aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/arb-ldconfig.patch22
-rw-r--r--gnu/packages/patches/gnupg-2.1-fix-Y2038-test-failure.patch67
-rw-r--r--gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch32
-rw-r--r--gnu/packages/patches/jacal-fix-texinfo.patch92
-rw-r--r--gnu/packages/patches/kio-CVE-2017-6410.patch53
-rw-r--r--gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch77
-rw-r--r--gnu/packages/patches/matplotlib-setupext-tk.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-5896.patch63
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-5991.patch101
-rw-r--r--gnu/packages/patches/nss-pkgconfig.patch4
-rw-r--r--gnu/packages/patches/pcre2-CVE-2016-3191.patch179
-rw-r--r--gnu/packages/patches/python-dendropy-fix-tests.patch41
-rw-r--r--gnu/packages/patches/python-fake-factory-fix-build-32bit.patch36
-rw-r--r--gnu/packages/patches/python-faker-fix-build-32bit.patch36
-rw-r--r--gnu/packages/patches/python-pandas-skip-failing-tests.patch59
-rw-r--r--gnu/packages/patches/python-pbr-fix-man-page-support.patch28
-rw-r--r--gnu/packages/patches/python-pygit2-disable-network-tests.patch64
-rw-r--r--gnu/packages/patches/python-pyopenssl-skip-network-test.patch50
-rw-r--r--gnu/packages/patches/python-statsmodels-fix-tests.patch224
-rw-r--r--gnu/packages/patches/python2-subprocess32-disable-input-test.patch18
-rw-r--r--gnu/packages/patches/screen-CVE-2017-5618.patch40
-rw-r--r--gnu/packages/patches/shadow-CVE-2017-2616.patch72
-rw-r--r--gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch18
-rw-r--r--gnu/packages/patches/util-linux-CVE-2017-2616.patch65
-rw-r--r--gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch42
-rw-r--r--gnu/packages/patches/vim-CVE-2017-5953.patch18
-rw-r--r--gnu/packages/patches/wxwidgets-fix-windowGTK.patch18
27 files changed, 924 insertions, 629 deletions
diff --git a/gnu/packages/patches/arb-ldconfig.patch b/gnu/packages/patches/arb-ldconfig.patch
deleted file mode 100644
index 478ec5a6f0..0000000000
--- a/gnu/packages/patches/arb-ldconfig.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -u -r arb-2.8.1.orig/configure arb-2.8.1/configure
---- arb-2.8.1.orig/configure 2015-12-31 17:30:01.000000000 +0100
-+++ arb-2.8.1/configure 2016-01-20 16:41:41.336726596 +0100
-@@ -647,6 +647,7 @@
- echo "ARB_SHARED=$SHARED" >> Makefile
- echo "ARB_LIB=$ARB_LIB" >> Makefile
- echo "ARB_LIBNAME=$ARB_LIBNAME" >> Makefile
-+echo "ARB_MAJOR=$ARB_MAJOR" >> Makefile
- echo "ARB_SOLIB=$ARB_SOLIB" >> Makefile
- echo "EXEEXT=$EXEEXT" >> Makefile
- echo "PREFIX=$PREFIX" >> Makefile
-diff -u -r arb-2.8.1.orig/Makefile.in arb-2.8.1/Makefile.in
---- arb-2.8.1.orig/Makefile.in 2015-12-31 17:30:01.000000000 +0100
-+++ arb-2.8.1/Makefile.in 2016-01-20 16:30:32.575298517 +0100
-@@ -101,6 +101,7 @@
- $(LDCONFIG) -n "$(CURDIR)"; \
- fi
- ln -sf "$(ARB_LIB)" "$(ARB_LIBNAME)"; \
-+ ln -sf "$(ARB_LIB)" "$(ARB_LIBNAME).$(ARB_MAJOR)"; \
-
- libarb.a: $(OBJS) $(LIB_SOURCES) $(EXT_SOURCES) $(HEADERS) $(EXT_HEADERS) | build build/interfaces
- $(AT)$(foreach ext, $(EXTENSIONS), $(foreach dir, $(patsubst $(ext)/%.h, %, $(wildcard $(ext)/*.h)), mkdir -p build/$(dir); BUILD_DIR=$(CURDIR)/build/$(dir); export BUILD_DIR; MOD_DIR=$(dir); export MOD_DIR; $(MAKE) -f $(CURDIR)/Makefile.subdirs -C $(ext)/$(dir) static || exit $$?;))
diff --git a/gnu/packages/patches/gnupg-2.1-fix-Y2038-test-failure.patch b/gnu/packages/patches/gnupg-2.1-fix-Y2038-test-failure.patch
new file mode 100644
index 0000000000..b3a198c499
--- /dev/null
+++ b/gnu/packages/patches/gnupg-2.1-fix-Y2038-test-failure.patch
@@ -0,0 +1,67 @@
+Fix a Y2038 test failure on systems where time_t is a signed 32-bit value:
+
+https://bugs.gnupg.org/gnupg/issue2988
+
+Patch copied from upstream source repository:
+
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=de3838372ae3cdecbd83eea2c53c8e2656d93052
+
+From de3838372ae3cdecbd83eea2c53c8e2656d93052 Mon Sep 17 00:00:00 2001
+From: Justus Winter <justus@g10code.com>
+Date: Tue, 7 Mar 2017 12:18:59 +0100
+Subject: [PATCH] tests: Avoid overflowing signed 32 bit time_t.
