aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/automake-regexp-syntax.patch34
-rw-r--r--gnu/packages/patches/automake-test-gzip-warning.patch17
-rw-r--r--gnu/packages/patches/coreutils-cut-huge-range-test.patch33
-rw-r--r--gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch65
-rw-r--r--gnu/packages/patches/gcc-asan-powerpc-missing-include.patch20
-rw-r--r--gnu/packages/patches/gcc-fix-texi2pod.patch19
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2017-8291.patch195
-rw-r--r--gnu/packages/patches/glib-respect-datadir.patch21
-rw-r--r--gnu/packages/patches/glibc-CVE-2017-15670-15671.patch27
-rw-r--r--gnu/packages/patches/grep-gnulib-lock.patch32
-rw-r--r--gnu/packages/patches/icu4c-CVE-2017-14952.patch18
-rw-r--r--gnu/packages/patches/libvirt-CVE-2017-1000256.patch84
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-4658.patch257
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-5131.patch218
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-0663.patch53
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7375.patch45
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7376.patch41
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch130
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch319
-rw-r--r--gnu/packages/patches/libxslt-CVE-2016-4738.patch39
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-14685.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-14686.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-14687.patch130
-rw-r--r--gnu/packages/patches/musl-CVE-2016-8859.patch81
-rw-r--r--gnu/packages/patches/pcre-CVE-2017-7186.patch56
25 files changed, 432 insertions, 1570 deletions
diff --git a/gnu/packages/patches/automake-regexp-syntax.patch b/gnu/packages/patches/automake-regexp-syntax.patch
deleted file mode 100644
index 2e965c8c50..0000000000
--- a/gnu/packages/patches/automake-regexp-syntax.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From <https://lists.gnu.org/archive/html/automake-patches/2015-07/msg00000.html>.
-See also <http://bugs.gnu.org/22372>.
-
-From 34163794a58b5bd91c5d6bd9adf5437571c7a479 Mon Sep 17 00:00:00 2001
-From: Pavel Raiskup <praiskup@redhat.com>
-Date: Tue, 7 Jul 2015 10:54:24 +0200
-Subject: [PATCH] bin/automake: escape '{' in regexp pattern
-
-Based on perlre(1) documentation:
-.. in Perl v5.26, literal uses of a curly bracket will be required
-to be escaped, say by preceding them with a backslash ("\{" ) or
-enclosing them within square brackets ("[{]") ..
-
-References:
-https://bugzilla.redhat.com/1239379
-
-* bin/automake.in (substitute_ac_subst_variables): Escape the
-occurrence of '{' character.
----
- bin/automake.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bin/automake.in b/bin/automake.in
-index 0c29184..c294ced 100644
---- a/bin/automake.in
-+++ b/bin/automake.in
-@@ -3898,7 +3898,7 @@ sub substitute_ac_subst_variables_worker
- sub substitute_ac_subst_variables
- {
- my ($text) = @_;
-- $text =~ s/\${([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
-+ $text =~ s/\$\{([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
- return $text;
- }
diff --git a/gnu/packages/patches/automake-test-gzip-warning.patch b/gnu/packages/patches/automake-test-gzip-warning.patch
deleted file mode 100644
index bcc9c207ae..0000000000
--- a/gnu/packages/patches/automake-test-gzip-warning.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Adjust test to ignore gzip 1.8+ warnings.
-
---- automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh 2016-06-14 00:36:26.554218552 +0200
-+++ automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh 2016-06-14 00:37:52.903157770 +0200
-@@ -49,7 +49,11 @@ grep "cannot find sources.* in foobar" s
-
- ./configure
- run_make -E -O distcheck
--test ! -s stderr
-+
-+# Gzip 1.8+ emits warnings like "gzip: warning: GZIP environment
-+# variable is deprecated"; filter them out.
-+test `grep -v '^gzip: warning' stderr | wc -l` -eq 0
-+
- # Sanity check: the flags have been actually seen.
- $PERL -e 'undef $/; $_ = <>; s/ \\\n/ /g; print;' <stdout >t
- grep '/configure .* --srcdir am-src' t || exit 99
diff --git a/gnu/packages/patches/coreutils-cut-huge-range-test.patch b/gnu/packages/patches/coreutils-cut-huge-range-test.patch
deleted file mode 100644
index e3a0ef28eb..0000000000
--- a/gnu/packages/patches/coreutils-cut-huge-range-test.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-This patch fixes 100% reproducible test failures on arm-linux-gnueabihf in our
-the build environment chroot, as reported at <https://bugs.gnu.org/26253>,
-and now on x86_64-linux-gnu as well. It is a variant of this upstream patch:
-
- commit f5422009389678680dba9ff4ecb7d33632ee3383
- Author: Ludovic Courtès <ludo@gnu.org>
- Date: Mon Mar 27 20:34:39 2017 -0700
-
- tests: avoid false ulimit failure on some systems
-
- * tests/misc/cut-huge-range.sh: On some systems returns_ may
- use more memory, so incorporate that in the determination
- of the ulimit value to use. Noticed on ARMv7 with bash-4.4.12,
- and x86_64 with bash-4.2.37.
- Fixes http://bugs.gnu.org/26253
-
-... which appeared to be insufficient.
-
-diff --git a/tests/misc/cut-huge-range.sh b/tests/misc/cut-huge-range.sh
-index 6b3c5b6ed..55b7b640e 100755
---- a/tests/misc/cut-huge-range.sh
-+++ b/tests/misc/cut-huge-range.sh
-@@ -20,9 +20,9 @@
- print_ver_ cut
- getlimits_
-
--vm=$(get_min_ulimit_v_ cut -b1 /dev/null) \
-+vm=$(get_min_ulimit_v_ sh -c 'cut -b1 /dev/null') \
- || skip_ "this shell lacks ulimit support"
- vm=$(($vm + 1000)) # avoid spurious failures
-
- # sed script to subtract one from the input.
