+--- a/samples/he5_sw_writedataF_64.f
++++ b/samples/he5_sw_writedataF_64.f
+@@ -162,25 +162,27 @@ c Write Global Attribute
+ c ----------------------
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(swfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(swfid
++ & ,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR
++ & ,count,attr4)
+
+ c Write Local Attribute
+ c ---------------------
+ attr5 = "abababababababababab"
+ count(1) = 20
+- status = he5_swwrlattr(swid,"Density","LocalAttribute_0",
+- 1 HE5T_NATIVE_CHAR,count,attr5)
++ status = he5_swwrlattr(swid,"Density"
++ & ,"LocalAttribute_0",HE5T_NATIVE_CHAR,count
++ & ,attr5)
+
+
+ endif
+--
+2.10.0
+
diff --git a/gnu/packages/patches/hdf-eos5-remove-gctp.patch b/gnu/packages/patches/hdf-eos5-remove-gctp.patch
new file mode 100644
index 0000000000..3b78357129
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-remove-gctp.patch
@@ -0,0 +1,55 @@
+Don't build/install/use bundled gctp code/headers.
+
+* cproj.h, proj.h: part of GCTP, therefore already present.
+* HE5_config.h, tutils.h: used for library building and testing.
+
+diff --git a/Makefile.in b/Makefile.in
+index f160d0d..367b537 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -206,7 +206,7 @@ LIBGCTP = $(top_builddir)/gctp/src/libGctp.la
+ @TESTDRIVERS_CONDITIONAL_TRUE@TESTDRIVERS = testdrivers
+ @INSTALL_INCLUDE_CONDITIONAL_FALSE@INCLUDE =
+ @INSTALL_INCLUDE_CONDITIONAL_TRUE@INCLUDE = include
+-SUBDIRS = gctp src $(INCLUDE) samples $(TESTDRIVERS)
++SUBDIRS = src $(INCLUDE) samples $(TESTDRIVERS)
+ all: all-recursive
+
+ .SUFFIXES:
+diff --git a/samples/Makefile.in b/samples/Makefile.in
+index 59331dd..64fda89 100644
+--- a/samples/Makefile.in
++++ b/samples/Makefile.in
+@@ -206,7 +206,6 @@ he5_gd_datainfo_SOURCES = he5_gd_datainfo.c
+ he5_gd_datainfo_OBJECTS = he5_gd_datainfo.$(OBJEXT)
+ he5_gd_datainfo_LDADD = $(LDADD)
+ am__DEPENDENCIES_1 = $(top_builddir)/src/libhe5_hdfeos.la
+-am__DEPENDENCIES_2 = $(top_builddir)/gctp/src/libGctp.la
+ he5_gd_datainfo_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_2)
+ he5_gd_defexternalfld_SOURCES = he5_gd_defexternalfld.c
+@@ -1093,7 +1092,7 @@ sharedstatedir = @sharedstatedir@
+ sysconfdir = @sysconfdir@
+ target_alias = @target_alias@
+ LIBHDFEOS5 = $(top_builddir)/src/libhe5_hdfeos.la
+-LIBGCTP = $(top_builddir)/gctp/src/libGctp.la
++LIBGCTP =
+
+ # Boilerplate definitions file
+
+diff --git a/include/Makefile.in b/include/Makefile.in
+index a572128..64dabb5 100644
+--- a/include/Makefile.in
++++ b/include/Makefile.in
+@@ -190,8 +190,7 @@ LIBGCTP = $(top_builddir)/gctp/src/libGctp.la
+ # Boilerplate include
+
+ # Headers to install
+-include_HEADERS = HE5_GctpFunc.h HE5_HdfEosDef.h HE5_config.h cproj.h ease.h \
+- isin.h proj.h tutils.h cfortHdf.h
++include_HEADERS = HE5_GctpFunc.h HE5_HdfEosDef.h ease.h isin.h cfortHdf.h
+
+ all: HE5_config.h
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+--
+2.10.0
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
deleted file mode 100644
index 57bc45f3c2..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
+++ /dev/null
@@ -1,62 +0,0 @@
- changeset: 312039:4290826b078c
- user: Timothy Nikkel <tnikkel@gmail.com>
- Date: Fri May 13 06:09:38 2016 +0200
- summary: Bug 1261230. r=mats, a=ritu
-
-diff -r 45a59425b498 -r 4290826b078c layout/generic/nsSubDocumentFrame.cpp
---- a/layout/generic/nsSubDocumentFrame.cpp Tue May 10 14:12:20 2016 +0200
-+++ b/layout/generic/nsSubDocumentFrame.cpp Fri May 13 06:09:38 2016 +0200
-@@ -132,6 +132,7 @@
- nsCOMPtr<nsIDocument> oldContainerDoc;
- nsView* detachedViews =
- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
-+ frameloader->SetDetachedSubdocView(nullptr, nullptr);
- if (detachedViews) {
- if (oldContainerDoc == aContent->OwnerDoc()) {
- // Restore stashed presentation.
-@@ -142,7 +143,6 @@
- frameloader->Hide();
- }
- }
-- frameloader->SetDetachedSubdocView(nullptr, nullptr);
- }
-
- nsContentUtils::AddScriptRunner(new AsyncFrameInit(this));
-@@ -936,13 +936,16 @@
- if (!mPresShell->IsDestroying()) {
- mPresShell->FlushPendingNotifications(Flush_Frames);
- }
-+
-+ // Either the frame has been constructed by now, or it never will be,
-+ // either way we want to clear the stashed views.
-+ mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
-+
- nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
- if ((!frame && mHideViewerIfFrameless) ||
- mPresShell->IsDestroying()) {
- // Either the frame element has no nsIFrame or the presshell is being
-- // destroyed. Hide the nsFrameLoader, which destroys the presentation,
-- // and clear our references to the stashed presentation.
-- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
-+ // destroyed. Hide the nsFrameLoader, which destroys the presentation.
- mFrameLoader->Hide();
- }
- return NS_OK;
-@@ -968,7 +971,7 @@
- // Detach the subdocument's views and stash them in the frame loader.
- // We can then reattach them if we're being reframed (for example if
- // the frame has been made position:fixed).
-- nsFrameLoader* frameloader = FrameLoader();
-+ RefPtr<nsFrameLoader> frameloader = FrameLoader();
- if (frameloader) {
- nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
-@@ -977,7 +980,7 @@
- // safely determine whether the frame is being reframed or destroyed.
- nsContentUtils::AddScriptRunner(
- new nsHideViewer(mContent,
-- mFrameLoader,
-+ frameloader,
- PresContext()->PresShell(),
- (mDidCreateDoc || mCallingShow)));
- }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch
deleted file mode 100644
index 843e2eb244..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch
+++ /dev/null
@@ -1,29 +0,0 @@
- changeset: 312044:09418166fd77
- user: Jon Coppeard <jcoppeard@mozilla.com>
- Date: Wed May 11 10:14:45 2016 +0100
- summary: Bug 1264575 - Add missing pre-barrier in Ion r=jandem a=ritu
-
-diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit-test/tests/self-hosting/bug1264575.js
---- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/js/src/jit-test/tests/self-hosting/bug1264575.js Wed May 11 10:14:45 2016 +0100
-@@ -0,0 +1,7 @@
-+function f(x, [y]) {}
-+f(0, []);
-+// jsfunfuzz-generated
-+let i = 0;
-+for (var z of [0, 0, 0]) {
-+ verifyprebarriers();
-+}
-diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit/MCallOptimize.cpp
---- a/js/src/jit/MCallOptimize.cpp Mon May 16 15:11:24 2016 -0400
-+++ b/js/src/jit/MCallOptimize.cpp Wed May 11 10:14:45 2016 +0100
-@@ -2263,7 +2263,8 @@
-
- callInfo.setImplicitlyUsedUnchecked();
-
-- MStoreFixedSlot* store = MStoreFixedSlot::New(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
-+ MStoreFixedSlot* store =
-+ MStoreFixedSlot::NewBarriered(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
- current->add(store);
- current->push(store);
-
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch
deleted file mode 100644
index fab003158c..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch
+++ /dev/null
@@ -1,18 +0,0 @@
- changeset: 312051:9ec3d076fbee
- parents: 312049:e0a272d5e162
- user: Eric Faust <efaustbmo@gmail.com>
- Date: Wed May 04 15:54:43 2016 -0700
- summary: Bug 1269729 - Handle another OOM case on ARM. (r=jolesen) a=ritu
-
-diff -r e0a272d5e162 -r 9ec3d076fbee js/src/jit/arm/CodeGenerator-arm.cpp
---- a/js/src/jit/arm/CodeGenerator-arm.cpp Tue May 17 08:26:37 2016 -0400
-+++ b/js/src/jit/arm/CodeGenerator-arm.cpp Wed May 04 15:54:43 2016 -0700
-@@ -1116,7 +1116,7 @@
- for (int32_t i = 0; i < cases; i++) {
- CodeLabel cl;
- masm.writeCodePointer(cl.dest());
-- ool->addCodeLabel(cl);
-+ masm.propagateOOM(ool->addCodeLabel(cl));
- }
- addOutOfLineCode(ool, mir);
- }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch
deleted file mode 100644
index 0973203e0f..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch
+++ /dev/null
@@ -1,61 +0,0 @@
- changeset: 312055:b74f1ab939d2
- user: Olli Pettay <Olli.Pettay@helsinki.fi>
- Date: Mon May 16 21:42:24 2016 +0300
- summary: Bug 1273202, make sure to not keep objects alive too long because of some useless event dispatching, r=jwatt a=ritu
-
-diff -r 072992bf176d -r b74f1ab939d2 dom/html/HTMLInputElement.cpp