+
+* tests/openpgp/quick-key-manipulation.scm: Use expiration times in
+the year 2038 instead of 2105 to avoid overflowing 32 bit time_t.
+time_t is used internally to parse the expiraton time from the iso
+timestamp.
+
+GnuPG-bug-id: 2988
+Signed-off-by: Justus Winter <justus@g10code.com>
+---
+ tests/openpgp/quick-key-manipulation.scm | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/tests/openpgp/quick-key-manipulation.scm b/tests/openpgp/quick-key-manipulation.scm
+index 10f0bfe21..08ef62613 100755
+--- a/tests/openpgp/quick-key-manipulation.scm
++++ b/tests/openpgp/quick-key-manipulation.scm
+@@ -125,8 +125,13 @@
+ (default default never)
+ (rsa "sign auth encr" "seconds=600") ;; GPGME uses this
+ (rsa "auth,encr" "2") ;; "without a letter, days is assumed"
+- (rsa "sign" "2105-01-01") ;; "last year GnuPG can represent is 2105"
+- (rsa "sign" "21050101T115500") ;; "last year GnuPG can represent is 2105"
++ ;; Sadly, the timestamp is truncated by the use of time_t on
++ ;; systems where time_t is a signed 32 bit value.
++ (rsa "sign" "2038-01-01") ;; unix millennium
++ (rsa "sign" "20380101T115500") ;; unix millennium
++ ;; Once fixed, we can use later timestamps:
++ ;; (rsa "sign" "2105-01-01") ;; "last year GnuPG can represent is 2105"
++ ;; (rsa "sign" "21050101T115500") ;; "last year GnuPG can represent is 2105"
+ (rsa sign "2d")
+ (rsa1024 sign "2w")
+ (rsa2048 encr "2m")
+@@ -157,7 +162,8 @@
+ (lambda (subkey)
+ (assert (= 1 (:alg subkey)))
+ (assert (string-contains? (:cap subkey) "s"))
+- (assert (time-matches? 4260207600 ;; 2105-01-01
++ (assert (time-matches? 2145916800 ;; 2038-01-01
++ ;; 4260207600 ;; 2105-01-01
+ (string->number (:expire subkey))
+ ;; This is off by 12h, but I guess it just
+ ;; choses the middle of the day.
+@@ -165,7 +171,8 @@
+ (lambda (subkey)
+ (assert (= 1 (:alg subkey)))
+ (assert (string-contains? (:cap subkey) "s"))
+- (assert (time-matches? 4260254100 ;; UTC 2105-01-01 11:55:00
++ (assert (time-matches? 2145959700 ;; UTC 2038-01-01 11:55:00
++ ;; 4260254100 ;; UTC 2105-01-01 11:55:00
+ (string->number (:expire subkey))
+ (minutes->seconds 5))))
+ (lambda (subkey)
+--
+2.12.0
+
diff --git a/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch b/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch
deleted file mode 100644
index 4c6c7ed06e..0000000000
--- a/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-This fixes a test failure on i686.