- # Each input line should consist of a positive decimal number.
diff --git a/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch b/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch
new file mode 100644
index 0000000000..88b2e7f25a
--- /dev/null
+++ b/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch
@@ -0,0 +1,65 @@
+From 3d9181d7bdd8e491f745dbc9e34bd20b6f6da069 Mon Sep 17 00:00:00 2001
+From: Gergely Nagy <ngg@tresorit.com>
+Date: Wed, 14 Dec 2016 13:19:01 +0100
+Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)
+
+---
+ asn.cpp | 10 ++++++++++
+ asn.h | 2 ++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/asn.cpp b/asn.cpp
+index 297ff010..2e923ef7 100644
+--- a/asn.cpp
++++ b/asn.cpp
+@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ str.New(bc);
+ if (bc != bt.Get(str, bc))
+@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ bt.TransferTo(str, bc);
+ return bc;
+@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ SecByteBlock temp(bc);
+ if (bc != bt.Get(temp, bc))
+@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc == 0)
++ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ byte unused;
+ if (!bt.Get(unused))
+diff --git a/asn.h b/asn.h
+index ed9de52c..33f0dd09 100644
+--- a/asn.h
++++ b/asn.h
+@@ -498,6 +498,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
+ bool definite = BERLengthDecode(in, bc);
+ if (!definite)
+ BERDecodeError();
++ if (bc > in.MaxRetrievable())
++ BERDecodeError();
+
+ SecByteBlock buf(bc);
+
diff --git a/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch b/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch
deleted file mode 100644
index 74b10c4a44..0000000000
--- a/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Add missing include that triggers a build failure on PowerPC:
-
- ../../../../gcc-5.4.0/libsanitizer/asan/asan_linux.cc: In function ‘bool __asan::AsanInterceptsSignal(int)’:
- ../../../../gcc-5.4.0/libsanitizer/asan/asan_linux.cc:222:20: error: ‘SIGSEGV’ was not declared in this scope
- return signum == SIGSEGV && common_flags()->handle_segv;
- ^
-From <https://patchwork.ozlabs.org/patch/725596/>.
-
-diff --git a/libsanitizer/asan/asan_linux.cc b/libsanitizer/asan/asan_linux.cc
-index c504168..59087b9 100644
---- a/libsanitizer/asan/asan_linux.cc
-+++ b/libsanitizer/asan/asan_linux.cc
-@@ -29,6 +29,7 @@
- #include <dlfcn.h>
- #include <fcntl.h>
- #include <pthread.h>
-+#include <signal.h>
- #include <stdio.h>
- #include <unistd.h>
- #include <unwind.h>
diff --git a/gnu/packages/patches/gcc-fix-texi2pod.patch b/gnu/packages/patches/gcc-fix-texi2pod.patch
new file mode 100644
index 0000000000..28bd56a382
--- /dev/null
+++ b/gnu/packages/patches/gcc-fix-texi2pod.patch
@@ -0,0 +1,19 @@
+This patch was taken from the official GCC git repository.
+X-Git-Url: https://gcc.gnu.org/git/?p=gcc.git;a=blobdiff_plain;f=contrib%2Ftexi2pod.pl;h=91bdbb5cea933d0381f2924ab94490fca31d5800;hp=eba1bcaa3cffa78b46030b219d04fe7d68367658;hb=67b56c905078d49d3e4028085e5cb1e1fb87a8aa;hpb=2f508a78310caab123e9794d3dcfe41f2769449b
+
+It fixes a defect in the contrib/texi2pod.pl script that prevented generating
+manual pages. It was corrected in the GCC 6.X series.
+
+diff --git a/contrib/texi2pod.pl b/contrib/texi2pod.pl
+index eba1bca..91bdbb5 100755
+--- a/contrib/texi2pod.pl
++++ b/contrib/texi2pod.pl
+@@ -316,7 +316,7 @@ while(<$inf>) {
+ @columns = ();
+ for $column (split (/\s*\@tab\s*/, $1)) {
+ # @strong{...} is used a @headitem work-alike
+- $column =~ s/^\@strong{(.*)}$/$1/;
++ $column =~ s/^\@strong\{(.*)\}$/$1/;
+ push @columns, $column;
+ }
+ $_ = "\n=item ".join (" : ", @columns)."\n";
diff --git a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
deleted file mode 100644
index d38bd593c0..0000000000
--- a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-Fix CVE-2017-8291:
-
-https://bugs.ghostscript.com/show_bug.cgi?id=697799
-https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
-
-Patches copied from upstream source repository:
-
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad
-
-From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:03:33 +0100
-Subject: [PATCH] Bug 697799: have .eqproc check its parameters
-
-The Ghostscript custom operator .eqproc was not check the number or type of
-the parameters it was given.
----
- psi/zmisc3.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 54b304246..37293ff4b 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
- ref2_t stack[MAX_DEPTH + 1];
- ref2_t *top = stack;
-
-+ if (ref_stack_count(&o_stack) < 2)
-+ return_error(gs_error_stackunderflow);
-+ if (!r_is_array(op - 1) || !r_is_array(op)) {
-+ return_error(gs_error_typecheck);
-+ }
-+
- make_array(&stack[0].proc1, 0, 1, op - 1);
- make_array(&stack[0].proc2, 0, 1, op);
- for (;;) {
---
-2.13.0
-
-From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:21:31 +0100
-Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
-
-The Ghostscript internal operator .rsdparams wasn't checking the number or
-type of the operands it was being passed. Do so.
----
- psi/zfrsd.c | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 191107d8a..950588d69 100644
---- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
- ref *pFilter;
- ref *pDecodeParms;
- int Intent = 0;
-- bool AsyncRead;
-+ bool AsyncRead = false;
- ref empty_array, filter1_array, parms1_array;
- uint i;
-- int code;
-+ int code = 0;
-+
-+ if (ref_stack_count(&o_stack) < 1)
-+ return_error(gs_error_stackunderflow);
-+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
-+ return_error(gs_error_typecheck);
-+ }
-
- make_empty_array(&empty_array, a_readonly);
-- if (dict_find_string(op, "Filter", &pFilter) > 0) {
-+ if (r_has_type(op, t_dictionary)
-+ && dict_find_string(op, "Filter", &pFilter) > 0) {
- if (!r_is_array(pFilter)) {
- if (!r_has_type(pFilter, t_name))
- return_error(gs_error_typecheck);
-@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
- return_error(gs_error_typecheck);
- }
- }
-- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-+ if (r_has_type(op, t_dictionary))
-+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
- if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
- return code;
-- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-- )
-- return code;
-+ if (r_has_type(op, t_dictionary))
-+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
-+ return code;
- push(1);
- op[-1] = *pFilter;
- if (pDecodeParms)
---
-2.13.0
-
-From 57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Wed, 3 May 2017 12:05:45 +0100
-Subject: [PATCH] Bug 697846: revision to commit 4f83478c88 (.eqproc)
-
-When using the "DELAYBIND" feature, it turns out that .eqproc can be called with
-parameters that are not both procedures. In this case, it turns out, the
-expectation is for the operator to return 'false', rather than throw an error.
----
- psi/zmisc3.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 37293ff4b..3f01d39a3 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p)
- return gs_cliprestore(igs);
- }
-
-+static inline bool
-+eqproc_check_type(ref *r)
-+{
-+ return r_has_type(r, t_array)
-+ || r_has_type(r, t_mixedarray)
-+ || r_has_type(r, t_shortarray)
-+ || r_has_type(r, t_oparray);
-+}
-+
- /* <proc1> <proc2> .eqproc <bool> */
- /*
- * Test whether two procedures are equal to depth 10.