---- a/dom/html/HTMLInputElement.cpp Sun May 15 17:03:06 2016 +0300
-+++ b/dom/html/HTMLInputElement.cpp Mon May 16 21:42:24 2016 +0300
-@@ -1168,7 +1168,7 @@
- mFileList->Disconnect();
- }
- if (mNumberControlSpinnerIsSpinning) {
-- StopNumberControlSpinnerSpin();
-+ StopNumberControlSpinnerSpin(eDisallowDispatchingEvents);
- }
- DestroyImageLoadingContent();
- FreeData();
-@@ -3721,7 +3721,7 @@
- }
-
- void
--HTMLInputElement::StopNumberControlSpinnerSpin()
-+HTMLInputElement::StopNumberControlSpinnerSpin(SpinnerStopState aState)
- {
- if (mNumberControlSpinnerIsSpinning) {
- if (nsIPresShell::GetCapturingContent() == this) {
-@@ -3732,11 +3732,16 @@
-
- mNumberControlSpinnerIsSpinning = false;
-
-- FireChangeEventIfNeeded();
-+ if (aState == eAllowDispatchingEvents) {
-+ FireChangeEventIfNeeded();
-+ }
-
- nsNumberControlFrame* numberControlFrame =
- do_QueryFrame(GetPrimaryFrame());
- if (numberControlFrame) {
-+ MOZ_ASSERT(aState == eAllowDispatchingEvents,
-+ "Shouldn't have primary frame for the element when we're not "
-+ "allowed to dispatch events to it anymore.");
- numberControlFrame->SpinnerStateChanged();
- }
- }
-diff -r 072992bf176d -r b74f1ab939d2 dom/html/HTMLInputElement.h
---- a/dom/html/HTMLInputElement.h Sun May 15 17:03:06 2016 +0300
-+++ b/dom/html/HTMLInputElement.h Mon May 16 21:42:24 2016 +0300
-@@ -721,7 +721,12 @@
- HTMLInputElement* GetOwnerNumberControl();
-
- void StartNumberControlSpinnerSpin();
-- void StopNumberControlSpinnerSpin();
-+ enum SpinnerStopState {
-+ eAllowDispatchingEvents,
-+ eDisallowDispatchingEvents
-+ };
-+ void StopNumberControlSpinnerSpin(SpinnerStopState aState =
-+ eAllowDispatchingEvents);
- void StepNumberControlForUserEvent(int32_t aDirection);
-
- /**
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch
deleted file mode 100644
index cd98d0b28b..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch
+++ /dev/null
@@ -1,266 +0,0 @@
- changeset: 312063:88bea96c802a
- user: Andrea Marchesini <amarchesini@mozilla.com>
- Date: Tue May 10 10:52:19 2016 +0200
- summary: Bug 1267130 - Improve the URL segment calculation, r=valentin a=ritu
-
-diff -r 28dcecced055 -r 88bea96c802a netwerk/base/nsStandardURL.cpp
---- a/netwerk/base/nsStandardURL.cpp Wed May 18 11:55:29 2016 +1200
-+++ b/netwerk/base/nsStandardURL.cpp Tue May 10 10:52:19 2016 +0200
-@@ -475,19 +475,28 @@
- }
-
- uint32_t
--nsStandardURL::AppendSegmentToBuf(char *buf, uint32_t i, const char *str, URLSegment &seg, const nsCString *escapedStr, bool useEscaped)
-+nsStandardURL::AppendSegmentToBuf(char *buf, uint32_t i, const char *str,
-+ const URLSegment &segInput, URLSegment &segOutput,
-+ const nsCString *escapedStr,
-+ bool useEscaped, int32_t *diff)
- {
-- if (seg.mLen > 0) {
-+ MOZ_ASSERT(segInput.mLen == segOutput.mLen);
-+
-+ if (diff) *diff = 0;
-+
-+ if (segInput.mLen > 0) {
- if (useEscaped) {
-- seg.mLen = escapedStr->Length();
-- memcpy(buf + i, escapedStr->get(), seg.mLen);
-+ MOZ_ASSERT(diff);
-+ segOutput.mLen = escapedStr->Length();
-+ *diff = segOutput.mLen - segInput.mLen;
-+ memcpy(buf + i, escapedStr->get(), segOutput.mLen);
-+ } else {
-+ memcpy(buf + i, str + segInput.mPos, segInput.mLen);
- }
-- else
-- memcpy(buf + i, str + seg.mPos, seg.mLen);
-- seg.mPos = i;
-- i += seg.mLen;
-+ segOutput.mPos = i;
-+ i += segOutput.mLen;
- } else {
-- seg.mPos = i;
-+ segOutput.mPos = i;
- }
- return i;
- }
-@@ -598,6 +607,20 @@
- }
- }
-
-+ // We must take a copy of every single segment because they are pointing to
-+ // the |spec| while we are changing their value, in case we must use
-+ // encoded strings.
-+ URLSegment username(mUsername);
-+ URLSegment password(mPassword);
-+ URLSegment host(mHost);
-+ URLSegment path(mPath);
-+ URLSegment filepath(mFilepath);
-+ URLSegment directory(mDirectory);
-+ URLSegment basename(mBasename);
-+ URLSegment extension(mExtension);
-+ URLSegment query(mQuery);
-+ URLSegment ref(mRef);
-+
- //
- // generate the normalized URL string
- //
-@@ -607,9 +630,10 @@
- char *buf;
- mSpec.BeginWriting(buf);
- uint32_t i = 0;
-+ int32_t diff = 0;
-
- if (mScheme.mLen > 0) {
-- i = AppendSegmentToBuf(buf, i, spec, mScheme);
-+ i = AppendSegmentToBuf(buf, i, spec, mScheme, mScheme);
- net_ToLowerCase(buf + mScheme.mPos, mScheme.mLen);
- i = AppendToBuf(buf, i, "://", 3);
- }
-@@ -619,15 +643,22 @@
-
- // append authority
- if (mUsername.mLen > 0) {
-- i = AppendSegmentToBuf(buf, i, spec, mUsername, &encUsername, useEncUsername);
-- if (mPassword.mLen >= 0) {
-+ i = AppendSegmentToBuf(buf, i, spec, username, mUsername,
-+ &encUsername, useEncUsername, &diff);
-+ ShiftFromPassword(diff);
-+ if (password.mLen >= 0) {
- buf[i++] = ':';
-- i = AppendSegmentToBuf(buf, i, spec, mPassword, &encPassword, useEncPassword);
-+ i = AppendSegmentToBuf(buf, i, spec, password, mPassword,
-+ &encPassword, useEncPassword, &diff);
-+ ShiftFromHost(diff);
- }
- buf[i++] = '@';
- }
-- if (mHost.mLen > 0) {
-- i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost, useEncHost);
-+ if (host.mLen > 0) {
-+ i = AppendSegmentToBuf(buf, i, spec, host, mHost, &encHost, useEncHost,
-+ &diff);
-+ ShiftFromPath(diff);
-+
- net_ToLowerCase(buf + mHost.mPos, mHost.mLen);
- MOZ_ASSERT(mPort >= -1, "Invalid negative mPort");
- if (mPort != -1 && mPort != mDefaultPort) {
-@@ -652,21 +683,23 @@
- }
- else {
- uint32_t leadingSlash = 0;
-- if (spec[mPath.mPos] != '/') {
-+ if (spec[path.mPos] != '/') {
- LOG(("adding leading slash to path\n"));
- leadingSlash = 1;
- buf[i++] = '/';
- // basename must exist, even if empty (bugs 113508, 429347)
- if (mBasename.mLen == -1) {
-- mBasename.mPos = i;
-- mBasename.mLen = 0;
-+ mBasename.mPos = basename.mPos = i;
-+ mBasename.mLen = basename.mLen = 0;
- }
- }
-
- // record corrected (file)path starting position
- mPath.mPos = mFilepath.mPos = i - leadingSlash;
-
-- i = AppendSegmentToBuf(buf, i, spec, mDirectory, &encDirectory, useEncDirectory);
-+ i = AppendSegmentToBuf(buf, i, spec, directory, mDirectory,
-+ &encDirectory, useEncDirectory, &diff);
-+ ShiftFromBasename(diff);
-
- // the directory must end with a '/'
- if (buf[i-1] != '/') {
-@@ -674,7 +707,9 @@
- mDirectory.mLen++;
- }
-
-- i = AppendSegmentToBuf(buf, i, spec, mBasename, &encBasename, useEncBasename);
-+ i = AppendSegmentToBuf(buf, i, spec, basename, mBasename,
-+ &encBasename, useEncBasename, &diff);
-+ ShiftFromExtension(diff);
-
- // make corrections to directory segment if leadingSlash
- if (leadingSlash) {
-@@ -687,18 +722,24 @@
-
- if (mExtension.mLen >= 0) {
- buf[i++] = '.';
-- i = AppendSegmentToBuf(buf, i, spec, mExtension, &encExtension, useEncExtension);
-+ i = AppendSegmentToBuf(buf, i, spec, extension, mExtension,
-+ &encExtension, useEncExtension, &diff);
-+ ShiftFromQuery(diff);
- }
- // calculate corrected filepath length
- mFilepath.mLen = i - mFilepath.mPos;
-
- if (mQuery.mLen >= 0) {
- buf[i++] = '?';
-- i = AppendSegmentToBuf(buf, i, spec, mQuery, &encQuery, useEncQuery);
-+ i = AppendSegmentToBuf(buf, i, spec, query, mQuery,
-+ &encQuery, useEncQuery,
-+ &diff);
-+ ShiftFromRef(diff);
- }
- if (mRef.mLen >= 0) {
- buf[i++] = '#';
-- i = AppendSegmentToBuf(buf, i, spec, mRef, &encRef, useEncRef);
-+ i = AppendSegmentToBuf(buf, i, spec, ref, mRef, &encRef, useEncRef,
-+ &diff);
- }
- // calculate corrected path length
- mPath.mLen = i - mPath.mPos;
-@@ -953,6 +994,39 @@
- #undef GOT_PREF
- }
-
-+#define SHIFT_FROM(name, what) \
-+void \
-+nsStandardURL::name(int32_t diff) \
-+{ \
-+ if (!diff) return; \
-+ if (what.mLen >= 0) { \
-+ CheckedInt<int32_t> pos = what.mPos; \
-+ pos += diff; \
-+ MOZ_ASSERT(pos.isValid()); \
-+ what.mPos = pos.value(); \
-+ }
-+
-+#define SHIFT_FROM_NEXT(name, what, next) \
-+ SHIFT_FROM(name, what) \
-+ next(diff); \
-+}
-+
-+#define SHIFT_FROM_LAST(name, what) \
-+ SHIFT_FROM(name, what) \
-+}
-+
-+SHIFT_FROM_NEXT(ShiftFromAuthority, mAuthority, ShiftFromUsername)
-+SHIFT_FROM_NEXT(ShiftFromUsername, mUsername, ShiftFromPassword)
-+SHIFT_FROM_NEXT(ShiftFromPassword, mPassword, ShiftFromHost)
-+SHIFT_FROM_NEXT(ShiftFromHost, mHost, ShiftFromPath)