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=5e2e111627871c566ffc6607eda8f4ef4699d040
-
-From 5e2e111627871c566ffc6607eda8f4ef4699d040 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
-Date: Thu, 2 Feb 2017 14:56:39 +0200
-Subject: [PATCH] multifdsink: Make sure to use a 64 bit integer for the
- units-max property
-
----
- tests/check/elements/multifdsink.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/check/elements/multifdsink.c b/tests/check/elements/multifdsink.c
-index af138cc92..951b1b9fa 100644
---- a/tests/check/elements/multifdsink.c
-+++ b/tests/check/elements/multifdsink.c
-@@ -869,7 +869,7 @@ GST_START_TEST (test_client_kick)
- gint i, initial_buffers = 3, num_buffers = 0;
-
- sink = setup_multifdsink ();
-- g_object_set (sink, "units-max", initial_buffers, NULL);
-+ g_object_set (sink, "units-max", (gint64) initial_buffers, NULL);
-
- fail_if (pipe (pfd1) == -1);
- fail_if (pipe (pfd2) == -1);
---
-2.11.0
-
diff --git a/gnu/packages/patches/jacal-fix-texinfo.patch b/gnu/packages/patches/jacal-fix-texinfo.patch
new file mode 100644
index 0000000000..83e44a3164
--- /dev/null
+++ b/gnu/packages/patches/jacal-fix-texinfo.patch
@@ -0,0 +1,92 @@
+Fix the broken Texinfo in the Jacal package documentation
+
+--- jacal/jacal.texi,orig 2017-02-23 20:35:55.303980444 +0100
++++ jacal/jacal.texi 2017-02-23 20:53:14.539024674 +0100
+@@ -343,7 +343,7 @@
+
+ With the standard input grammar, the precedence of @samp{-} as a prefix
+ behaves strangely. @code{a^-b*c} becomes @code{a^(-b*c)} while
+-@code{@result{a^b*c} (a^b)*c}.
++@code{a^b*c @result{} (a^b)*c}.
+
+ Using @code{divide} to divide a polynomial by an integer does not work.
+
+@@ -675,8 +675,9 @@
+ e1: ---------
+ a
+ @end example
++@end deffn
+
+-@deffnx Command suchthat var exp
++@deffn Command suchthat var exp
+
+ If an expression rather than an equation is given to @code{suchthat}, it
+ is as though the equation @code{@var{exp}=0} was given.
+@@ -688,8 +689,9 @@
+ e2: ---------
+ a
+ @end example
++@end deffn
+
+-@deffnx Operator | var exp_or_eqn
++@deffn Operator | var exp_or_eqn
+
+ An alternative infix notation is also available for @code{suchthat}.
+
+@@ -857,8 +859,9 @@
+
+ Returns the degree of polynomial or equation @var{poly} in variable
+ @var{var}.
++@end deffn
+
+-@deffnx Operator degree poly
++@deffn Operator degree poly
+
+ Returns the total-degree, the degree of its highest degree monomial,
+ of polynomial or equation @var{poly}.
+@@ -1016,10 +1019,12 @@
+ Returns @var{poly1} reduced with respect to @var{poly2} (or @var{eqn})
+ and @var{var}. If @var{poly2} is univariate, the third argument is not
+ needed.
++@end deffn
+
+-@deffnx Command mod poly1 n
++@deffn Command mod poly1 n
+ Returns @var{poly1} with all the coefficients taken modulo @var{n}.
+-@deffnx Command mod poly1
++@end deffn
++@deffn Command mod poly1
+ Returns @var{poly1} with all the coefficients taken modulo the
+ current modulus.
+
+@@ -1220,8 +1225,9 @@
+ e1: -1 2 3 5
+ @end group
+ @end example
++@end deffn
+
+-@deffnx Command factor polyratio
++@deffn Command factor polyratio
+ Given a univariate ratio of polynomials @var{polyratio}, returns a
+ matrix of factors and exponents.
+
+@@ -2028,7 +2034,7 @@
+ formed from the pair-wise products of components of the inputs. For
+ example, for the input tensors @code{x[a,b]} and @code{y[c]}
+ @example
+-@result{z:tmult(x,y);} z[a,b,c] = x[a,b]*y[c]
++z:tmult(x,y); @result{} z[a,b,c] = x[a,b]*y[c]
+ @end example
+
+ With an additional argument, @code{tmult} will produce the inner product
+@@ -2464,8 +2470,9 @@
+ If you do not wish to return to Jacal but really want to terminate the
+ session and return to the operating system, then after typing
+ @code{qed();}, type @code{(slib:exit)} or use @code{quit}.
++@end deffn
+
+-@deffnx Command quit
++@deffn Command quit
+ Exit directly from Jacal to the operating system. You will not be able
+ to continue your Jacal session.