-@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p)
-
- if (ref_stack_count(&o_stack) < 2)
- return_error(gs_error_stackunderflow);
-- if (!r_is_array(op - 1) || !r_is_array(op)) {
-- return_error(gs_error_typecheck);
-+ if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
-+ make_false(op - 1);
-+ pop(1);
-+ return 0;
- }
-
- make_array(&stack[0].proc1, 0, 1, op - 1);
---
-2.13.0
-
-From ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 11 May 2017 14:07:48 +0100
-Subject: [PATCH] Bug 697892: fix check for op stack underflow.
-
-In the original fix, I used the wrong method to check for stack underflow, this
-is using the correct method.
----
- psi/zfrsd.c | 3 +--
- psi/zmisc3.c | 3 +--
- 2 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 950588d69..9c035b96d 100644
---- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p)
- uint i;
- int code = 0;
-
-- if (ref_stack_count(&o_stack) < 1)
-- return_error(gs_error_stackunderflow);
-+ check_op(1);
- if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
- return_error(gs_error_typecheck);
- }
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 3f01d39a3..43803b55b 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p)
- ref2_t stack[MAX_DEPTH + 1];
- ref2_t *top = stack;
-
-- if (ref_stack_count(&o_stack) < 2)
-- return_error(gs_error_stackunderflow);
-+ check_op(2);
- if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
- make_false(op - 1);
- pop(1);
---
-2.13.0
-
diff --git a/gnu/packages/patches/glib-respect-datadir.patch b/gnu/packages/patches/glib-respect-datadir.patch
new file mode 100644
index 0000000000..309ce9fc0b
--- /dev/null
+++ b/gnu/packages/patches/glib-respect-datadir.patch
@@ -0,0 +1,21 @@
+On Guix, Python modules are in a different output from the executables,
+so searching "../share/glib-2.0" will not work.
+
+This patch restores behaviour prior to this commit:
+<https://git.gnome.org/browse/glib/commit/?id=fe2a9887a8ccb14f2386e01b14834e97a33bc2d7>
+
+--- a/gio/gdbus-2.0/codegen/gdbus-codegen.in
++++ b/gio/gdbus-2.0/codegen/gdbus-codegen.in
+@@ -25,9 +25,12 @@
+
+ srcdir = os.getenv('UNINSTALLED_GLIB_SRCDIR', None)
+ filedir = os.path.dirname(__file__)
++datadir = os.path.join('@datadir@', 'glib-2.0')
+
+ if srcdir is not None:
+ path = os.path.join(srcdir, 'gio', 'gdbus-2.0')
++elif os.path.exists(os.path.join(datadir, 'codegen')):
++ path = datadir
+ elif os.path.basename(filedir) == 'bin':
+ # Make the prefix containing gdbus-codegen 'relocatable' at runtime by
+ # adding /some/prefix/bin/../share/glib-2.0 to the python path
diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
new file mode 100644
index 0000000000..76d688c517
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
@@ -0,0 +1,27 @@
+Fix CVE-2017-15670:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
+https://sourceware.org/bugzilla/show_bug.cgi?id=22320
+https://bugzilla.redhat.com/show_bug.cgi?id=1504804
+
+And CVE-2017-15671:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
+https://sourceware.org/bugzilla/show_bug.cgi?id=22325
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
+
+Copied from upstream:
+<https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f>
+
+diff --git a/posix/glob.c b/posix/glob.c
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -843,7 +843,7 @@
+ *p = '\0';
+ }
+ else
+- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
+ = '\0';
+ user_name = newp;
+ }
diff --git a/gnu/packages/patches/grep-gnulib-lock.patch b/gnu/packages/patches/grep-gnulib-lock.patch
deleted file mode 100644
index 68c33f1031..0000000000
--- a/gnu/packages/patches/grep-gnulib-lock.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-This patch fix error on 'gnulib' library required to build
-'grep' package on GNU/Hurd.
-The patch was adapted from upstream source repository:
-'<http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=4084b3a1094372b960ce4a97634e08f4538c8bdd>'
-
-Commit: 4084b3a1094372b960ce4a97634e08f4538c8bdd
-
-diff --git a/lib/glthread/lock.c b/lib/glthread/lock.c
-index 061562b..afc86f4 100644
---- a/lib/glthread/lock.c
-+++ b/lib/glthread/lock.c
-@@ -30,7 +30,7 @@
-
- /* ------------------------- gl_rwlock_t datatype ------------------------- */
-
--# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (__GNU_LIBRARY__ > 1))
-+# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (defined PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP && (__GNU_LIBRARY__ > 1)))
-
- # ifdef PTHREAD_RWLOCK_INITIALIZER
-
-diff --git a/lib/glthread/lock.h b/lib/glthread/lock.h
-index ec16d39..67932aa 100644
---- a/lib/glthread/lock.h
-+++ b/lib/glthread/lock.h
-@@ -179,7 +179,7 @@ typedef pthread_mutex_t gl_lock_t;
-
- /* ------------------------- gl_rwlock_t datatype ------------------------- */
-
--# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (__GNU_LIBRARY__ > 1))
-+# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (defined PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP && (__GNU_LIBRARY__ > 1)))
-
- # ifdef PTHREAD_RWLOCK_INITIALIZER
diff --git a/gnu/packages/patches/icu4c-CVE-2017-14952.patch b/gnu/packages/patches/icu4c-CVE-2017-14952.patch
new file mode 100644
index 0000000000..564f69d01d
--- /dev/null
+++ b/gnu/packages/patches/icu4c-CVE-2017-14952.patch
@@ -0,0 +1,18 @@
+Fix CVE-2017-14952:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952
+
+Patch copied from upstream source repository:
+
+http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp#file0
+
+Index: trunk/icu4c/source/i18n/zonemeta.cpp
+===================================================================
+--- icu/source/i18n/zonemeta.cpp (revision 40283)
++++ icu/source/i18n/zonemeta.cpp (revision 40324)
+@@ -691,5 +691,4 @@
+ if (U_FAILURE(status)) {
+ delete mzMappings;
+- deleteOlsonToMetaMappingEntry(entry);
+ uprv_free(entry);
+ break;
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
new file mode 100644
index 0000000000..d577e1eb50
--- /dev/null
+++ b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
@@ -0,0 +1,84 @@
+Fix CVE-2017-1000256:
+
+https://security.libvirt.org/2017/0002.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
+
+Patch copied from upstream source repository:
+
+https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7
+
+From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256 / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+---
+ src/qemu/qemu_command.c | 2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
+ ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 9a27987..ae78cd1 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+ if (virJSONValueObjectCreate(propsret,
+ "s:dir", path,
+ "s:endpoint", (isListen ? "server": "client"),
+- "b:verify-peer", verifypeer,
++ "b:verify-peer", (isListen ? verifypeer : true),
+ NULL) < 0)
+ goto cleanup;
+
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index 5aff773..ab5f7e2 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
++endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 91f1fe0..2567abb 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+--
+1.7.1
+
diff --git a/gnu/packages/patches/libxml2-CVE-2016-4658.patch b/gnu/packages/patches/libxml2-CVE-2016-4658.patch
deleted file mode 100644
index a4e1f31fae..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-4658.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-Fix CVE-2016-4658:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
-
-From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 18:34:52 +0200
-Subject: [PATCH] Disallow namespace nodes in XPointer ranges
-
-Namespace nodes must be copied to avoid use-after-free errors.