-+SHIFT_FROM_NEXT(ShiftFromPath, mPath, ShiftFromFilepath)
-+SHIFT_FROM_NEXT(ShiftFromFilepath, mFilepath, ShiftFromDirectory)
-+SHIFT_FROM_NEXT(ShiftFromDirectory, mDirectory, ShiftFromBasename)
-+SHIFT_FROM_NEXT(ShiftFromBasename, mBasename, ShiftFromExtension)
-+SHIFT_FROM_NEXT(ShiftFromExtension, mExtension, ShiftFromQuery)
-+SHIFT_FROM_NEXT(ShiftFromQuery, mQuery, ShiftFromRef)
-+SHIFT_FROM_LAST(ShiftFromRef, mRef)
-+
- //----------------------------------------------------------------------------
- // nsStandardURL::nsISupports
- //----------------------------------------------------------------------------
-diff -r 28dcecced055 -r 88bea96c802a netwerk/base/nsStandardURL.h
---- a/netwerk/base/nsStandardURL.h Wed May 18 11:55:29 2016 +1200
-+++ b/netwerk/base/nsStandardURL.h Tue May 10 10:52:19 2016 +0200
-@@ -77,6 +77,7 @@
-
- URLSegment() : mPos(0), mLen(-1) {}
- URLSegment(uint32_t pos, int32_t len) : mPos(pos), mLen(len) {}
-+ URLSegment(const URLSegment& aCopy) : mPos(aCopy.mPos), mLen(aCopy.mLen) {}
- void Reset() { mPos = 0; mLen = -1; }
- // Merge another segment following this one to it if they're contiguous
- // Assumes we have something like "foo;bar" where this object is 'foo' and right
-@@ -177,7 +178,10 @@
- bool NormalizeIDN(const nsCSubstring &host, nsCString &result);
- void CoalescePath(netCoalesceFlags coalesceFlag, char *path);
-
-- uint32_t AppendSegmentToBuf(char *, uint32_t, const char *, URLSegment &, const nsCString *esc=nullptr, bool useEsc = false);
-+ uint32_t AppendSegmentToBuf(char *, uint32_t, const char *,
-+ const URLSegment &input, URLSegment &output,
-+ const nsCString *esc=nullptr,
-+ bool useEsc = false, int32_t* diff = nullptr);
- uint32_t AppendToBuf(char *, uint32_t, const char *, uint32_t);
-
- nsresult BuildNormalizedSpec(const char *spec);
-@@ -216,17 +220,17 @@
- const nsDependentCSubstring Ref() { return Segment(mRef); }
-
- // shift the URLSegments to the right by diff
-- void ShiftFromAuthority(int32_t diff) { mAuthority.mPos += diff; ShiftFromUsername(diff); }
-- void ShiftFromUsername(int32_t diff) { mUsername.mPos += diff; ShiftFromPassword(diff); }
-- void ShiftFromPassword(int32_t diff) { mPassword.mPos += diff; ShiftFromHost(diff); }
-- void ShiftFromHost(int32_t diff) { mHost.mPos += diff; ShiftFromPath(diff); }
-- void ShiftFromPath(int32_t diff) { mPath.mPos += diff; ShiftFromFilepath(diff); }
-- void ShiftFromFilepath(int32_t diff) { mFilepath.mPos += diff; ShiftFromDirectory(diff); }
-- void ShiftFromDirectory(int32_t diff) { mDirectory.mPos += diff; ShiftFromBasename(diff); }
-- void ShiftFromBasename(int32_t diff) { mBasename.mPos += diff; ShiftFromExtension(diff); }
-- void ShiftFromExtension(int32_t diff) { mExtension.mPos += diff; ShiftFromQuery(diff); }
-- void ShiftFromQuery(int32_t diff) { mQuery.mPos += diff; ShiftFromRef(diff); }
-- void ShiftFromRef(int32_t diff) { mRef.mPos += diff; }
-+ void ShiftFromAuthority(int32_t diff);
-+ void ShiftFromUsername(int32_t diff);
-+ void ShiftFromPassword(int32_t diff);
-+ void ShiftFromHost(int32_t diff);
-+ void ShiftFromPath(int32_t diff);
-+ void ShiftFromFilepath(int32_t diff);
-+ void ShiftFromDirectory(int32_t diff);
-+ void ShiftFromBasename(int32_t diff);
-+ void ShiftFromExtension(int32_t diff);
-+ void ShiftFromQuery(int32_t diff);
-+ void ShiftFromRef(int32_t diff);
-
- // fastload helper functions
- nsresult ReadSegment(nsIBinaryInputStream *, URLSegment &);
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch
deleted file mode 100644
index 143b02fa58..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch
+++ /dev/null
@@ -1,17 +0,0 @@
- changeset: 312067:380ddd689680
- user: Timothy Nikkel <tnikkel@gmail.com>
- Date: Tue May 10 22:58:26 2016 -0500
- summary: Bug 1261752. Part 1. r=mats a=ritu
-
-diff -r 02df988a56ae -r 380ddd689680 view/nsViewManager.cpp
---- a/view/nsViewManager.cpp Thu May 26 10:06:15 2016 -0700
-+++ b/view/nsViewManager.cpp Tue May 10 22:58:26 2016 -0500
-@@ -416,7 +416,7 @@
- if (aWidget->NeedsPaint()) {
- // If an ancestor widget was hidden and then shown, we could
- // have a delayed resize to handle.
-- for (nsViewManager *vm = this; vm;
-+ for (RefPtr<nsViewManager> vm = this; vm;
- vm = vm->mRootView->GetParent()
- ? vm->mRootView->GetParent()->GetViewManager()
- : nullptr) {
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch
deleted file mode 100644
index 23c509d6c1..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch
+++ /dev/null
@@ -1,33 +0,0 @@
- changeset: 312068:73cc9a2d8fc1
- user: Timothy Nikkel <tnikkel@gmail.com>
- Date: Tue May 10 22:58:47 2016 -0500
- summary: Bug 1261752. Part 2. r=mats a=ritu
-
-diff -r 380ddd689680 -r 73cc9a2d8fc1 view/nsViewManager.cpp
---- a/view/nsViewManager.cpp Tue May 10 22:58:26 2016 -0500
-+++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500
-@@ -372,7 +372,7 @@
- }
- }
- if (rootShell->GetViewManager() != this) {
-- return; // 'this' might have been destroyed
-+ return; // presentation might have been torn down
- }
- if (aFlushDirtyRegion) {
- nsAutoScriptBlocker scriptBlocker;
-@@ -1069,6 +1069,7 @@
- if (mPresShell) {
- mPresShell->GetPresContext()->RefreshDriver()->RevokeViewManagerFlush();
-
-+ RefPtr<nsViewManager> strongThis(this);
- CallWillPaintOnObservers();
-
- ProcessPendingUpdatesForView(mRootView, true);
-@@ -1085,6 +1086,7 @@
-
- if (mHasPendingWidgetGeometryChanges) {
- mHasPendingWidgetGeometryChanges = false;
-+ RefPtr<nsViewManager> strongThis(this);
- ProcessPendingUpdatesForView(mRootView, false);
- }
- }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch
deleted file mode 100644
index ee5e54e805..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch
+++ /dev/null
@@ -1,267 +0,0 @@
- changeset: 312069:3c2bd9158ad3
- user: Timothy Nikkel <tnikkel@gmail.com>
- Date: Tue May 10 22:58:47 2016 -0500
- summary: Bug 1261752. Part 3. r=mats a=ritu
-
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 layout/forms/nsComboboxControlFrame.cpp
---- a/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500
-@@ -1417,7 +1417,11 @@
- // The popup's visibility doesn't update until the minimize animation has
- // finished, so call UpdateWidgetGeometry to update it right away.
- nsViewManager* viewManager = mDropdownFrame->GetView()->GetViewManager();
-- viewManager->UpdateWidgetGeometry();
-+ viewManager->UpdateWidgetGeometry(); // might destroy us
-+ }
-+
-+ if (!weakFrame.IsAlive()) {
-+ return consume;
- }
-
- return consume;
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 view/nsViewManager.cpp
---- a/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500
-@@ -670,15 +670,16 @@
-
- void nsViewManager::WillPaintWindow(nsIWidget* aWidget)
- {
-- if (aWidget) {
-- nsView* view = nsView::GetViewFor(aWidget);
-- LayerManager *manager = aWidget->GetLayerManager();
-+ RefPtr<nsIWidget> widget(aWidget);
-+ if (widget) {
-+ nsView* view = nsView::GetViewFor(widget);
-+ LayerManager* manager = widget->GetLayerManager();
- if (view &&
- (view->ForcedRepaint() || !manager->NeedsWidgetInvalidation())) {
- ProcessPendingUpdates();
- // Re-get the view pointer here since the ProcessPendingUpdates might have
- // destroyed it during CallWillPaintOnObservers.
-- view = nsView::GetViewFor(aWidget);
-+ view = nsView::GetViewFor(widget);
- if (view) {
- view->SetForcedRepaint(false);
- }
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/PuppetWidget.cpp
---- a/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500
-@@ -823,6 +823,8 @@
- mDirtyRegion.SetEmpty();
- mPaintTask.Revoke();
-
-+ RefPtr<PuppetWidget> strongThis(this);
-+
- mAttachedWidgetListener->WillPaintWindow(this);
-
- if (mAttachedWidgetListener) {
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/cocoa/nsChildView.mm
---- a/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500
-+++ b/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500
-@@ -3716,6 +3716,8 @@
-
- - (void)viewWillDraw
- {
-+ nsAutoRetainCocoaObject kungFuDeathGrip(self);
-+
- if (mGeckoChild) {
- // The OS normally *will* draw our NSWindow, no matter what we do here.