+
diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch
new file mode 100644
index 0000000000..748636f806
--- /dev/null
+++ b/gnu/packages/patches/kio-CVE-2017-6410.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-6410, "Information Leak when accessing https when using a
+malicious PAC file":
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
+https://www.kde.org/info/security/advisory-20170228-1.txt
+
+Patch copied from upstream source repository:
+
+https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+
+From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg@safebreach.com
+CCMAIL: amit.klein@safebreach.com
+CCMAIL: itzik.kotler@safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index a0235f7..2485c54 100644
+--- a/src/kpac/script.cpp
++++ b/src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+ }
+ }
+
++ QUrl cleanUrl = url;
++ cleanUrl.setUserInfo(QString());
++ if (cleanUrl.scheme() == QLatin1String("https")) {
++ cleanUrl.setPath(QString());
++ cleanUrl.setQuery(QString());
++ }
++
+ QScriptValueList args;
+- args << url.url();
+- args << url.host();
++ args << cleanUrl.url();
++ args << cleanUrl.host();
+
+ QScriptValue result = func.call(QScriptValue(), args);
+ if (result.isError()) {
+--
+cgit v0.11.2
+
diff --git a/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch b/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
deleted file mode 100644
index a5fdd7ffff..0000000000
--- a/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix CVE-2016-0739 (Weak Diffie-Hellman secret generation in
-dh_generate_x() and dh_generate_y()).
-
-"Due to a byte/bit confusion, the DH secret was too short. This file was
-completely reworked and will be commited in a future version."
-Source:
-https://git.libssh.org/projects/libssh.git/commit/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86
-
-This patch was created by upstream for libssh-0.7.3, but applied without
-modification to libssh-0.6.3 by Debian. In Guix, we apply it without
-modification to libssh-0.6.5.
-
-References:
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
-https://security-tracker.debian.org/tracker/CVE-2016-0739
-
----
- src/dh.c | 22 +++++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/src/dh.c b/src/dh.c
-index e489a1d..d27b66e 100644
---- a/src/dh.c
-+++ b/src/dh.c
-@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
- }
-
- int dh_generate_x(ssh_session session) {
-+ int keysize;
-+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
-+ keysize = 1023;
-+ } else {
-+ keysize = 2047;
-+ }
- session->next_crypto->x = bignum_new();
- if (session->next_crypto->x == NULL) {
- return -1;
- }
-
- #ifdef HAVE_LIBGCRYPT
-- bignum_rand(session->next_crypto->x, 128);
-+ bignum_rand(session->next_crypto->x, keysize);
- #elif defined HAVE_LIBCRYPTO
-- bignum_rand(session->next_crypto->x, 128, 0, -1);
-+ bignum_rand(session->next_crypto->x, keysize, -1, 0);
- #endif
-
- /* not harder than this */
-@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
-
- /* used by server */
- int dh_generate_y(ssh_session session) {
-- session->next_crypto->y = bignum_new();
-+ int keysize;
-+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
-+ keysize = 1023;
-+ } else {
-+ keysize = 2047;
-+ }
-+ session->next_crypto->y = bignum_new();
- if (session->next_crypto->y == NULL) {
- return -1;
- }
-
- #ifdef HAVE_LIBGCRYPT
-- bignum_rand(session->next_crypto->y, 128);
-+ bignum_rand(session->next_crypto->y, keysize);
- #elif defined HAVE_LIBCRYPTO
-- bignum_rand(session->next_crypto->y, 128, 0, -1);
-+ bignum_rand(session->next_crypto->y, keysize, -1, 0);
- #endif
-
- /* not harder than this */
---
-cgit v0.12
-
diff --git a/gnu/packages/patches/matplotlib-setupext-tk.patch b/gnu/packages/patches/matplotlib-setupext-tk.patch
deleted file mode 100644
index 37c3d686e0..0000000000
--- a/gnu/packages/patches/matplotlib-setupext-tk.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Use 'pkg-config' instead of heuristics to find 'tk' flags.
-
---- matplotlib-1.4.3/setupext.py.orig 2015-12-01 14:21:19.554417453 +0100
-+++ matplotlib-1.4.3/setupext.py 2015-12-02 10:39:47.282363530 +0100
-@@ -1457,7 +1457,7 @@
- p = subprocess.Popen(
- '. %s ; eval echo ${%s}' % (file, varname),
- shell=True,
-- executable="/bin/sh",
-+ executable="sh",
- stdout=subprocess.PIPE)
- result = p.communicate()[0]
- return result.decode('ascii')
-@@ -1601,8 +1601,19 @@
- # of distros.