-But they don't necessarily have a physical representation in a
-document, so simply disallow them in XPointer ranges.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-4658.
----
- xpointer.c | 149 +++++++++++++++++++++++--------------------------------------
- 1 file changed, 56 insertions(+), 93 deletions(-)
-
-diff --git a/xpointer.c b/xpointer.c
-index a7b03fbd..694d120e 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
- }
-
- /**
-+ * xmlXPtrNewRangeInternal:
-+ * @start: the starting node
-+ * @startindex: the start index
-+ * @end: the ending point
-+ * @endindex: the ending index
-+ *
-+ * Internal function to create a new xmlXPathObjectPtr of type range
-+ *
-+ * Returns the newly created object.
-+ */
-+static xmlXPathObjectPtr
-+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
-+ xmlNodePtr end, int endindex) {
-+ xmlXPathObjectPtr ret;
-+
-+ /*
-+ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
-+ * Disallow them for now.
-+ */
-+ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
-+ return(NULL);
-+ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
-+ return(NULL);
-+
-+ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-+ if (ret == NULL) {
-+ xmlXPtrErrMemory("allocating range");
-+ return(NULL);
-+ }
-+ memset(ret, 0, sizeof(xmlXPathObject));
-+ ret->type = XPATH_RANGE;
-+ ret->user = start;
-+ ret->index = startindex;
-+ ret->user2 = end;
-+ ret->index2 = endindex;
-+ return(ret);
-+}
-+
-+/**
- * xmlXPtrNewRange:
- * @start: the starting node
- * @startindex: the start index
-@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
- if (endindex < 0)
- return(NULL);
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start;
-- ret->index = startindex;
-- ret->user2 = end;
-- ret->index2 = endindex;
-+ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
- xmlXPtrRangeCheckOrder(ret);
- return(ret);
- }
-@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
- if (end->type != XPATH_POINT)
- return(NULL);
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start->user;
-- ret->index = start->index;
-- ret->user2 = end->user;
-- ret->index2 = end->index;
-+ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
-+ end->index);
- xmlXPtrRangeCheckOrder(ret);
- return(ret);
- }
-@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
- if (start->type != XPATH_POINT)
- return(NULL);
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start->user;
-- ret->index = start->index;
-- ret->user2 = end;
-- ret->index2 = -1;
-+ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
- xmlXPtrRangeCheckOrder(ret);
- return(ret);
- }
-@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
- if (end->type != XPATH_POINT)
- return(NULL);
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start;
-- ret->index = -1;
-- ret->user2 = end->user;
-- ret->index2 = end->index;
-+ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
- xmlXPtrRangeCheckOrder(ret);
- return(ret);
- }
-@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
- if (end == NULL)
- return(NULL);
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start;
-- ret->index = -1;
-- ret->user2 = end;
-- ret->index2 = -1;
-+ ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
- xmlXPtrRangeCheckOrder(ret);
- return(ret);
- }
-@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
- if (start == NULL)
- return(NULL);
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start;
-- ret->index = -1;
-- ret->user2 = NULL;
-- ret->index2 = -1;
-+ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
- return(ret);
- }
-
-@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
- */
- xmlXPathObjectPtr
- xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
-+ xmlNodePtr endNode;
-+ int endIndex;
- xmlXPathObjectPtr ret;
-
- if (start == NULL)
-@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- return(NULL);
- switch (end->type) {
- case XPATH_POINT:
-+ endNode = end->user;
-+ endIndex = end->index;
-+ break;
- case XPATH_RANGE:
-+ endNode = end->user2;
-+ endIndex = end->index2;
- break;
- case XPATH_NODESET:
- /*
-@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- */
- if (end->nodesetval->nodeNr <= 0)
- return(NULL);
-+ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
-+ endIndex = -1;
- break;
- default:
- /* TODO */
- return(NULL);
- }
-
-- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-- if (ret == NULL) {
-- xmlXPtrErrMemory("allocating range");
-- return(NULL);
-- }
-- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
-- ret->type = XPATH_RANGE;
-- ret->user = start;
-- ret->index = -1;
-- switch (end->type) {
-- case XPATH_POINT:
-- ret->user2 = end->user;
-- ret->index2 = end->index;
-- break;
-- case XPATH_RANGE:
-- ret->user2 = end->user2;
-- ret->index2 = end->index2;
-- break;
-- case XPATH_NODESET: {
-- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
-- ret->index2 = -1;
-- break;
-- }
-- default:
-- STRANGE
-- return(NULL);
-- }
-+ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
- xmlXPtrRangeCheckOrder(ret);
- return(ret);
- }
---
-2.11.0
-
diff --git a/gnu/packages/patches/libxml2-CVE-2016-5131.patch b/gnu/packages/patches/libxml2-CVE-2016-5131.patch
deleted file mode 100644
index 38938c8e3e..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-5131.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-Fix CVE-2016-5131:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
-
-Patches copied from upstream source repository (the test suite fails
-without the 2nd patch):
-
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
-
-From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:22:23 +0200
-Subject: [PATCH] Fix XPointer paths beginning with range-to
-
-The old code would invoke the broken xmlXPtrRangeToFunction. range-to
-isn't really a function but a special kind of location step. Remove
-this function and always handle range-to in the XPath code.
-
-The old xmlXPtrRangeToFunction could also be abused to trigger a
-use-after-free error with the potential for remote code execution.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-5131.