- // But Gecko can delete our parent widget(s) (along with mGeckoChild)
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gonk/nsWindow.cpp
---- a/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
-@@ -196,7 +196,7 @@
- return;
- }
-
-- nsWindow *targetWindow = (nsWindow *)sTopWindows[0];
-+ RefPtr<nsWindow> targetWindow = (nsWindow *)sTopWindows[0];
- while (targetWindow->GetLastChild())
- targetWindow = (nsWindow *)targetWindow->GetLastChild();
-
-@@ -205,15 +205,15 @@
- listener->WillPaintWindow(targetWindow);
- }
-
-- LayerManager* lm = targetWindow->GetLayerManager();
-- if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) {
-- // No need to do anything, the compositor will handle drawing
-- } else {
-- NS_RUNTIMEABORT("Unexpected layer manager type");
-- }
--
- listener = targetWindow->GetWidgetListener();
- if (listener) {
-+ LayerManager* lm = targetWindow->GetLayerManager();
-+ if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) {
-+ // No need to do anything, the compositor will handle drawing
-+ } else {
-+ NS_RUNTIMEABORT("Unexpected layer manager type");
-+ }
-+
- listener->DidPaintWindow();
- }
- }
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.cpp
---- a/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
-@@ -469,6 +469,12 @@
- }
- }
-
-+nsIWidgetListener*
-+nsWindow::GetListener()
-+{
-+ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
-+}
-+
- nsresult
- nsWindow::DispatchEvent(WidgetGUIEvent* aEvent, nsEventStatus& aStatus)
- {
-@@ -481,8 +487,7 @@
- aEvent->refPoint.y = GdkCoordToDevicePixels(aEvent->refPoint.y);
-
- aStatus = nsEventStatus_eIgnore;
-- nsIWidgetListener* listener =
-- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
-+ nsIWidgetListener* listener = GetListener();
- if (listener) {
- aStatus = listener->HandleEvent(aEvent, mUseAttachedEvents);
- }
-@@ -2119,8 +2124,7 @@
- if (!mGdkWindow || mIsFullyObscured || !mHasMappedToplevel)
- return FALSE;
-
-- nsIWidgetListener *listener =
-- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
-+ nsIWidgetListener *listener = GetListener();
- if (!listener)
- return FALSE;
-
-@@ -2149,6 +2153,8 @@
- clientLayers->SendInvalidRegion(region);
- }
-
-+ RefPtr<nsWindow> strongThis(this);
-+
- // Dispatch WillPaintWindow notification to allow scripts etc. to run
- // before we paint
- {
-@@ -2161,8 +2167,7 @@
-
- // Re-get the listener since the will paint notification might have
- // killed it.
-- listener =
-- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
-+ listener = GetListener();
- if (!listener)
- return FALSE;
- }
-@@ -2223,6 +2228,13 @@
- // If this widget uses OMTC...
- if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_CLIENT) {
- listener->PaintWindow(this, region);
-+
-+ // Re-get the listener since the will paint notification might have
-+ // killed it.
-+ listener = GetListener();
-+ if (!listener)
-+ return TRUE;
-+
- listener->DidPaintWindow();
- return TRUE;
- }
-@@ -2307,6 +2319,13 @@
- if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_BASIC) {
- AutoLayerManagerSetup setupLayerManager(this, ctx, layerBuffering);
- painted = listener->PaintWindow(this, region);
-+
-+ // Re-get the listener since the will paint notification might have
-+ // killed it.
-+ listener = GetListener();
-+ if (!listener)
-+ return TRUE;
-+
- }
- }
-
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.h
---- a/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500
-+++ b/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500
-@@ -359,6 +359,7 @@
- GdkWindow** aWindow, gint* aButton,
- gint* aRootX, gint* aRootY);
- void ClearCachedResources();
-+ nsIWidgetListener* GetListener();
-
- GtkWidget *mShell;
- MozContainer *mContainer;
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.cpp
---- a/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
-@@ -857,18 +857,28 @@
-
- // EVENTS
-
-+nsIWidgetListener*
-+nsWindow::GetPaintListener()
-+{
-+ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
-+}
-+
- void
- nsWindow::OnPaint()
- {
- LOGDRAW(("nsWindow::%s [%p]\n", __FUNCTION__, (void *)this));
-- nsIWidgetListener* listener =
-- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
-+ nsIWidgetListener* listener = GetPaintListener();
- if (!listener) {
- return;
- }
-
- listener->WillPaintWindow(this);
-
-+ nsIWidgetListener* listener = GetPaintListener();
-+ if (!listener) {
-+ return;
-+ }
-+
- switch (GetLayerManager()->GetBackendType()) {
- case mozilla::layers::LayersBackend::LAYERS_CLIENT: {
- nsIntRegion region(nsIntRect(0, 0, mWidget->width(), mWidget->height()));
-@@ -879,6 +889,11 @@
- NS_ERROR("Invalid layer manager");
- }
-
-+ nsIWidgetListener* listener = GetPaintListener();
-+ if (!listener) {
-+ return;
-+ }
-+
- listener->DidPaintWindow();
- }
-
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.h
---- a/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500
-+++ b/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500
-@@ -254,6 +254,7 @@
- bool needDispatch;
- } MozCachedMoveEvent;
-
-+ nsIWidgetListener* GetPaintListener();
- bool CheckForRollup(double aMouseX, double aMouseY, bool aIsWheel);
- void* SetupPluginPort(void);
- nsresult SetWindowIconList(const nsTArray<nsCString> &aIconList);
-diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/windows/nsWindowGfx.cpp
---- a/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500
-@@ -298,6 +298,8 @@
- clientLayerManager->SendInvalidRegion(region);
- }
-
-+ RefPtr<nsWindow> strongThis(this);
-+
- nsIWidgetListener* listener = GetPaintListener();
- if (listener) {
- listener->WillPaintWindow(this);
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
deleted file mode 100644
index a72698cc0b..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
+++ /dev/null
@@ -1,188 +0,0 @@
- changeset: 312075:ee870911fabb
- user: Timothy Nikkel <tnikkel@gmail.com>
- Date: Wed May 04 16:12:48 2016 -0500
- summary: Bug 1265577. r=mats, a=lizzard
-
-diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.cpp
---- a/dom/base/nsFrameLoader.cpp Thu May 26 17:07:49 2016 -0400
-+++ b/dom/base/nsFrameLoader.cpp Wed May 04 16:12:48 2016 -0500
-@@ -155,7 +155,7 @@
- nsFrameLoader::nsFrameLoader(Element* aOwner, bool aNetworkCreated)
- : mOwnerContent(aOwner)
- , mAppIdSentToPermissionManager(nsIScriptSecurityManager::NO_APP_ID)
-- , mDetachedSubdocViews(nullptr)
-+ , mDetachedSubdocFrame(nullptr)
- , mIsPrerendered(false)
- , mDepthTooGreat(false)
- , mIsTopLevelContent(false)
-@@ -2507,18 +2507,18 @@
- }
-
- void
--nsFrameLoader::SetDetachedSubdocView(nsView* aDetachedViews,
-- nsIDocument* aContainerDoc)
-+nsFrameLoader::SetDetachedSubdocFrame(nsIFrame* aDetachedFrame,
-+ nsIDocument* aContainerDoc)
- {
-- mDetachedSubdocViews = aDetachedViews;
-+ mDetachedSubdocFrame = aDetachedFrame;
- mContainerDocWhileDetached = aContainerDoc;
- }
-
--nsView*
--nsFrameLoader::GetDetachedSubdocView(nsIDocument** aContainerDoc) const
-+nsIFrame*
-+nsFrameLoader::GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const
- {
- NS_IF_ADDREF(*aContainerDoc = mContainerDocWhileDetached);
-- return mDetachedSubdocViews;
-+ return mDetachedSubdocFrame.GetFrame();
- }
-
- void
-diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.h
---- a/dom/base/nsFrameLoader.h Thu May 26 17:07:49 2016 -0400
-+++ b/dom/base/nsFrameLoader.h Wed May 04 16:12:48 2016 -0500
-@@ -23,6 +23,7 @@
- #include "mozilla/Attributes.h"
- #include "FrameMetrics.h"
- #include "nsStubMutationObserver.h"
-+#include "nsIFrame.h"
-
- class nsIURI;
- class nsSubDocumentFrame;
-@@ -197,23 +198,23 @@
- void SetRemoteBrowser(nsITabParent* aTabParent);
-
- /**
-- * Stashes a detached view on the frame loader. We do this when we're
-+ * Stashes a detached nsIFrame on the frame loader. We do this when we're
- * destroying the nsSubDocumentFrame. If the nsSubdocumentFrame is
-- * being reframed we'll restore the detached view when it's recreated,
-+ * being reframed we'll restore the detached nsIFrame when it's recreated,
- * otherwise we'll discard the old presentation and set the detached
-- * subdoc view to null. aContainerDoc is the document containing the
-+ * subdoc nsIFrame to null. aContainerDoc is the document containing the
- * the subdoc frame. This enables us to detect when the containing
- * document has changed during reframe, so we can discard the presentation
- * in that case.
- */
-- void SetDetachedSubdocView(nsView* aDetachedView,
-- nsIDocument* aContainerDoc);
-+ void SetDetachedSubdocFrame(nsIFrame* aDetachedFrame,
-+ nsIDocument* aContainerDoc);
-
- /**
-- * Retrieves the detached view and the document containing the view,
-- * as set by SetDetachedSubdocView().
-+ * Retrieves the detached nsIFrame and the document containing the nsIFrame,
-+ * as set by SetDetachedSubdocFrame().
- */
-- nsView* GetDetachedSubdocView(nsIDocument** aContainerDoc) const;
-+ nsIFrame* GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const;
-
- /**
- * Applies a new set of sandbox flags. These are merged with the sandbox
-@@ -326,12 +327,12 @@
- nsRefPtr<nsFrameMessageManager> mMessageManager;
- nsCOMPtr<nsIInProcessContentFrameMessageManager> mChildMessageManager;
- private:
-- // Stores the root view of the subdocument while the subdocument is being
-+ // Stores the root frame of the subdocument while the subdocument is being
- // reframed. Used to restore the presentation after reframing.
-- nsView* mDetachedSubdocViews;
-+ nsWeakFrame mDetachedSubdocFrame;
- // Stores the containing document of the frame corresponding to this
- // frame loader. This is reference is kept valid while the subframe's
-- // presentation is detached and stored in mDetachedSubdocViews. This
-+ // presentation is detached and stored in mDetachedSubdocFrame. This
- // enables us to detect whether the frame has moved documents during
- // a reframe, so that we know not to restore the presentation.
- nsCOMPtr<nsIDocument> mContainerDocWhileDetached;
-diff -r 751208d22b91 -r ee870911fabb layout/generic/nsSubDocumentFrame.cpp
---- a/layout/generic/nsSubDocumentFrame.cpp Thu May 26 17:07:49 2016 -0400
-+++ b/layout/generic/nsSubDocumentFrame.cpp Wed May 04 16:12:48 2016 -0500
-@@ -130,13 +130,16 @@
- nsRefPtr<nsFrameLoader> frameloader = FrameLoader();
- if (frameloader) {
- nsCOMPtr<nsIDocument> oldContainerDoc;
-- nsView* detachedViews =
-- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
-- frameloader->SetDetachedSubdocView(nullptr, nullptr);
-- if (detachedViews) {
-- if (oldContainerDoc == aContent->OwnerDoc()) {
-+ nsIFrame* detachedFrame =
-+ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc));
-+ frameloader->SetDetachedSubdocFrame(nullptr, nullptr);
-+ MOZ_ASSERT(oldContainerDoc || !detachedFrame);
-+ if (oldContainerDoc) {
-+ nsView* detachedView =
-+ detachedFrame ? detachedFrame->GetView() : nullptr;
-+ if (detachedView && oldContainerDoc == aContent->OwnerDoc()) {
- // Restore stashed presentation.
