Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/java-jeromq-fix-tests.patch253
-rw-r--r--gnu/packages/patches/java-simple-xml-fix-tests.patch37
-rw-r--r--gnu/packages/patches/lrzip-CVE-2017-8842.patch23
-rw-r--r--gnu/packages/patches/shadow-CVE-2018-7169.patch191
-rw-r--r--gnu/packages/patches/util-linux-CVE-2018-7738.patch49
-rw-r--r--gnu/packages/patches/zsh-CVE-2018-7548.patch48
-rw-r--r--gnu/packages/patches/zsh-CVE-2018-7549.patch56
7 files changed, 657 insertions, 0 deletions
diff --git a/gnu/packages/patches/java-jeromq-fix-tests.patch b/gnu/packages/patches/java-jeromq-fix-tests.patch
new file mode 100644
index 0000000000..5466b92707
--- /dev/null
+++ b/gnu/packages/patches/java-jeromq-fix-tests.patch
@@ -0,0 +1,253 @@
+From 5803aadd3f209eba1ffbb2cf7bf16778019dbee1 Mon Sep 17 00:00:00 2001
+From: fredoboulo <fredoboulo@users.noreply.github.com>
+Date: Fri, 23 Feb 2018 23:55:57 +0100
+Subject: [PATCH] Fix #524 : V1 and V2 protocol downgrades handle received data
+ in handshake buffer
+
+This patch is upstream pull request, see:
+https://gihub.com/zeromq/jeromq/pull/527.
+
+It is merged on commit c2afa9c, and we can drop it on the
+0.4.4 release.
+
+---
+ src/main/java/zmq/io/StreamEngine.java | 21 ++++++++++--
+ src/test/java/zmq/io/AbstractProtocolVersion.java | 41 +++++++++++++----------
+ src/test/java/zmq/io/V0ProtocolTest.java | 12 +++++++
+ src/test/java/zmq/io/V1ProtocolTest.java | 16 +++++++--
+ src/test/java/zmq/io/V2ProtocolTest.java | 16 +++++++--
+ 5 files changed, 81 insertions(+), 25 deletions(-)
+
+diff --git a/src/main/java/zmq/io/StreamEngine.java b/src/main/java/zmq/io/StreamEngine.java
+index b8933c92..fe2f2d8d 100644
+--- a/src/main/java/zmq/io/StreamEngine.java
++++ b/src/main/java/zmq/io/StreamEngine.java
+@@ -816,9 +816,7 @@ private boolean handshake()
+ assert (bufferSize == headerSize);
+
+ // Make sure the decoder sees the data we have already received.
+- greetingRecv.flip();
+- inpos = greetingRecv;
+- insize = greetingRecv.limit();
++ decodeDataAfterHandshake(0);
+
+ // To allow for interoperability with peers that do not forward
+ // their subscriptions, we inject a phantom subscription message
+@@ -846,6 +844,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V1.revision) {
+ }
+ encoder = new V1Encoder(errno, Config.OUT_BATCH_SIZE.getValue());
+ decoder = new V1Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator);
++
++ decodeDataAfterHandshake(V2_GREETING_SIZE);
+ }
+ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) {
+ // ZMTP/2.0 framing.
+@@ -859,6 +859,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) {
+ }
+ encoder = new V2Encoder(errno, Config.OUT_BATCH_SIZE.getValue());
+ decoder = new V2Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator);
++
++ decodeDataAfterHandshake(V2_GREETING_SIZE);
+ }
+ else {
+ zmtpVersion = Protocol.V3;
+@@ -904,6 +906,19 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) {
+ return true;
+ }
+
++ private void decodeDataAfterHandshake(int greetingSize)
++ {
++ final int pos = greetingRecv.position();
++ if (pos > greetingSize) {
++ // data is present after handshake
++ greetingRecv.position(greetingSize).limit(pos);
++
++ // Make sure the decoder sees this extra data.
++ inpos = greetingRecv;
++ insize = greetingRecv.remaining();
++ }
++ }
++
+ private Msg identityMsg()
+ {
+ Msg msg = new Msg(options.identitySize);
+diff --git a/src/test/java/zmq/io/AbstractProtocolVersion.java b/src/test/java/zmq/io/AbstractProtocolVersion.java
+index e60db403..aa06b4a7 100644
+--- a/src/test/java/zmq/io/AbstractProtocolVersion.java
++++ b/src/test/java/zmq/io/AbstractProtocolVersion.java
+@@ -18,15 +18,18 @@
+ import zmq.SocketBase;
+ import zmq.ZError;
+ import zmq.ZMQ;
++import zmq.ZMQ.Event;
+ import zmq.util.Utils;
+
+ public abstract class AbstractProtocolVersion
+ {
++ protected static final int REPETITIONS = 1000;
++
+ static class SocketMonitor extends Thread
+ {
+- private final Ctx ctx;
+- private final String monitorAddr;
+- private final List<ZMQ.Event> events = new ArrayList<>();
++ private final Ctx ctx;
++ private final String monitorAddr;
++ private final ZMQ.Event[] events = new ZMQ.Event[1];
+
+ public SocketMonitor(Ctx ctx, String monitorAddr)
+ {
+@@ -41,15 +44,15 @@ public void run()
+ boolean rc = s.connect(monitorAddr);
+ assertThat(rc, is(true));
+ // Only some of the exceptional events could fire
+- while (true) {
+- ZMQ.Event event = ZMQ.Event.read(s);
+- if (event == null && s.errno() == ZError.ETERM) {
+- break;
+- }
+- assertThat(event, notNullValue());
+-
+- events.add(event);
++
++ ZMQ.Event event = ZMQ.Event.read(s);
++ if (event == null && s.errno() == ZError.ETERM) {
++ s.close();
++ return;
+ }
++ assertThat(event, notNullValue());
++
++ events[0] = event;
+ s.close();
+ }
+ }
+@@ -69,11 +72,12 @@ public void run()
+ boolean rc = ZMQ.setSocketOption(receiver, ZMQ.ZMQ_LINGER, 0);
+ assertThat(rc, is(true));
+
+- SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor");
+- monitor.start();
+ rc = ZMQ.monitorSocket(receiver, "inproc://monitor", ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL);
+ assertThat(rc, is(true));
+
++ SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor");
++ monitor.start();
++
+ rc = ZMQ.bind(receiver, host);
+ assertThat(rc, is(true));
+
+@@ -81,17 +85,18 @@ public void run()
+ OutputStream out = sender.getOutputStream();
+ for (ByteBuffer raw : raws) {
+ out.write(raw.array());
+- ZMQ.msleep(100);
+ }
+
+ Msg msg = ZMQ.recv(receiver, 0);
+ assertThat(msg, notNullValue());
+ assertThat(new String(msg.data(), ZMQ.CHARSET), is(payload));
+
+- ZMQ.msleep(500);
+- assertThat(monitor.events.size(), is(1));
+- assertThat(monitor.events.get(0).event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL));
+- assertThat((Integer) monitor.events.get(0).arg, is(version));
++ monitor.join();
++
++ final Event event = monitor.events[0];
++ assertThat(event, notNullValue());
++ assertThat(event.event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL));
++ assertThat((Integer) event.arg, is(version));
+
+ InputStream in = sender.getInputStream();
+ byte[] data = new byte[255];
+diff --git a/src/test/java/zmq/io/V0ProtocolTest.java b/src/test/java/zmq/io/V0ProtocolTest.java
+index bd547d23..1a5b7aef 100644
+--- a/src/test/java/zmq/io/V0ProtocolTest.java
++++ b/src/test/java/zmq/io/V0ProtocolTest.java
+@@ -10,6 +10,18 @@
+
+ public class V0ProtocolTest extends AbstractProtocolVersion
+ {
++ @Test
++ public void testFixIssue524() throws IOException, InterruptedException
++ {
++ for (int idx = 0; idx < REPETITIONS; ++idx) {
++ if (idx % 100 == 0) {
++ System.out.print(idx + " ");
++ }
++ testProtocolVersion0short();
++ }
++ System.out.println();
++ }
++
+ @Test(timeout = 2000)
+ public void testProtocolVersion0short() throws IOException, InterruptedException
+ {
+diff --git a/src/test/java/zmq/io/V1ProtocolTest.java b/src/test/java/zmq/io/V1ProtocolTest.java
+index e1045f34..764159d0 100644
+--- a/src/test/java/zmq/io/V1ProtocolTest.java
++++ b/src/test/java/zmq/io/V1ProtocolTest.java
+@@ -10,7 +10,19 @@
+
+ public class V1ProtocolTest extends AbstractProtocolVersion
+ {
+- @Test(timeout = 2000)
++ @Test
++ public void testFixIssue524() throws IOException, InterruptedException
++ {
++ for (int idx = 0; idx < REPETITIONS; ++idx) {
++ if (idx % 100 == 0) {
++ System.out.print(idx + " ");
++ }
++ testProtocolVersion1short();
++ }
++ System.out.println();
++ }
++
++ @Test
+ public void testProtocolVersion1short() throws IOException, InterruptedException
+ {
+ List<ByteBuffer> raws = raws(0);
+@@ -25,7 +37,7 @@ public void testProtocolVersion1short() throws IOException, InterruptedException
+ assertProtocolVersion(1, raws, "abcdefg");
+ }
+
+- @Test(timeout = 2000)
++ @Test
+ public void testProtocolVersion1long() throws IOException, InterruptedException
+ {
+ List<ByteBuffer> raws = raws(0);
+diff --git a/src/test/java/zmq/io/V2ProtocolTest.java b/src/test/java/zmq/io/V2ProtocolTest.java
+index d5e64bce..7fda31bc 100644
+--- a/src/test/java/zmq/io/V2ProtocolTest.java
++++ b/src/test/java/zmq/io/V2ProtocolTest.java
+@@ -21,7 +21,19 @@ protected ByteBuffer identity()
+ .put((byte) 0);
+ }
+
+- @Test(timeout = 2000)
++ @Test
++ public void testFixIssue524() throws IOException, InterruptedException
++ {
++ for (int idx = 0; idx < REPETITIONS; ++idx) {
++ if (idx % 100 == 0) {
++ System.out.print(idx + " ");
++ }
++ testProtocolVersion2short();
++ }
++ System.out.println();
++ }
++
++ @Test
+ public void testProtocolVersion2short() throws IOException, InterruptedException
+ {
+ List<ByteBuffer> raws = raws(1);
+@@ -38,7 +50,7 @@ public void testProtocolVersion2short() throws IOException, InterruptedException
+ assertProtocolVersion(2, raws, "abcdefg");
+ }
+
+- @Test(timeout = 2000)
++ @Test
+ public void testProtocolVersion2long() throws IOException, InterruptedException
+ {
+ List<ByteBuffer> raws = raws(1);
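Review bot: The provenance link in this patch's header is misspelled as `https://gihub.com/zeromq/jeromq/pull/527`, so a reader who follows it to compare the patch with upstream lands on a domain that is not GitHub; the line should read `https://github.com/zeromq/jeromq/pull/527`. The merge commit is cited only as the abbreviated `c2afa9c`, and giving the full commit id would make that comparison unambiguous. In the embedded test changes, `@Test(timeout = 2000)` is dropped from the V1 and V2 tests and `monitor.join()` waits without a bound, so if the package runs these tests a stalled handshake would hang the check phase instead of failing it. That part is upstream's code, so it is something to be aware of rather than to change in this copy.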
diff --git a/gnu/packages/patches/java-simple-xml-fix-tests.patch b/gnu/packages/patches/java-simple-xml-fix-tests.patch
new file mode 100644
index 0000000000..6270b87009
--- /dev/null
+++ b/gnu/packages/patches/java-simple-xml-fix-tests.patch
@@ -0,0 +1,37 @@
+From b3b7a305f1278ec414500bf96c4c7a7f634c941b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jens=20Thee=C3=9F?= <theess@subshell.com>
+Date: Thu, 15 Sep 2016 13:08:26 +0200
+Subject: [PATCH] Dictionary uses stable order. This fixes unit tests.
+
+This is upstream pull request #15:
+https://github.com/ngallagher/simplexml/pull/15
+This software is unmaintained, this pull request will no get merged.
+The patch is modified, to match the directory layout of the tarball.
+
+---
+ src/main/java/org/simpleframework/xml/util/Dictionary.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/org/simpleframework/xml/util/Dictionary.java b/src/main/java/org/simpleframework/xml/util/Dictionary.java
+index 077d2514..c7327426 100644
+--- a/src/org/simpleframework/xml/util/Dictionary.java
++++ b/src/org/simpleframework/xml/util/Dictionary.java
+@@ -19,8 +19,8 @@
+ package org.simpleframework.xml.util;
+
+ import java.util.AbstractSet;
+-import java.util.HashMap;
+ import java.util.Iterator;
++import java.util.LinkedHashMap;
+
+ /**
+ * The <code>Dictionary</code> object represents a mapped set of entry
+@@ -134,7 +134,7 @@ public T remove(String name) {
+ *
+ * @see org.simpleframework.xml.util.Entry
+ */
+- private static class Table<T> extends HashMap<String, T> {
++ private static class Table<T> extends LinkedHashMap<String, T> {
+
+ /**
+ * Constructor for the <code>Table</code> object. This will
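Review bot: The embedded diff's headers disagree with each other: the `diff --git` line still names `src/main/java/org/simpleframework/xml/util/Dictionary.java` while the `---`/`+++` lines name `src/org/simpleframework/xml/util/Dictionary.java`. patch(1) reads the `---`/`+++` pair, so the patch should still apply, but the leftover path (also present in the diffstat line above it) is misleading after the layout adjustment the header describes; updating both to the `src/org/...` path keeps the file self-consistent. The header sentence also has a typo, `will no get merged` for `will not get merged`.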
diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
new file mode 100644
index 0000000000..89b4f2f5d9
--- /dev/null
+++ b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
@@ -0,0 +1,23 @@
+From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001
+From: Con Kolivas <kernel@kolivas.org>
+Date: Fri, 9 Mar 2018 17:39:40 +1100
+Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get
+
+---
+ libzpaq/libzpaq.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h
+index 93387da..cbe211d 100644
+--- a/libzpaq/libzpaq.h
++++ b/libzpaq/libzpaq.h
+@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader {
+
+ int get() {
+ if (progress && !(*s_len % 128)) {
+- int pct = (total_len - *s_len) * 100 / total_len;
++ int pct = (total_len > 0) ?
++ (total_len - *s_len) * 100 / total_len : 100;
+
+ if (pct / 10 != *last_pct / 10) {
+ int i;
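Review bot: This patch file has no provenance header, unlike the shadow, util-linux and zsh CVE patches added in the same commit, which open with `Fix CVE-…:`, the CVE link, and `Patch copied from upstream source repository:` followed by the commit URL. Adding the same header above the `From 38386bd482c0…` line, with the CVE-2017-8842 link and the upstream commit URL, would let a later auditor confirm the file matches upstream. The body of `bufRead::get` continues past the end of the embedded hunk, so how `pct` is used afterwards is not visible here.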
diff --git a/gnu/packages/patches/shadow-CVE-2018-7169.patch b/gnu/packages/patches/shadow-CVE-2018-7169.patch
new file mode 100644
index 0000000000..eeae5b9b71
--- /dev/null
+++ b/gnu/packages/patches/shadow-CVE-2018-7169.patch
@@ -0,0 +1,191 @@
+Fix CVE-2018-7169:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169
+
+Patch copied from upstream source repository:
+
+https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0
+
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+ */
+ const char *Prog;
+
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ /* An empty range is invalid */
+ if (range->count == 0)
+ return false;
+
+- /* Test /etc/subgid */
+- if (have_sub_gids(pw->pw_name, range->lower, range->count))
++ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++ *allow_setgroups = true;
+ return true;
++ }
+
+- /* Allow a process to map its own gid */
+- if ((range->count == 1) && (pw->pw_gid == range->lower))
++ /* Allow a process to map its own gid. */
++ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++ /* noop -- if setgroups is enabled already we won't disable it. */
+ return true;
++ }
+
+ return false;
+ }
+
+ static void verify_ranges(struct passwd *pw, int ranges,
+- struct map_range *mappings)
++ struct map_range *mappings, bool *allow_setgroups)
+ {
+ struct map_range *mapping;
+ int idx;
+
+ mapping = mappings;
+ for (idx = 0; idx < ranges; idx++, mapping++) {
+- if (!verify_range(pw, mapping)) {
++ if (!verify_range(pw, mapping, allow_setgroups)) {
+ fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ Prog,
+ mapping->upper,
+@@ -89,6 +94,70 @@ static void usage(void)
+ exit(EXIT_FAILURE);
+ }
+
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++ int setgroups_fd;
++ char *policy, policy_buffer[4096];
++
++ /*
++ * Default is "deny", and any "allow" will out-rank a "deny". We don't
++ * forcefully write an "allow" here because the process we are writing
++ * mappings for may have already set themselves to "deny" (and "allow"
++ * is the default anyway). So allow_setgroups == true is a noop.
++ */
++ policy = "deny\n";
++ if (allow_setgroups)
++ return;
++
++ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++ if (setgroups_fd < 0) {
++ /*
++ * If it's an ENOENT then we are on too old a kernel for the setgroups
++ * code to exist. Emit a warning and bail on this.
++ */
++ if (ENOENT == errno) {
++ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++ goto out;
++ }
++ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++ Prog,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++
++ /*
++ * Check whether the policy is already what we want. /proc/self/setgroups
++ * is write-once, so attempting to write after it's already written to will
++ * fail.
++ */
++ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++ Prog,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ if (!strncmp(policy_buffer, policy, strlen(policy)))
++ goto out;
++
++ /* Write the policy. */
++ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++ Prog,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ if (dprintf(setgroups_fd, "%s", policy) < 0) {
++ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++ Prog,
++ policy,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++
++out:
++ close(setgroups_fd);
++}
++
+ /*
+ * newgidmap - Set the gid_map for the specified process
+ */
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ struct stat st;
+ struct passwd *pw;
+ int written;
++ bool allow_setgroups = false;
+
+ Prog = Basename (argv[0]);
+
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ (unsigned long) getuid ()));
+ return EXIT_FAILURE;
+ }
+-
++
+ /* Get the effective uid and effective gid of the target process */
+ if (fstat(proc_dir_fd, &st) < 0) {
+ fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ if (!mappings)
+ usage();
+
+- verify_ranges(pw, ranges, mappings);
++ verify_ranges(pw, ranges, mappings, &allow_setgroups);
+
++ write_setgroups(proc_dir_fd, allow_setgroups);
+ write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ sub_gid_close();
+
+--
+2.16.2
+
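Review bot: In `write_setgroups`, the byte count returned by `read()` is discarded and `policy_buffer` is never initialised, so after a short or empty read the `strncmp` against `"deny\n"` inspects stack bytes that did not come from the file; a false match would skip the write and leave the target's setgroups policy unchanged, which is the fail-open direction. Keeping the count closes this: `ssize_t n = read(setgroups_fd, policy_buffer, sizeof(policy_buffer));`, the existing error branch on `n < 0`, then `if (n >= (ssize_t) strlen(policy) && !strncmp(policy_buffer, policy, strlen(policy))) goto out;`. The ENOENT branch also jumps to `out:` while `setgroups_fd` is negative, so `close()` is called on an invalid descriptor; a plain `return` there is cleaner. Both are in code copied verbatim from upstream, so they are best reported there rather than altered in this copy.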
diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
new file mode 100644
index 0000000000..080e2f56ba
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-7738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
+
+Patch copied from upstream source repository:
+
+https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
+
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ return 0
+ ;;
+ esac
+- local DEVS_MPOINTS
+- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+- return 0
++
++ local oldifs=$IFS
++ IFS=$'\n'
++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++ IFS=$oldifs
+ }
+ complete -F _umount_module umount
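Review bot: The header labels this a fix for CVE-2018-7738, but the upstream subject and message only talk about escaping spaces, so the file never says why the change is a security fix. As far as the hunk shows, the removed code handed `mount` output to `compgen -W` inside double quotes, and compgen performs shell expansion on its word list, so mount-point names were treated as shell text; the new single-quoted `$(findmnt …)` is expanded once by compgen and its output is not expanded again. A one-line explanation to that effect under the `Fix CVE-2018-7738:` line would help whoever later decides whether the patch can be dropped. On style, `local IFS=$'\n'` would replace the `oldifs` save and restore and would not turn an unset IFS into an empty one.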
diff --git a/gnu/packages/patches/zsh-CVE-2018-7548.patch b/gnu/packages/patches/zsh-CVE-2018-7548.patch
new file mode 100644
index 0000000000..1ee15fad73
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7548.patch
@@ -0,0 +1,48 @@
+Fix CVE-2018-7548:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7548
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
+
+From 110b13e1090bc31ac1352b28adc2d02b6d25a102 Mon Sep 17 00:00:00 2001
+From: Joey Pabalinas <joeypabalinas@gmail.com>
+Date: Tue, 23 Jan 2018 22:28:08 -0800
+Subject: [PATCH] 42313: avoid null-pointer deref when using ${(PA)...} on an
+ empty array result
+
+---
+ ChangeLog | 5 +++++
+ Src/subst.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index d2ba94afc..3037edda4 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,8 @@
+#+2018-01-23 Barton E. Schaefer <schaefer@zsh.org>
+#+
+#+ * Joey Pabalinas: 42313: Src/subst.c: avoid null-pointer deref
+#+ when using ${(PA)...} on an empty array result
+#+
+# 2018-01-23 Oliver Kiddle <okiddle@yahoo.co.uk>
+#
+# * 42317: Completion/Linux/Command/_cryptsetup,
+diff --git a/Src/subst.c b/Src/subst.c
+index d027e3d83..a265a187e 100644
+--- a/Src/subst.c
++++ b/Src/subst.c
+@@ -2430,7 +2430,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
+ val = aval[0];
+ isarr = 0;
+ }
+- s = dyncat(val, s);
++ s = val ? dyncat(val, s) : dupstring(s);
+ /* Now behave po-faced as if it was always like that... */
+ subexp = 0;
+ /*
+--
+2.16.2
+
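Review bot: The embedded ChangeLog section is disabled by prefixing every line with `#`, but nothing in the header says why, and the diffstat above it still lists `ChangeLog | 5 +++++`. A short sentence in the header, for example `The ChangeLog hunk is commented out because it does not apply to the release tarball.` (if that is the reason), would tell the next maintainer that the omission is deliberate and that only `Src/subst.c` is changed. The same applies to zsh-CVE-2018-7549.patch in this commit.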
diff --git a/gnu/packages/patches/zsh-CVE-2018-7549.patch b/gnu/packages/patches/zsh-CVE-2018-7549.patch
new file mode 100644
index 0000000000..abefcdf2f9
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7549.patch
@@ -0,0 +1,56 @@
+Fix CVE-2018-7549:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd
+
+From c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd Mon Sep 17 00:00:00 2001
+From: Stephane Chazelas <stephane.chazelas@gmail.com>
+Date: Fri, 22 Dec 2017 22:17:09 +0000
+Subject: [PATCH] Avoid crash copying empty hash table.
+
+Visible with typeset -p.
+---
+ ChangeLog | 2 ++
+ Src/params.c | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index f74c26b88..e3628cfa7 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,7 @@
+# 2018-01-04 Peter Stephenson <p.stephenson@samsung.com>
+#
+#+ * Stephane: 42159: Src/params.c: avoid crash copying empty hash table.
+#+
+# * Sebastian: 42188: Src/Modules/system.c: It is necessary to
+# close the lock descriptor in some failure cases.
+#
+diff --git a/Src/params.c b/Src/params.c
+index 31ff0445b..de7730ae7 100644
+--- a/Src/params.c
++++ b/Src/params.c
+@@ -549,10 +549,13 @@ scancopyparams(HashNode hn, UNUSED(int flags))
+ HashTable
+ copyparamtable(HashTable ht, char *name)
+ {
+- HashTable nht = newparamtable(ht->hsize, name);
+- outtable = nht;
+- scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
+- outtable = NULL;
++ HashTable nht = 0;
++ if (ht) {
++ nht = newparamtable(ht->hsize, name);
++ outtable = nht;
++ scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
++ outtable = NULL;
++ }
+ return nht;
+ }
+
+--
+2.16.2
+
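Review bot: With this change `copyparamtable` returns a null table when `ht` is null, where the old code dereferenced it; the callers are outside the embedded hunk, so whether each of them tolerates a null result cannot be confirmed from this patch and is worth checking against the zsh version being packaged. On style, `HashTable nht = 0;` would read better as `HashTable nht = NULL;`, matching the `outtable = NULL;` assignment a few lines below. This is upstream's code, so it would be raised there rather than changed in this copy.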