----
- result/XPath/xptr/vidbase | 13 ++++++++
- test/XPath/xptr/vidbase | 1 +
- xpath.c | 7 ++++-
- xpointer.c | 76 ++++-------------------------------------------
- 4 files changed, 26 insertions(+), 71 deletions(-)
-
-diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
-index 8b9e92d6..f19193e7 100644
---- a/result/XPath/xptr/vidbase
-+++ b/result/XPath/xptr/vidbase
-@@ -17,3 +17,16 @@ Object is a Location Set:
- To node
- ELEMENT p
-
-+
-+========================
-+Expression: xpointer(range-to(id('chapter2')))
-+Object is a Location Set:
-+1 : Object is a range :
-+ From node
-+ /
-+ To node
-+ ELEMENT chapter
-+ ATTRIBUTE id
-+ TEXT
-+ content=chapter2
-+
-diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
-index b1463830..884b1065 100644
---- a/test/XPath/xptr/vidbase
-+++ b/test/XPath/xptr/vidbase
-@@ -1,2 +1,3 @@
- xpointer(id('chapter1')/p)
- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
-+xpointer(range-to(id('chapter2')))
-diff --git a/xpath.c b/xpath.c
-index d992841e..5a01b1b3 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
- lc = 1;
- break;
- } else if ((NXT(len) == '(')) {
-- /* Note Type or Function */
-+ /* Node Type or Function */
- if (xmlXPathIsNodeType(name)) {
- #ifdef DEBUG_STEP
- xmlGenericError(xmlGenericErrorContext,
- "PathExpr: Type search\n");
- #endif
- lc = 1;
-+#ifdef LIBXML_XPTR_ENABLED
-+ } else if (ctxt->xptr &&
-+ xmlStrEqual(name, BAD_CAST "range-to")) {
-+ lc = 1;
-+#endif
- } else {
- #ifdef DEBUG_STEP
- xmlGenericError(xmlGenericErrorContext,
-diff --git a/xpointer.c b/xpointer.c
-index 676c5105..d74174a3 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
- ret->here = here;
- ret->origin = origin;
-
-- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
-- xmlXPtrRangeToFunction);
- xmlXPathRegisterFunc(ret, (xmlChar *)"range",
- xmlXPtrRangeFunction);
- xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
-@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- * @nargs: the number of args
- *
- * Implement the range-to() XPointer function
-+ *
-+ * Obsolete. range-to is not a real function but a special type of location
-+ * step which is handled in xpath.c.
- */
- void
--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-- xmlXPathObjectPtr range;
-- const xmlChar *cur;
-- xmlXPathObjectPtr res, obj;
-- xmlXPathObjectPtr tmp;
-- xmlLocationSetPtr newset = NULL;
-- xmlNodeSetPtr oldset;
-- int i;
--
-- if (ctxt == NULL) return;
-- CHECK_ARITY(1);
-- /*
-- * Save the expression pointer since we will have to evaluate
-- * it multiple times. Initialize the new set.
-- */
-- CHECK_TYPE(XPATH_NODESET);
-- obj = valuePop(ctxt);
-- oldset = obj->nodesetval;
-- ctxt->context->node = NULL;
--
-- cur = ctxt->cur;
-- newset = xmlXPtrLocationSetCreate(NULL);
--
-- for (i = 0; i < oldset->nodeNr; i++) {
-- ctxt->cur = cur;
--
-- /*
-- * Run the evaluation with a node list made of a single item
-- * in the nodeset.
-- */
-- ctxt->context->node = oldset->nodeTab[i];
-- tmp = xmlXPathNewNodeSet(ctxt->context->node);
-- valuePush(ctxt, tmp);
--
-- xmlXPathEvalExpr(ctxt);
-- CHECK_ERROR;
--
-- /*
-- * The result of the evaluation need to be tested to
-- * decided whether the filter succeeded or not
-- */
-- res = valuePop(ctxt);
-- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
-- if (range != NULL) {
-- xmlXPtrLocationSetAdd(newset, range);
-- }
--
-- /*
-- * Cleanup
-- */
-- if (res != NULL)
-- xmlXPathFreeObject(res);
-- if (ctxt->value == tmp) {
-- res = valuePop(ctxt);
-- xmlXPathFreeObject(res);
-- }
--
-- ctxt->context->node = NULL;
-- }
--
-- /*
-- * The result is used as the new evaluation set.
-- */
-- xmlXPathFreeObject(obj);
-- ctxt->context->node = NULL;
-- ctxt->context->contextSize = -1;
-- ctxt->context->proximityPosition = -1;
-- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
-+ int nargs ATTRIBUTE_UNUSED) {
-+ XP_ERROR(XPATH_EXPR_ERROR);
- }
-
- /**
---
-2.11.0
-
-From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:19:58 +0200
-Subject: [PATCH] Fix comparison with root node in xmlXPathCmpNodes
-
-This change has already been made in xmlXPathCmpNodesExt but not in
-xmlXPathCmpNodes.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 751665b8..d992841e 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
- * compute depth to root
- */
- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
-- if (cur == node1)
-+ if (cur->parent == node1)
- return(1);
- depth2++;
- }
- root = cur;
- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
-- if (cur == node2)
-+ if (cur->parent == node2)
- return(-1);
- depth1++;
- }
---
-2.11.0
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
deleted file mode 100644
index b0277a2d23..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-0663.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix CVE-2017-0663:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
-https://security-tracker.debian.org/tracker/CVE-2017-0663
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
-
-From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
----
- valid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a0..c51ea290 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- }
- }
-
-+ /*
-+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+ * no practical sense to use ID types anyway.
-+ */
-+#if 0
- /* Validity Constraint: ID uniqueness */
- if (attrDecl->atype == XML_ATTRIBUTE_ID) {
- if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- ret = 0;
- }
-+#endif
-
- /* Validity Constraint: Notation Attributes */
- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
---
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
deleted file mode 100644
index 32af1ff6ba..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-7375.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-7375:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
-https://security-tracker.debian.org/tracker/CVE-2017-7375
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
-
-From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
-From: Neel Mehta <nmehta@google.com>
-Date: Fri, 7 Apr 2017 17:43:02 +0200
-Subject: [PATCH] Prevent unwanted external entity reference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780691
-
-* parser.c: add a specific check to avoid PE reference
----
- parser.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 609a2703..c2c812de 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- if (xmlPushInput(ctxt, input) < 0)
- return;
- } else {
-+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+ (ctxt->replaceEntities == 0) &&
-+ (ctxt->validate == 0))
-+ return;
-+
- /*
- * TODO !!!
- * handle the extra spaces added before and after
---
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
deleted file mode 100644
index 5b9e45bd83..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-7376.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2017-7376:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
-https://security-tracker.debian.org/tracker/CVE-2017-7376
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
-
-From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Fri, 7 Apr 2017 17:13:28 +0200
-Subject: [PATCH] Increase buffer space for port in HTTP redirect support
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780690
-
-nanohttp.c: the code wrongly assumed a short int port value.