-- ::InsertViewsInReverseOrder(detachedViews, mInnerView);
-+ ::InsertViewsInReverseOrder(detachedView, mInnerView);
- ::EndSwapDocShellsForViews(mInnerView->GetFirstChild());
- } else {
- // Presentation is for a different document, don't restore it.
-@@ -252,11 +255,12 @@
- nsRefPtr<nsFrameLoader> frameloader = FrameLoader();
- if (frameloader) {
- nsCOMPtr<nsIDocument> oldContainerDoc;
-- nsView* detachedViews =
-- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
-- if (detachedViews) {
-- nsSize size = detachedViews->GetBounds().Size();
-- nsPresContext* presContext = detachedViews->GetFrame()->PresContext();
-+ nsIFrame* detachedFrame =
-+ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc));
-+ nsView* view = detachedFrame ? detachedFrame->GetView() : nullptr;
-+ if (view) {
-+ nsSize size = view->GetBounds().Size();
-+ nsPresContext* presContext = detachedFrame->PresContext();
- return nsIntSize(presContext->AppUnitsToDevPixels(size.width),
- presContext->AppUnitsToDevPixels(size.height));
- }
-@@ -939,7 +943,7 @@
-
- // Either the frame has been constructed by now, or it never will be,
- // either way we want to clear the stashed views.
-- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
-+ mFrameLoader->SetDetachedSubdocFrame(nullptr, nullptr);
-
- nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
- if ((!frame && mHideViewerIfFrameless) ||
-@@ -974,15 +978,25 @@
- RefPtr<nsFrameLoader> frameloader = FrameLoader();
- if (frameloader) {
- nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
-- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
-
-- // We call nsFrameLoader::HideViewer() in a script runner so that we can
-- // safely determine whether the frame is being reframed or destroyed.
-- nsContentUtils::AddScriptRunner(
-- new nsHideViewer(mContent,
-- frameloader,
-- PresContext()->PresShell(),
-- (mDidCreateDoc || mCallingShow)));
-+ if (detachedViews && detachedViews->GetFrame()) {
-+ MOZ_ASSERT(mContent->OwnerDoc());
-+ frameloader->SetDetachedSubdocFrame(
-+ detachedViews->GetFrame(), mContent->OwnerDoc());
-+
-+ // We call nsFrameLoader::HideViewer() in a script runner so that we can
-+ // safely determine whether the frame is being reframed or destroyed.
-+ nsContentUtils::AddScriptRunner(
-+ new nsHideViewer(mContent,
-+ frameloader,
-+ PresContext()->PresShell(),
-+ (mDidCreateDoc || mCallingShow)));
-+ } else {
-+ frameloader->SetDetachedSubdocFrame(nullptr, nullptr);
-+ if (mDidCreateDoc || mCallingShow) {
-+ frameloader->Hide();
-+ }
-+ }
- }
-
- nsLeafFrame::DestroyFrom(aDestructRoot);
diff --git a/gnu/packages/patches/icecat-CVE-2016-2819.patch b/gnu/packages/patches/icecat-CVE-2016-2819.patch
deleted file mode 100644
index cbb833d43d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2819.patch
+++ /dev/null
@@ -1,102 +0,0 @@
- changeset: 312054:072992bf176d
- user: Henri Sivonen <hsivonen@hsivonen.fi>
- Date: Sun May 15 17:03:06 2016 +0300
- summary: Bug 1270381. r=wchen. a=ritu
-
-diff -r d30748143c21 -r 072992bf176d parser/html/javasrc/TreeBuilder.java
---- a/parser/html/javasrc/TreeBuilder.java Mon May 09 18:05:32 2016 -0700
-+++ b/parser/html/javasrc/TreeBuilder.java Sun May 15 17:03:06 2016 +0300
-@@ -39,6 +39,11 @@
- import java.util.HashMap;
- import java.util.Map;
-
-+import org.xml.sax.ErrorHandler;
-+import org.xml.sax.Locator;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.SAXParseException;
-+
- import nu.validator.htmlparser.annotation.Auto;
- import nu.validator.htmlparser.annotation.Const;
- import nu.validator.htmlparser.annotation.IdType;
-@@ -54,11 +59,6 @@
- import nu.validator.htmlparser.common.TokenHandler;
- import nu.validator.htmlparser.common.XmlViolationPolicy;
-
--import org.xml.sax.ErrorHandler;
--import org.xml.sax.Locator;
--import org.xml.sax.SAXException;
--import org.xml.sax.SAXParseException;
--
- public abstract class TreeBuilder<T> implements TokenHandler,
- TreeBuilderState<T> {
-
-@@ -1924,7 +1924,6 @@
- break starttagloop;
- }
- generateImpliedEndTags();
-- // XXX is the next if dead code?
- if (errorHandler != null && !isCurrent("table")) {
- errNoCheckUnclosedElementsOnStack();
- }
-@@ -2183,11 +2182,11 @@
- pop();
- }
- break;
-- } else if (node.isSpecial()
-+ } else if (eltPos == 0 || (node.isSpecial()
- && (node.ns != "http://www.w3.org/1999/xhtml"
-- || (node.name != "p"
-- && node.name != "address"
-- && node.name != "div"))) {
-+ || (node.name != "p"
-+ && node.name != "address"
-+ && node.name != "div")))) {
- break;
- }
- eltPos--;
-@@ -3878,7 +3877,7 @@
- pop();
- }
- break endtagloop;
-- } else if (node.isSpecial()) {
-+ } else if (eltPos == 0 || node.isSpecial()) {
- errStrayEndTag(name);
- break endtagloop;
- }
-@@ -4745,6 +4744,7 @@
- int furthestBlockPos = formattingEltStackPos + 1;
- while (furthestBlockPos <= currentPtr) {
- StackNode<T> node = stack[furthestBlockPos]; // weak ref
-+ assert furthestBlockPos > 0: "How is formattingEltStackPos + 1 not > 0?";
- if (node.isSpecial()) {
- break;
- }
-diff -r d30748143c21 -r 072992bf176d parser/html/nsHtml5TreeBuilder.cpp
---- a/parser/html/nsHtml5TreeBuilder.cpp Mon May 09 18:05:32 2016 -0700
-+++ b/parser/html/nsHtml5TreeBuilder.cpp Sun May 15 17:03:06 2016 +0300
-@@ -1102,7 +1102,7 @@
- pop();
- }
- break;
-- } else if (node->isSpecial() && (node->ns != kNameSpaceID_XHTML || (node->name != nsHtml5Atoms::p && node->name != nsHtml5Atoms::address && node->name != nsHtml5Atoms::div))) {
-+ } else if (!eltPos || (node->isSpecial() && (node->ns != kNameSpaceID_XHTML || (node->name != nsHtml5Atoms::p && node->name != nsHtml5Atoms::address && node->name != nsHtml5Atoms::div)))) {
- break;
- }
- eltPos--;
-@@ -2749,7 +2749,7 @@
- pop();
- }
- NS_HTML5_BREAK(endtagloop);
-- } else if (node->isSpecial()) {
-+ } else if (!eltPos || node->isSpecial()) {
- errStrayEndTag(name);
- NS_HTML5_BREAK(endtagloop);
- }
-@@ -3593,6 +3593,7 @@
- int32_t furthestBlockPos = formattingEltStackPos + 1;
- while (furthestBlockPos <= currentPtr) {
- nsHtml5StackNode* node = stack[furthestBlockPos];
-+ MOZ_ASSERT(furthestBlockPos > 0, "How is formattingEltStackPos + 1 not > 0?");
- if (node->isSpecial()) {
- break;
- }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2821.patch b/gnu/packages/patches/icecat-CVE-2016-2821.patch
deleted file mode 100644
index 8255d60009..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2821.patch
+++ /dev/null
@@ -1,16 +0,0 @@
- changeset: 312045:7aea44059251
- user: Olli Pettay <Olli.Pettay@helsinki.fi>
- Date: Fri May 13 20:10:22 2016 +0300
- summary: Bug 1271460, don't leak editor created element objects, r=ehsan a=ritu
-
-diff -r 09418166fd77 -r 7aea44059251 editor/libeditor/nsHTMLInlineTableEditor.cpp
---- a/editor/libeditor/nsHTMLInlineTableEditor.cpp Wed May 11 10:14:45 2016 +0100
-+++ b/editor/libeditor/nsHTMLInlineTableEditor.cpp Fri May 13 20:10:22 2016 +0300
-@@ -109,7 +109,6 @@
-
- // get the root content node.
- nsCOMPtr<nsIContent> bodyContent = GetRoot();
-- NS_ENSURE_TRUE(bodyContent, NS_ERROR_FAILURE);
-
- DeleteRefToAnonymousNode(mAddColumnBeforeButton, bodyContent, ps);
- mAddColumnBeforeButton = nullptr;
diff --git a/gnu/packages/patches/icecat-CVE-2016-2824.patch b/gnu/packages/patches/icecat-CVE-2016-2824.patch
deleted file mode 100644
index 72772ed15f..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2824.patch
+++ /dev/null
@@ -1,85 +0,0 @@
- changeset: 312070:4b54feddf36c
- user: JerryShih <hshih@mozilla.com>
- Date: Wed May 25 16:27:41 2016 +0200
- summary: Bug 1248580 - strip the uploading element num according to the uniform array size. r=jgilbert a=ritu
-
-diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLContextValidate.cpp
---- a/dom/canvas/WebGLContextValidate.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/dom/canvas/WebGLContextValidate.cpp Wed May 25 16:27:41 2016 +0200
-@@ -1531,9 +1531,10 @@
- if (!loc->ValidateArrayLength(setterElemSize, setterArraySize, this, funcName))
- return false;
-
-+ MOZ_ASSERT((size_t)loc->mActiveInfo->mElemCount > loc->mArrayIndex);
-+ size_t uniformElemCount = loc->mActiveInfo->mElemCount - loc->mArrayIndex;
- *out_rawLoc = loc->mLoc;
-- *out_numElementsToUpload = std::min((size_t)loc->mActiveInfo->mElemCount,
-- setterArraySize / setterElemSize);
-+ *out_numElementsToUpload = std::min(uniformElemCount, setterArraySize / setterElemSize);
- return true;
- }
-
-diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLProgram.cpp
---- a/dom/canvas/WebGLProgram.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/dom/canvas/WebGLProgram.cpp Wed May 25 16:27:41 2016 +0200
-@@ -510,8 +510,14 @@
- const NS_LossyConvertUTF16toASCII userName(userName_wide);
-
- nsDependentCString baseUserName;
-- bool isArray;
-- size_t arrayIndex;
-+ bool isArray = false;
-+ // GLES 2.0.25, Section 2.10, p35
-+ // If the the uniform location is an array, then the location of the first
-+ // element of that array can be retrieved by either using the name of the
-+ // uniform array, or the name of the uniform array appended with "[0]".