----
- nanohttp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nanohttp.c b/nanohttp.c
-index e109ad75..373425de 100644
---- a/nanohttp.c
-+++ b/nanohttp.c
-@@ -1423,9 +1423,9 @@ retry:
- if (ctxt->port != 80) {
- /* reserve space for ':xxxxx', incl. potential proxy */
- if (proxy)
-- blen += 12;
-+ blen += 17;
- else
-- blen += 6;
-+ blen += 11;
- }
- bp = (char*)xmlMallocAtomic(blen);
- if ( bp == NULL ) {
---
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
deleted file mode 100644
index 0a0e6d34cf..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Fix CVE-2017-{9047,9048}:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)
-https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
-http://www.openwall.com/lists/oss-security/2017/05/15/1
-https://security-tracker.debian.org/tracker/CVE-2017-9047
-https://security-tracker.debian.org/tracker/CVE-2017-9048
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
-
-From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 3 Jun 2017 02:01:29 +0200
-Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-xmlSnprintfElementContent failed to correctly check the available
-buffer space in two locations.
-
-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
-
-Thanks to Marcel Böhme and Thuan Pham for the report.
----
- result/valid/781333.xml | 5 +++++
- result/valid/781333.xml.err | 3 +++
- result/valid/781333.xml.err.rdr | 6 ++++++
- test/valid/781333.xml | 4 ++++
- valid.c | 20 +++++++++++---------
- 5 files changed, 29 insertions(+), 9 deletions(-)
- create mode 100644 result/valid/781333.xml
- create mode 100644 result/valid/781333.xml.err
- create mode 100644 result/valid/781333.xml.err.rdr
- create mode 100644 test/valid/781333.xml
-
-diff --git a/result/valid/781333.xml b/result/valid/781333.xml
-new file mode 100644
-index 00000000..45dc451d
---- /dev/null
-+++ b/result/valid/781333.xml
-@@ -0,0 +1,5 @@
-+<?xml version="1.0"?>
-+<!DOCTYPE a [
-+<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
-new file mode 100644
-index 00000000..b401b49a
---- /dev/null
-+++ b/result/valid/781333.xml.err
-@@ -0,0 +1,3 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
-+<a/>
-+ ^
-diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
-new file mode 100644
-index 00000000..5ff56992
---- /dev/null
-+++ b/result/valid/781333.xml.err.rdr
-@@ -0,0 +1,6 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
-+<a/>
-+ ^
-+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
-+
-+^
-diff --git a/test/valid/781333.xml b/test/valid/781333.xml
-new file mode 100644
-index 00000000..b29e5a68
---- /dev/null
-+++ b/test/valid/781333.xml
-@@ -0,0 +1,4 @@
-+<!DOCTYPE a [
-+ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/valid.c b/valid.c
-index 19f84b82..9b2df56a 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- case XML_ELEMENT_CONTENT_PCDATA:
- strcat(buf, "#PCDATA");
- break;
-- case XML_ELEMENT_CONTENT_ELEMENT:
-+ case XML_ELEMENT_CONTENT_ELEMENT: {
-+ int qnameLen = xmlStrlen(content->name);
-+
-+ if (content->prefix != NULL)
-+ qnameLen += xmlStrlen(content->prefix) + 1;
-+ if (size - len < qnameLen + 10) {
-+ strcat(buf, " ...");
-+ return;
-+ }
- if (content->prefix != NULL) {
-- if (size - len < xmlStrlen(content->prefix) + 10) {
-- strcat(buf, " ...");
-- return;
-- }
- strcat(buf, (char *) content->prefix);
- strcat(buf, ":");
- }
-- if (size - len < xmlStrlen(content->name) + 10) {
-- strcat(buf, " ...");
-- return;
-- }
- if (content->name != NULL)
- strcat(buf, (char *) content->name);
- break;
-+ }
- case XML_ELEMENT_CONTENT_SEQ:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- xmlSnprintfElementContent(buf, size, content->c2, 0);
- break;
- }
-+ if (size - strlen(buf) <= 2) return;
- if (englob)
- strcat(buf, ")");
- switch (content->ocur) {
---
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
deleted file mode 100644
index 890e9c2284..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
+++ /dev/null
@@ -1,319 +0,0 @@
-Fix CVE-2017-{9049,9050}:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)
-https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
-http://www.openwall.com/lists/oss-security/2017/05/15/1
-https://security-tracker.debian.org/tracker/CVE-2017-9049
-https://security-tracker.debian.org/tracker/CVE-2017-9050
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
-
-Changes to 'runtest.c' are removed since they introduce test failure
-when applying to libxml2 2.9.4 release tarball.
-
-From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 5 Jun 2017 15:37:17 +0200
-Subject: [PATCH] Fix handling of parameter-entity references
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
----
- Makefile.am | 18 ++++++++++++++++++
- parser.c | 18 ++++++++++--------
- result/errors10/781205.xml | 0
- result/errors10/781205.xml.err | 21 +++++++++++++++++++++
- result/errors10/781361.xml | 0
- result/errors10/781361.xml.err | 13 +++++++++++++
- result/valid/766956.xml | 0
- result/valid/766956.xml.err | 9 +++++++++
- result/valid/766956.xml.err.rdr | 10 ++++++++++
- runtest.c | 3 +++
- test/errors10/781205.xml | 3 +++
- test/errors10/781361.xml | 3 +++
- test/valid/766956.xml | 2 ++
- test/valid/dtds/766956.dtd | 2 ++
- 14 files changed, 94 insertions(+), 8 deletions(-)
- create mode 100644 result/errors10/781205.xml
- create mode 100644 result/errors10/781205.xml.err
- create mode 100644 result/errors10/781361.xml
- create mode 100644 result/errors10/781361.xml.err
- create mode 100644 result/valid/766956.xml
- create mode 100644 result/valid/766956.xml.err
- create mode 100644 result/valid/766956.xml.err.rdr
- create mode 100644 test/errors10/781205.xml
- create mode 100644 test/errors10/781361.xml
- create mode 100644 test/valid/766956.xml
- create mode 100644 test/valid/dtds/766956.dtd
-
-diff --git a/Makefile.am b/Makefile.am
-index 6fc8ffa9..10e716a5 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
- if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
- rm result.$$name error.$$name ; \
- fi ; fi ; done)
-+ @echo "## Error cases regression tests (old 1.0)"
-+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
-+ name=`basename $$i`; \
-+ if [ ! -d $$i ] ; then \
-+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
-+ echo New test file $$name ; \
-+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
-+ 2> $(srcdir)/result/errors10/$$name.err \
-+ > $(srcdir)/result/errors10/$$name ; \
-+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
-+ else \
-+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
-+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
-+ diff $(srcdir)/result/errors10/$$name result.$$name ; \
-+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
-+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
-+ rm result.$$name error.$$name ; \
-+ fi ; fi ; done)
- @echo "## Error cases stream regression tests"
- -@(for i in $(srcdir)/test/errors/*.xml ; do \
- name=`basename $$i`; \
-diff --git a/parser.c b/parser.c
-index df2efa55..a175ac4e 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- ctxt->input->line++; ctxt->input->col = 1; \
- } else ctxt->input->col++; \
- ctxt->input->cur += l; \
-- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
- } while (0)
-
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- len += l;
- NEXTL(l);
- c = CUR_CHAR(l);
-- if (c == 0) {
-- count = 0;
-- GROW;
-- if (ctxt->instate == XML_PARSER_EOF)
-- return(NULL);
-- c = CUR_CHAR(l);
-- }
- }
- }
- if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
- return(NULL);
- }
-+ if (ctxt->input->cur - ctxt->input->base < len) {
-+ /*
-+ * There were a couple of bugs where PERefs lead to to a change
-+ * of the buffer. Check the buffer size to avoid passing an invalid
-+ * pointer to xmlDictLookup.
-+ */
-+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+ "unexpected change of input buffer");
-+ return (NULL);
-+ }
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 00000000..da15c3f7
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a;
-+ ^
-+Entity: line 1:
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a;
-+ ^
-+Entity: line 1:
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a;
-+ ^
-+<:0000
-+ ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 00000000..655f41a2
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 00000000..34b1dae6
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+ ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent;
-+ ^
-+Entity: line 1:
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 00000000..77603462
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+ ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent;
-+ ^
-+Entity: line 1:
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 00000000..d9e9e839
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+ <!ENTITY % a "<:0000">
-+ %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 00000000..67476bcb
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+ <!ENTITY % elem "<!ELEMENT e0000000000">
-+ %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 00000000..19a95a0e
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 00000000..dddde68b
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;
---
-2.14.1
-
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
deleted file mode 100644
index a7537c66ca..0000000000
--- a/gnu/packages/patches/libxslt-CVE-2016-4738.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix CVE-2016-4738:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
-https://bugs.chromium.org/p/chromium/issues/detail?id=619006
-
-Patch copied from upstream source repository:
-https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
-
-From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jun 2016 14:23:58 +0200
-Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
-
-An empty decimal-separator could cause a heap overread. This can be
-exploited to leak a couple of bytes after the buffer that holds the
-pattern string.
-
-Found with afl-fuzz and ASan.
----
- libxslt/numbers.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index d1549b4..e78c46b 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
- }
-
- /* We have finished the integer part, now work on fraction */
-- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
-+ if ( (*the_format != 0) &&
-+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
- format_info.add_decimal = TRUE;
- the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
- }
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14685.patch b/gnu/packages/patches/mupdf-CVE-2017-14685.patch
new file mode 100644
index 0000000000..3fcce5fedf
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-14685.patch
@@ -0,0 +1,34 @@
+Fix CVE-2017-14685:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14685
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
+
+From ab1a420613dec93c686acbee2c165274e922f82a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 19 Sep 2017 15:23:04 +0200
+Subject: [PATCH] Fix 698539: Don't use xps font if it could not be loaded.
+
+xps_load_links_in_glyphs did not cope with font loading failures.
+---
+ source/xps/xps-link.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/xps/xps-link.c b/source/xps/xps-link.c
+index c07e0d7..c26a8d9 100644
+--- a/source/xps/xps-link.c
++++ b/source/xps/xps-link.c
+@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
+ bidi_level = atoi(bidi_level_att);
+
+ font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
++ if (!font)
++ return;
+ text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att),
+ fz_atof(origin_x_att), fz_atof(origin_y_att),
+ is_sideways, bidi_level, indices_att, unicode_att);
+--
+2.9.1
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14686.patch b/gnu/packages/patches/mupdf-CVE-2017-14686.patch
new file mode 100644
index 0000000000..e462a6ffeb
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-14686.patch
@@ -0,0 +1,34 @@
+Fix CVE-2017-14686:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14686
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
+
+From 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 19 Sep 2017 16:33:38 +0200
+Subject: [PATCH] Fix 698540: Check name, comment and meta size field signs.
+
+---
+ source/fitz/unzip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
+index f2d4f32..0bcce0f 100644
+--- a/source/fitz/unzip.c
++++ b/source/fitz/unzip.c
+@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
+ (void) fz_read_int32_le(ctx, file); /* ext file atts */
+ offset = fz_read_int32_le(ctx, file);
+
++ if (namesize < 0 || metasize < 0 || commentsize < 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
++
+ name = fz_malloc(ctx, namesize + 1);
+ n = fz_read(ctx, file, (unsigned char*)name, namesize);
+ if (n < (size_t)namesize)
+--
+2.9.1
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14687.patch b/gnu/packages/patches/mupdf-CVE-2017-14687.patch
new file mode 100644
index 0000000000..cdc41df813
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-14687.patch
@@ -0,0 +1,130 @@
+Fix CVE-2017-14687:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14687
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
+
+From 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 19 Sep 2017 17:17:12 +0200
+Subject: [PATCH] Fix 698558: Handle non-tags in tag name comparisons.