-+ // The ParseName() can't recognize this rule. So always initialize
-+ // arrayIndex with 0.
-+ size_t arrayIndex = 0;
- if (!ParseName(userName, &baseUserName, &isArray, &arrayIndex))
- return nullptr;
-
-@@ -536,7 +542,8 @@
- return nullptr;
-
- nsRefPtr<WebGLUniformLocation> locObj = new WebGLUniformLocation(mContext, LinkInfo(),
-- loc, activeInfo);
-+ loc, arrayIndex,
-+ activeInfo);
- return locObj.forget();
- }
-
-diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.cpp
---- a/dom/canvas/WebGLUniformLocation.cpp Tue May 10 22:58:47 2016 -0500
-+++ b/dom/canvas/WebGLUniformLocation.cpp Wed May 25 16:27:41 2016 +0200
-@@ -16,10 +16,13 @@
-
- WebGLUniformLocation::WebGLUniformLocation(WebGLContext* webgl,
- const webgl::LinkedProgramInfo* linkInfo,
-- GLuint loc, const WebGLActiveInfo* activeInfo)
-+ GLuint loc,
-+ size_t arrayIndex,
-+ const WebGLActiveInfo* activeInfo)
- : WebGLContextBoundObject(webgl)
- , mLinkInfo(linkInfo)
- , mLoc(loc)
-+ , mArrayIndex(arrayIndex)
- , mActiveInfo(activeInfo)
- { }
-
-diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.h
---- a/dom/canvas/WebGLUniformLocation.h Tue May 10 22:58:47 2016 -0500
-+++ b/dom/canvas/WebGLUniformLocation.h Wed May 25 16:27:41 2016 +0200
-@@ -41,10 +41,11 @@
-
- const WeakPtr<const webgl::LinkedProgramInfo> mLinkInfo;
- const GLuint mLoc;
-+ const size_t mArrayIndex;
- const WebGLActiveInfo* const mActiveInfo;
-
- WebGLUniformLocation(WebGLContext* webgl, const webgl::LinkedProgramInfo* linkInfo,
-- GLuint loc, const WebGLActiveInfo* activeInfo);
-+ GLuint loc, size_t arrayIndex, const WebGLActiveInfo* activeInfo);
-
- bool ValidateForProgram(WebGLProgram* prog, WebGLContext* webgl,
- const char* funcName) const;
diff --git a/gnu/packages/patches/icecat-CVE-2016-2828.patch b/gnu/packages/patches/icecat-CVE-2016-2828.patch
deleted file mode 100644
index 951eb4fc46..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2828.patch
+++ /dev/null
@@ -1,185 +0,0 @@
- changeset: 312096:dc190bd03d24
- tag: FIREFOX_45_2_0esr_BUILD2
- tag: FIREFOX_45_2_0esr_RELEASE
- user: Jeff Gilbert <jgilbert@mozilla.com>
- Date: Thu Apr 14 13:50:04 2016 -0700
- summary: Bug 1224199 - Destroy SharedSurfaces before ~GLContext(). - r=jrmuizel a=lizzard
-
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLBlitHelper.cpp
---- a/gfx/gl/GLBlitHelper.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/GLBlitHelper.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -172,6 +172,9 @@
-
- GLBlitHelper::~GLBlitHelper()
- {
-+ if (!mGL->MakeCurrent())
-+ return;
-+
- DeleteTexBlitProgram();
-
- GLuint tex[] = {
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.cpp
---- a/gfx/gl/GLContext.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/GLContext.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -2079,12 +2079,13 @@
- if (IsDestroyed())
- return;
-
-+ // Null these before they're naturally nulled after dtor, as we want GLContext to
-+ // still be alive in *their* dtors.
-+ mScreen = nullptr;
-+ mBlitHelper = nullptr;
-+ mReadTexImageHelper = nullptr;
-+
- if (MakeCurrent()) {
-- DestroyScreenBuffer();
--
-- mBlitHelper = nullptr;
-- mReadTexImageHelper = nullptr;
--
- mTexGarbageBin->GLContextTeardown();
- } else {
- NS_WARNING("MakeCurrent() failed during MarkDestroyed! Skipping GL object teardown.");
-@@ -2328,8 +2329,6 @@
- return false;
- }
-
-- DestroyScreenBuffer();
--
- // This will rebind to 0 (Screen) if needed when
- // it falls out of scope.
- ScopedBindFramebuffer autoFB(this);
-@@ -2349,12 +2348,6 @@
- }
-
- void
--GLContext::DestroyScreenBuffer()
--{
-- mScreen = nullptr;
--}
--
--void
- GLContext::ForceDirtyScreen()
- {
- ScopedBindFramebuffer autoFB(0);
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.h
---- a/gfx/gl/GLContext.h Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/GLContext.h Thu Apr 14 13:50:04 2016 -0700
-@@ -3492,8 +3492,6 @@
- friend class GLScreenBuffer;
- UniquePtr<GLScreenBuffer> mScreen;
-
-- void DestroyScreenBuffer();
--
- SharedSurface* mLockedSurface;
-
- public:
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLReadTexImageHelper.cpp
---- a/gfx/gl/GLReadTexImageHelper.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/GLReadTexImageHelper.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -31,6 +31,9 @@
-
- GLReadTexImageHelper::~GLReadTexImageHelper()
- {
-+ if (!mGL->MakeCurrent())
-+ return;
-+
- mGL->fDeleteProgram(mPrograms[0]);
- mGL->fDeleteProgram(mPrograms[1]);
- mGL->fDeleteProgram(mPrograms[2]);
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceANGLE.cpp
---- a/gfx/gl/SharedSurfaceANGLE.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/SharedSurfaceANGLE.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -120,8 +120,10 @@
- {
- mEGL->fDestroySurface(Display(), mPBuffer);
-
-+ if (!mGL->MakeCurrent())
-+ return;
-+
- if (mFence) {
-- mGL->MakeCurrent();
- mGL->fDeleteFences(1, &mFence);
- }
- }
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceEGL.cpp
---- a/gfx/gl/SharedSurfaceEGL.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/SharedSurfaceEGL.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -87,9 +87,12 @@
- {
- mEGL->fDestroyImage(Display(), mImage);
-
-- mGL->MakeCurrent();
-- mGL->fDeleteTextures(1, &mProdTex);
-- mProdTex = 0;
-+ if (mSync) {
-+ // We can't call this unless we have the ext, but we will always have
-+ // the ext if we have something to destroy.
-+ mEGL->fDestroySync(Display(), mSync);
-+ mSync = 0;
-+ }
-
- if (mConsTex) {
- MOZ_ASSERT(mGarbageBin);
-@@ -97,12 +100,11 @@
- mConsTex = 0;
- }
-
-- if (mSync) {
-- // We can't call this unless we have the ext, but we will always have
-- // the ext if we have something to destroy.
-- mEGL->fDestroySync(Display(), mSync);
-- mSync = 0;
-- }
-+ if (!mGL->MakeCurrent())
-+ return;
-+
-+ mGL->fDeleteTextures(1, &mProdTex);
-+ mProdTex = 0;
- }
-
- void
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceGralloc.cpp
---- a/gfx/gl/SharedSurfaceGralloc.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/SharedSurfaceGralloc.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -154,7 +154,9 @@
-
- DEBUG_PRINT("[SharedSurface_Gralloc %p] destroyed\n", this);
-
-- mGL->MakeCurrent();
-+ if (!mGL->MakeCurrent())
-+ return;
-+
- mGL->fDeleteTextures(1, &mProdTex);
-
- if (mSync) {
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceIO.cpp
---- a/gfx/gl/SharedSurfaceIO.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/SharedSurfaceIO.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -111,11 +111,10 @@
-
- SharedSurface_IOSurface::~SharedSurface_IOSurface()
- {
-- if (mProdTex) {
-- DebugOnly<bool> success = mGL->MakeCurrent();
-- MOZ_ASSERT(success);
-- mGL->fDeleteTextures(1, &mProdTex);
-- }
-+ if (!mGL->MakeCurrent())
-+ return;
-+
-+ mGL->fDeleteTextures(1, &mProdTex);
- }
-
- ////////////////////////////////////////////////////////////////////////
-diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/TextureGarbageBin.cpp
---- a/gfx/gl/TextureGarbageBin.cpp Mon Mar 07 11:51:12 2016 +0000
-+++ b/gfx/gl/TextureGarbageBin.cpp Thu Apr 14 13:50:04 2016 -0700
-@@ -36,6 +36,7 @@
- if (!mGL)
- return;
-
-+ MOZ_RELEASE_ASSERT(mGL->IsCurrent());
- while (!mGarbageTextures.empty()) {
- GLuint tex = mGarbageTextures.top();
- mGarbageTextures.pop();
diff --git a/gnu/packages/patches/icecat-CVE-2016-2831.patch b/gnu/packages/patches/icecat-CVE-2016-2831.patch
deleted file mode 100644
index b99ecb6458..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2831.patch
+++ /dev/null
@@ -1,120 +0,0 @@
- changeset: 312091:a3fff31b8b70
- user: Xidorn Quan <quanxunzhen@gmail.com>
- Date: Thu Apr 14 17:38:13 2016 +1000
- summary: Bug 1261933 - Continue unlocking pointer even if the widget has gone. r=smaug a=lizzard
-
- MozReview-Commit-ID: 1siQhemFf9O
-
-diff -r f5e862ea4a72 -r a3fff31b8b70 dom/base/nsDocument.cpp
---- a/dom/base/nsDocument.cpp Tue May 31 18:35:26 2016 -0700
-+++ b/dom/base/nsDocument.cpp Thu Apr 14 17:38:13 2016 +1000
-@@ -12315,49 +12315,37 @@
- bool
- nsDocument::SetPointerLock(Element* aElement, int aCursorStyle)
- {
-- // NOTE: aElement will be nullptr when unlocking.