+
+Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
+---
+ source/html/css-apply.c | 2 +-
+ source/svg/svg-run.c | 2 +-
+ source/xps/xps-common.c | 6 +++---
+ source/xps/xps-glyphs.c | 2 +-
+ source/xps/xps-path.c | 4 ++--
+ source/xps/xps-resource.c | 2 +-
+ 6 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source/html/css-apply.c b/source/html/css-apply.c
+index de55490..6a91df0 100644
+--- a/source/html/css-apply.c
++++ b/source/html/css-apply.c
+@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
+
+ if (sel->name)
+ {
+- if (strcmp(sel->name, fz_xml_tag(node)))
++ if (!fz_xml_is_tag(node, sel->name))
+ return 0;
+ }
+
+diff --git a/source/svg/svg-run.c b/source/svg/svg-run.c
+index f974c67..5302c64 100644
+--- a/source/svg/svg-run.c
++++ b/source/svg/svg-run.c
+@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
+ fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1);
+ if (linked)
+ {
+- if (!strcmp(fz_xml_tag(linked), "symbol"))
++ if (fz_xml_is_tag(linked, "symbol"))
+ svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state);
+ else
+ svg_run_element(ctx, dev, doc, linked, &local_state);
+diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
+index cc7fed9..f2f9b93 100644
+--- a/source/xps/xps-common.c
++++ b/source/xps/xps-common.c
+@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const
+ else if (fz_xml_is_tag(node, "RadialGradientBrush"))
+ xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node);
+ else
+- fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
++ fz_warn(ctx, "unknown brush tag");
+ }
+
+ void
+@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons
+ if (opacity_att)
+ opacity = fz_atof(opacity_att);
+
+- if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+ {
+ char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
+ char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
+@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource
+
+ if (opacity_mask_tag)
+ {
+- if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++ if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+ fz_pop_clip(ctx, dev);
+ }
+ }
+diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
+index 29dc5b3..5b26d78 100644
+--- a/source/xps/xps-glyphs.c
++++ b/source/xps/xps-glyphs.c
+@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm,
+
+ /* If it's a solid color brush fill/stroke do a simple fill */
+
+- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+ {
+ fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+ fill_att = fz_xml_att(fill_tag, "Color");
+diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
+index 6faeb0c..021d202 100644
+--- a/source/xps/xps-path.c
++++ b/source/xps/xps-path.c
+@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b
+ if (!data_att && !data_tag)
+ return;
+
+- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+ {
+ fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+ fill_att = fz_xml_att(fill_tag, "Color");
+ fill_tag = NULL;
+ }
+
+- if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
+ {
+ stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
+ stroke_att = fz_xml_att(stroke_tag, "Color");
+diff --git a/source/xps/xps-resource.c b/source/xps/xps-resource.c
+index c2292e6..8e81ab8 100644
+--- a/source/xps/xps-resource.c
++++ b/source/xps/xps-resource.c
+@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b
+ if (!xml)
+ return NULL;
+
+- if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
++ if (!fz_xml_is_tag(xml, "ResourceDictionary"))
+ {
+ fz_drop_xml(ctx, xml);
+ fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element");
+--
+2.9.1
+
diff --git a/gnu/packages/patches/musl-CVE-2016-8859.patch b/gnu/packages/patches/musl-CVE-2016-8859.patch
deleted file mode 100644
index 7bb5b892dd..0000000000
--- a/gnu/packages/patches/musl-CVE-2016-8859.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Fix CVE-2016-8859:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8859
-
-Patch copied from upstream source repository:
-
-http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7
-
-From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
-From: Rich Felker <dalias@aerifal.cx>
-Date: Thu, 6 Oct 2016 18:34:58 -0400
-Subject: [PATCH] fix missing integer overflow checks in regexec buffer size
- computations
-
-most of the possible overflows were already ruled out in practice by
-regcomp having already succeeded performing larger allocations.
-however at least the num_states*num_tags multiplication can clearly
-overflow in practice. for safety, check them all, and use the proper
-type, size_t, rather than int.
-
-also improve comments, use calloc in place of malloc+memset, and
-remove bogus casts.
----
- src/regex/regexec.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/src/regex/regexec.c b/src/regex/regexec.c
-index 16c5d0a..dd52319 100644
---- a/src/regex/regexec.c
-+++ b/src/regex/regexec.c
-@@ -34,6 +34,7 @@
- #include <wchar.h>
- #include <wctype.h>
- #include <limits.h>
-+#include <stdint.h>
-
- #include <regex.h>
-
-@@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
-
- /* Allocate memory for temporary data required for matching. This needs to
- be done for every matching operation to be thread safe. This allocates
-- everything in a single large block from the stack frame using alloca()
-- or with malloc() if alloca is unavailable. */
-+ everything in a single large block with calloc(). */
- {
-- int tbytes, rbytes, pbytes, xbytes, total_bytes;
-+ size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
- char *tmp_buf;
-+
-+ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
-+ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
-+ if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
-+ goto error_exit;
-+
-+ /* Likewise check rbytes. */
-+ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
-+ goto error_exit;
-+
-+ /* Likewise check pbytes. */
-+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
-+ goto error_exit;
-+
- /* Compute the length of the block we need. */
- tbytes = sizeof(*tmp_tags) * num_tags;
- rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
-@@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
- + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes;
-
- /* Allocate the memory. */
-- buf = xmalloc((unsigned)total_bytes);
-+ buf = calloc(total_bytes, 1);
- if (buf == NULL)
- return REG_ESPACE;
-- memset(buf, 0, (size_t)total_bytes);
-
- /* Get the various pointers within tmp_buf (properly aligned). */
- tmp_tags = (void *)buf;
---
-2.10.1
-
diff --git a/gnu/packages/patches/pcre-CVE-2017-7186.patch b/gnu/packages/patches/pcre-CVE-2017-7186.patch
deleted file mode 100644
index d23aa10374..0000000000
--- a/gnu/packages/patches/pcre-CVE-2017-7186.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-Patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
-from <https://vcs.pcre.org/pcre?view=revision&revision=1688>.
-
---- trunk/pcre_internal.h 2016/05/21 13:34:44 1649
-+++ trunk/pcre_internal.h 2017/02/24 17:30:30 1688
-@@ -2772,6 +2772,9 @@
- extern const pcre_uint16 PRIV(ucd_stage2)[];
- extern const pcre_uint32 PRIV(ucp_gentype)[];
- extern const pcre_uint32 PRIV(ucp_gbtable)[];
-+#ifdef COMPILE_PCRE32
-+extern const ucd_record PRIV(dummy_ucd_record)[];
-+#endif
- #ifdef SUPPORT_JIT
- extern const int PRIV(ucp_typerange)[];
- #endif
-@@ -2780,9 +2783,15 @@
- /* UCD access macros */
-
- #define UCD_BLOCK_SIZE 128
--#define GET_UCD(ch) (PRIV(ucd_records) + \
-+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
- PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
- UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
-+
-+#ifdef COMPILE_PCRE32
-+#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
-+#else
-+#define GET_UCD(ch) REAL_GET_UCD(ch)
-+#endif
-
- #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
- #define UCD_SCRIPT(ch) GET_UCD(ch)->script
-
---- trunk/pcre_ucd.c 2014/06/19 07:51:39 1490
-+++ trunk/pcre_ucd.c 2017/02/24 17:30:30 1688
-@@ -38,6 +38,20 @@
- const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
- #else
-
-+/* If the 32-bit library is run in non-32-bit mode, character values
-+greater than 0x10ffff may be encountered. For these we set up a
-+special record. */
-+
-+#ifdef COMPILE_PCRE32
-+const ucd_record PRIV(dummy_ucd_record)[] = {{
-+ ucp_Common, /* script */
-+ ucp_Cn, /* type unassigned */
-+ ucp_gbOther, /* grapheme break property */
-+ 0, /* case set */
-+ 0, /* other case */
-+ }};
-+#endif
-+
- /* When recompiling tables with a new Unicode version, please check the
- types in this structure definition from pcre_internal.h (the actual
- field names will be different):