-- nsCOMPtr<nsPIDOMWindow> window = GetWindow();
-- if (!window) {
-- NS_WARNING("SetPointerLock(): No Window");
-- return false;
-- }
--
-- nsIDocShell *docShell = window->GetDocShell();
-- if (!docShell) {
-- NS_WARNING("SetPointerLock(): No DocShell (window already closed?)");
-- return false;
-- }
--
-- nsRefPtr<nsPresContext> presContext;
-- docShell->GetPresContext(getter_AddRefs(presContext));
-- if (!presContext) {
-- NS_WARNING("SetPointerLock(): Unable to get presContext in \
-- domWindow->GetDocShell()->GetPresContext()");
-+ MOZ_ASSERT(!aElement || aElement->OwnerDoc() == this,
-+ "We should be either unlocking pointer (aElement is nullptr), "
-+ "or locking pointer to an element in this document");
-+#ifdef DEBUG
-+ if (!aElement) {
-+ nsCOMPtr<nsIDocument> pointerLockedDoc =
-+ do_QueryReferent(EventStateManager::sPointerLockedDoc);
-+ MOZ_ASSERT(pointerLockedDoc == this);
-+ }
-+#endif
-+
-+ nsIPresShell* shell = GetShell();
-+ if (!shell) {
-+ NS_WARNING("SetPointerLock(): No PresShell");
- return false;
- }
--
-- nsCOMPtr<nsIPresShell> shell = presContext->PresShell();
-- if (!shell) {
-- NS_WARNING("SetPointerLock(): Unable to find presContext->PresShell()");
-- return false;
-- }
--
-- nsIFrame* rootFrame = shell->GetRootFrame();
-- if (!rootFrame) {
-- NS_WARNING("SetPointerLock(): Unable to get root frame");
-+ nsPresContext* presContext = shell->GetPresContext();
-+ if (!presContext) {
-+ NS_WARNING("SetPointerLock(): Unable to get PresContext");
- return false;
- }
-
-- nsCOMPtr<nsIWidget> widget = rootFrame->GetNearestWidget();
-- if (!widget) {
-- NS_WARNING("SetPointerLock(): Unable to find widget in \
-- shell->GetRootFrame()->GetNearestWidget();");
-- return false;
-- }
--
-- if (aElement && (aElement->OwnerDoc() != this)) {
-- NS_WARNING("SetPointerLock(): Element not in this document.");
-- return false;
-+ nsCOMPtr<nsIWidget> widget;
-+ nsIFrame* rootFrame = shell->GetRootFrame();
-+ if (!NS_WARN_IF(!rootFrame)) {
-+ widget = rootFrame->GetNearestWidget();
-+ NS_WARN_IF_FALSE(widget, "SetPointerLock(): Unable to find widget "
-+ "in shell->GetRootFrame()->GetNearestWidget();");
-+ if (aElement && !widget) {
-+ return false;
-+ }
- }
-
- // Hide the cursor and set pointer lock for future mouse events
-diff -r f5e862ea4a72 -r a3fff31b8b70 dom/events/EventStateManager.cpp
---- a/dom/events/EventStateManager.cpp Tue May 31 18:35:26 2016 -0700
-+++ b/dom/events/EventStateManager.cpp Thu Apr 14 17:38:13 2016 +1000
-@@ -4128,10 +4128,6 @@
- // NOTE: aElement will be nullptr when unlocking.
- sIsPointerLocked = !!aElement;
-
-- if (!aWidget) {
-- return;
-- }
--
- // Reset mouse wheel transaction
- WheelTransaction::EndTransaction();
-
-@@ -4140,6 +4136,8 @@
- do_GetService("@mozilla.org/widget/dragservice;1");
-
- if (sIsPointerLocked) {
-+ MOZ_ASSERT(aWidget, "Locking pointer requires a widget");
-+
- // Store the last known ref point so we can reposition the pointer after unlock.
- mPreLockPoint = sLastRefPoint;
-
-@@ -4164,7 +4162,9 @@
- // pre-pointerlock position, so that the synthetic mouse event reports
- // no movement.
- sLastRefPoint = mPreLockPoint;
-- aWidget->SynthesizeNativeMouseMove(mPreLockPoint + aWidget->WidgetToScreenOffset());
-+ if (aWidget) {
-+ aWidget->SynthesizeNativeMouseMove(mPreLockPoint + aWidget->WidgetToScreenOffset());
-+ }
-
- // Don't retarget events to this element any more.
- nsIPresShell::SetCapturingContent(nullptr, CAPTURE_POINTERLOCK);
diff --git a/gnu/packages/patches/icecat-avoid-bundled-includes.patch b/gnu/packages/patches/icecat-avoid-bundled-includes.patch
deleted file mode 100644
index d11b528b8e..0000000000
--- a/gnu/packages/patches/icecat-avoid-bundled-includes.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Do not use headers from bundled libraries.
-
---- icecat-38.3.0/xpcom/build/moz.build.orig 2015-10-12 19:33:43.000000000 -0400
-+++ icecat-38.3.0/xpcom/build/moz.build 2015-10-13 16:37:28.693224858 -0400
-@@ -92,10 +92,5 @@
- '/docshell/base',
- ]
-
--if CONFIG['MOZ_VPX']:
-- LOCAL_INCLUDES += [
-- '/media/libvpx',
-- ]
--
- if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
- CXXFLAGS += CONFIG['TK_CFLAGS']
---- icecat-38.3.0/storage/src/moz.build.orig 2015-10-12 19:34:45.000000000 -0400
-+++ icecat-38.3.0/storage/src/moz.build 2015-10-13 18:48:26.584724518 -0400
-@@ -66,7 +66,6 @@
- DEFINES['SQLITE_MAX_LIKE_PATTERN_LENGTH'] = 50000
-
- LOCAL_INCLUDES += [
-- '/db/sqlite3/src',
- '/dom/base',
- ]
-
---- icecat-38.3.0/dom/indexedDB/moz.build.orig 2015-10-12 19:35:00.000000000 -0400
-+++ icecat-38.3.0/dom/indexedDB/moz.build 2015-10-13 19:10:10.528756487 -0400
-@@ -91,7 +91,6 @@
- FAIL_ON_WARNINGS = True
-
- LOCAL_INCLUDES += [
-- '/db/sqlite3/src',
- '/dom/base',
- '/dom/storage',
- '/dom/workers',
diff --git a/gnu/packages/patches/icecat-avoid-bundled-libraries.patch b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch
new file mode 100644
index 0000000000..267f7b8aac
--- /dev/null
+++ b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch
@@ -0,0 +1,50 @@
+Fixes needed when avoiding bundled libraries.
+
+--- icecat-45.3.0/xpcom/build/moz.build.orig
++++ icecat-45.3.0/xpcom/build/moz.build
+@@ -92,10 +92,5 @@
+ '/docshell/base',
+ ]
+
+-if CONFIG['MOZ_VPX']:
+- LOCAL_INCLUDES += [
+- '/media/libvpx',
+- ]
+-
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
+ CXXFLAGS += CONFIG['TK_CFLAGS']
+--- icecat-45.3.0/storage/moz.build.orig
++++ icecat-45.3.0/storage/moz.build
+@@ -108,7 +108,6 @@
+ DEFINES['SQLITE_MAX_LIKE_PATTERN_LENGTH'] = 50000
+
+ LOCAL_INCLUDES += [
+- '/db/sqlite3/src',
+ '/dom/base',
+ ]
+
+--- icecat-45.3.0/dom/indexedDB/moz.build.orig
++++ icecat-45.3.0/dom/indexedDB/moz.build
+@@ -96,7 +96,6 @@
+ SOURCES['Key.cpp'].flags += ['-Wno-error=type-limits']
+
+ LOCAL_INCLUDES += [
+- '/db/sqlite3/src',
+ '/dom/base',
+ '/dom/storage',
+ '/dom/workers',
+--- icecat-45.3.0/modules/libmar/tests/Makefile.in.orig
++++ icecat-45.3.0/modules/libmar/tests/Makefile.in
+@@ -10,12 +10,5 @@
+ ifndef MOZ_PROFILE_GENERATE
+ libs::
+ $(INSTALL) ../tool/signmar$(BIN_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)nss3$(DLL_SUFFIX) $(TESTROOT)/unit
+-ifndef MOZ_FOLD_LIBS
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)nssutil3$(DLL_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)plc4$(DLL_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)nspr4$(DLL_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)plds4$(DLL_SUFFIX) $(TESTROOT)/unit
+-endif
+ endif
+ endif # Not Android
diff --git a/gnu/packages/patches/libupnp-CVE-2016-6255.patch b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
new file mode 100644
index 0000000000..c9a3fa284c
--- /dev/null
+++ b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
@@ -0,0 +1,50 @@
+Fix CVE-2016-6255:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+http://www.openwall.com/lists/oss-security/2016/07/18/13
+
+Patch adapted from upstream commit:
+
+https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
+
+The upstream change is simplified to unconditionally disable the HTTP
+POST feature.
+
+From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
+---
+ configure.ac | 9 +++++++++
+ upnp/inc/upnpconfig.h.in | 9 +++++++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
+index 26bf0f7..7ae8c1e 100644
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
+ if (Fp == NULL)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
++#if 0
+ Fp = fopen(filename, "wb");
+ if (Fp == NULL)
+ return HTTP_UNAUTHORIZED;
++#else
++ return HTTP_NOT_FOUND;
++#endif
+ }
+ parser->position = POS_ENTITY;
+ do {
diff --git a/gnu/packages/patches/qemu-CVE-2016-8576.patch b/gnu/packages/patches/qemu-CVE-2016-8576.patch
new file mode 100644
index 0000000000..5031b59d81
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-8576.patch
@@ -0,0 +1,62 @@
+From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 7 Oct 2016 10:15:29 +0200
+Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 726435c..ee4fa48 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+ * to the specs when it gets them */
+ #define ER_FULL_HACK
+
++#define TRB_LINK_LIMIT 4
++
+ #define LEN_CAP 0x40
+ #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ dma_addr_t *addr)
+ {
+ PCIDevice *pci_dev = PCI_DEVICE(xhci);
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ ring->dequeue += TRB_SIZE;
+ return type;
+ } else {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return 0;
++ }
+ ring->dequeue = xhci_mask64(trb->parameter);
+ if (trb->control & TRB_LK_TC) {
+ ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ bool ccs = ring->ccs;
+ /* hack to bundle together the two/three TDs that make a setup transfer */
+ bool control_td_set = 0;
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ type = TRB_TYPE(trb);
+
+ if (type == TR_LINK) {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return -length;
++ }
+ dequeue = xhci_mask64(trb.parameter);
+ if (trb.control & TRB_LK_TC) {
+ ccs = !ccs;
+--
+1.8.3.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2016-8577.patch b/gnu/packages/patches/qemu-CVE-2016-8577.patch
new file mode 100644
index 0000000000..c4132d2fb1
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-8577.patch
@@ -0,0 +1,36 @@
+Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read
+From: Li Qiang <liq3ea@gmail.com>
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ hw/9pfs/9p.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 119ee58..543a791 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
+ if (len < 0) {
+ /* IO error return the error */
+ err = len;
+- goto out;
++ goto out_free_iovec;
+ }
+ } while (count < max_count && len > 0);
+ err = pdu_marshal(pdu, offset, "d", count);
+ if (err < 0) {
+- goto out;
++ goto out_free_iovec;
+ }
+ err += offset + count;
++out_free_iovec:
+ qemu_iovec_destroy(&qiov);
+ qemu_iovec_destroy(&qiov_full);
+ } else if (fidp->fid_type == P9_FID_XATTR) {
+--
+1.8.3.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2016-8578.patch b/gnu/packages/patches/qemu-CVE-2016-8578.patch
new file mode 100644
index 0000000000..92ba365727
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-8578.patch
@@ -0,0 +1,27 @@
+From: Li Qiang <liq3ea@gmail.com>
+
+In 9pfs function v9fs_iov_vunmarshal, it will not allocate space
+for empty string. This will cause several NULL pointer dereference
+issues. this patch fix this issue.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ fsdev/9p-iov-marshal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/9p-iov-marshal.c
++++ b/fsdev/9p-iov-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ str->data = g_malloc(str->size + 1);
+ copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+ str->size);
+- if (copied > 0) {
++ if (copied >= 0) {
+ str->data[str->size] = 0;
+ } else {
+ v9fs_string_free(str);
+--
+1.8.3.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch
deleted file mode 100644
index 00e5b7c771..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 25 Oct 2015 15:45:50 +0200
-Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
- PMF in use
-
-WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
-enabled. Verify that PMF is in use before using this field on station
-side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 954de67..7d79499 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
- end = ptr + key_len_total;
- wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
-
-+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
-+ wpa_msg(wpa_s, MSG_INFO,
-+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
-+ return;
-+ }
-+
- while (ptr + 1 < end) {
- if (ptr + 2 + ptr[1] > end) {
- wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch
deleted file mode 100644
index bfc4c74e95..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 18:24:16 +0200
-Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5314)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index cb83ff7..9f787ab 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- /*
- * the first and all intermediate fragments have the M bit set
- */
-- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
- if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
- wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
- "attack detected! (%d+%d > %d)",
-@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- }
- wpabuf_put_data(data->inbuf, pos, len);
- data->in_frag_pos += len;
-+ }
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
- wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
- (int) len);
- return;
-@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- * buffering fragments so that's how we know it's the last)
- */
- if (data->in_frag_pos) {
-- wpabuf_put_data(data->inbuf, pos, len);
-- data->in_frag_pos += len;
- pos = wpabuf_head_u8(data->inbuf);
- len = data->in_frag_pos;
- wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch
deleted file mode 100644
index 82c26398b6..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 18:18:17 +0200
-Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5315)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1f78544..75ceef1 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- /*
- * buffer and ACK the fragment
- */
-- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
- data->in_frag_pos += len;
- if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
- wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
-@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- return NULL;
- }
- wpabuf_put_data(data->inbuf, pos, len);
--
-+ }
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
- resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
- EAP_PWD_HDR_SIZE,
- EAP_CODE_RESPONSE, eap_get_id(reqData));
-@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- * we're buffering and this is the last fragment
- */
- if (data->in_frag_pos) {
-- wpabuf_put_data(data->inbuf, pos, len);
- wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
- (int) len);
-- data->in_frag_pos += len;
- pos = wpabuf_head_u8(data->inbuf);
- len = data->in_frag_pos;
- }
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch
deleted file mode 100644
index 3088f6a6dc..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 19:35:44 +0200
-Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
-
-If the Confirm message is received from the server before the Identity
-exchange has been completed, the group has not yet been determined and
-data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
-did not take this corner case into account and could end up
-dereferencing a NULL pointer and terminating the process if invalid
-message sequence is received. (CVE-2015-5316)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 75ceef1..892b590 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
-
- fin:
-- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
-+ if (data->grp)
-+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
- BN_clear_free(x);
- BN_clear_free(y);
- if (data->outbuf == NULL) {
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch
deleted file mode 100644
index acad6be0a4..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- src/utils/common.c | 12 ++++++++++++
- src/utils/common.h | 1 +
- src/wps/wps_attr_process.c | 10 ++++++++++
- 3 files changed, 23 insertions(+)
-
-diff --git a/src/utils/common.c b/src/utils/common.c
-index 450e2c6..27b7c02 100644
---- a/src/utils/common.c
-+++ b/src/utils/common.c
-@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
- }
-
-
-+int has_ctrl_char(const u8 *data, size_t len)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < len; i++) {
-+ if (data[i] < 32 || data[i] == 127)
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len)
-diff --git a/src/utils/common.h b/src/utils/common.h
-index 701dbb2..a972240 100644
---- a/src/utils/common.h
-+++ b/src/utils/common.h
-@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
-
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
-+int has_ctrl_char(const u8 *data, size_t len);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len);
-diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
-index eadb22f..e8c4579 100644
---- a/src/wps/wps_attr_process.c
-+++ b/src/wps/wps_attr_process.c
-@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
- cred->key_len--;
- #endif /* CONFIG_WPS_STRICT */
- }
-+
-+
-+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
-+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
-+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
-+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
-+ cred->key, cred->key_len);
-+ return -1;
-+ }
-+
- return 0;
- }
-
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch
deleted file mode 100644
index 507a96e47c..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Fri, 4 Mar 2016 18:46:41 +0200
-Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase
- character
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a passphrase configuration attempt if that passphrase
-includes an invalid passphrase.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file psk parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the passphrase value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject up to 63 characters of
-almost arbitrary data into the configuration file. Such configuration
-file could result in wpa_supplicant trying to load a library (e.g.,
-opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
-load_dynamic_eap) from user controlled location when starting again.
-This would allow code from that library to be executed under the
-wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- wpa_supplicant/config.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index b1c7870..fdd9643 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
- }
- wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
- (u8 *) value, len);
-+ if (has_ctrl_char((u8 *) value, len)) {
-+ wpa_printf(MSG_ERROR,
-+ "Line %d: Invalid passphrase character",
-+ line);
-+ return -1;
-+ }
- if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
- os_memcmp(ssid->passphrase, value, len) == 0) {
- /* No change to the previously configured value */
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch
deleted file mode 100644
index 684d25de96..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <pstew@google.com>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network
- output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <pstew@google.com>
----
- src/utils/common.c | 11 +++++++++++
- src/utils/common.h | 1 +
- wpa_supplicant/config.c | 15 +++++++++++++--
- 3 files changed, 25 insertions(+), 2 deletions(-)
-
-diff --git a/src/utils/common.c b/src/utils/common.c
-index 27b7c02..9856463 100644
---- a/src/utils/common.c
-+++ b/src/utils/common.c
-@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
- }
-
-
-+int has_newline(const char *str)
-+{
-+ while (*str) {
-+ if (*str == '\n' || *str == '\r')
-+ return 1;
-+ str++;
-+ }
-+ return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len)
-diff --git a/src/utils/common.h b/src/utils/common.h
-index a972240..d19927b 100644
---- a/src/utils/common.h
-+++ b/src/utils/common.h
-@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
- int has_ctrl_char(const u8 *data, size_t len);
-+int has_newline(const char *str);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len);
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index fdd9643..eb97cd5 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
-
- for (i = 0; i < NUM_SSID_FIELDS; i++) {
- const struct parse_data *field = &ssid_fields[i];
-- if (os_strcmp(var, field->name) == 0)
-- return field->writer(field, ssid);
-+ if (os_strcmp(var, field->name) == 0) {
-+ char *ret = field->writer(field, ssid);
-+
-+ if (ret && has_newline(ret)) {
-+ wpa_printf(MSG_ERROR,
-+ "Found newline in value for %s; not returning it",
-+ var);
-+ os_free(ret);
-+ ret = NULL;
-+ }
-+
-+ return ret;
-+ }
- }
-
- return NULL;
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch
deleted file mode 100644
index 2dd38fee31..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 5 Apr 2016 23:33:10 +0300
-Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
- string values
-
-Most of the cred block parameters are written as strings without
-filtering and if there is an embedded newline character in the value,
-unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file cred parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the credential value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- wpa_supplicant/config.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index eb97cd5..69152ef 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
-
- if (os_strcmp(var, "password") == 0 &&
- os_strncmp(value, "ext:", 4) == 0) {
-+ if (has_newline(value))
-+ return -1;
- str_clear_free(cred->password);
- cred->password = os_strdup(value);
- cred->ext_password = 1;
-@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
- }
-
- val = wpa_config_parse_string(value, &len);
-- if (val == NULL) {
-+ if (val == NULL ||
-+ (os_strcmp(var, "excluded_ssid") != 0 &&
-+ os_strcmp(var, "roaming_consortium") != 0 &&
-+ os_strcmp(var, "required_roaming_consortium") != 0 &&
-+ has_newline(val))) {
- wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
- "value '%s'.", line, var, value);
-+ os_free(val);
- return -1;
- }
-
---
-1.9.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch
deleted file mode 100644
index 5f42aa9219..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 5 Apr 2016 23:55:48 +0300
-Subject: [PATCH 5/5] Reject SET commands with newline characters in the
- string values
-
-Many of the global configuration parameters are written as strings
-without filtering and if there is an embedded newline character in the
-value, unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file global parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the value of a parameter before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- wpa_supplicant/config.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index 69152ef..d9a1603 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
- return -1;
- }
-
-+ if (has_newline(pos)) {
-+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
-+ line, data->name);
-+ return -1;
-+ }
-+
- tmp = os_strdup(pos);
- if (tmp == NULL)
- return -1;
---
-1.9.1
-