-
- # Query Tcl/Tk system for library paths and version string
-+ def getoutput(s):
-+ ret = os.popen(s).read().strip()
-+ return ret
- try:
-- tcl_lib_dir, tk_lib_dir, tk_ver = self.query_tcltk()
-+ pkg_config_libs = getoutput('pkg-config --libs-only-L tk').split()
-+ # drop '-L' part of strings
-+ pkg_config_libs = [s[2:] for s in pkg_config_libs]
-+ pkg_config_ver = getoutput('pkg-config --modversion tk')
-+ tk_ver = re.match(r"(\d+.\d+)[\d.]*", pkg_config_ver).group(1)
-+ tcl_lib_dir = next(s for s in pkg_config_libs
-+ if re.match(r".*-tcl-.*", s)) + '/tcl' + tk_ver
-+ tk_lib_dir = next(s for s in pkg_config_libs
-+ if re.match(r".*-tk-.*", s)) + '/tk' + tk_ver
- except:
- tk_ver = ''
- result = self.hardcoded_tcl_config()
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 0000000000..1537ecc896
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ "ldr r4, [r13,#4*22] @ r4 = divXY \n"
+ "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
++ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
+ "18: @ \n"
+ "mov r14,#0 @ r14= v = 0 \n"
+ "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "mul r14,r4, r14 @ r14= v *= divX \n"
+ "mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
+ "strb r14,[r9], #1 @ *d++ = r14 \n"
+- "sub r0, r0, r8 @ s -= back2 \n"
++ "sub r0, r0, r8 @ s -= back4 \n"
+ "subs r5, r5, #1 @ n-- \n"
+ "bgt 18b @ } \n"
+ "21: @ \n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ x += f;
+ if (x > 0)
+ {
++ int back4 = x * n - 1;
+ div = x * y;
+ for (nn = n; nn > 0; nn--)
+ {
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ s -= back5;
+ }
+ *d++ = v / div;
+- s -= back2;
++ s -= back4;
+ }
+ }
+ }
+--
+2.12.0
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 0000000000..1fa6dc3466
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts@artifex.com>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ pdf_run_processor *pr = (pdf_run_processor *)proc;
+ pdf_gstate *gstate = NULL;
+ int oldtop = 0;
++ int oldbot = -1;
+ fz_matrix local_transform = *transform;
+ softmask_save softmask = { NULL };
+ int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ fz_var(cleanup_state);
+ fz_var(gstate);
+ fz_var(oldtop);
++ fz_var(oldbot);
+
+ gparent_save = pr->gparent;
+ pr->gparent = pr->gtop;
++ oldtop = pr->gtop;
+
+ fz_try(ctx)
+ {
+ pdf_gsave(ctx, pr);
+
+ gstate = pr->gstate + pr->gtop;
+- oldtop = pr->gtop;
+
+ pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+ pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+
+ doc = pdf_get_bound_document(ctx, xobj->obj);
+
++ oldbot = pr->gbot;
++ pr->gbot = pr->gtop;
++
+ pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
+ }
+ fz_always(ctx)
+ {
++ /* Undo any gstate mismatches due to the pdf_process_contents call */
++ if (oldbot != -1)
++ {
++ while (pr->gtop > pr->gbot)
++ {
++ pdf_grestore(ctx, pr);
++ }
++ pr->gbot = oldbot;
++ }
++
+ if (cleanup_state >= 3)
+- pdf_grestore(ctx, pr); /* Remove the clippath */
++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+
+ /* wrap up transparency stacks */
+ if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ pr->gparent = gparent_save;
+
+- if (gstate)
+- {
+- while (oldtop < pr->gtop)
+- pdf_grestore(ctx, pr);
+-
++ while (oldtop < pr->gtop)
+ pdf_grestore(ctx, pr);
+- }
+
+ pdf_unmark_obj(ctx, xobj->obj);
+ }
+--
+2.12.0
+
diff --git a/gnu/packages/patches/nss-pkgconfig.patch b/gnu/packages/patches/nss-pkgconfig.patch
index e611f69bea..a33e05fcf2 100644
--- a/gnu/packages/patches/nss-pkgconfig.patch
+++ b/gnu/packages/patches/nss-pkgconfig.patch
@@ -221,5 +221,5 @@ Later adapted to apply cleanly to nss-3.21.
RELEASE = nss
--DIRS = coreconf lib cmd external_tests
-+DIRS = coreconf lib cmd external_tests config
+-DIRS = coreconf lib cmd gtests
++DIRS = coreconf lib cmd gtests config
diff --git a/gnu/packages/patches/pcre2-CVE-2016-3191.patch b/gnu/packages/patches/pcre2-CVE-2016-3191.patch
deleted file mode 100644
index 80f9d3d4f1..0000000000
--- a/gnu/packages/patches/pcre2-CVE-2016-3191.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-Fixes CVE-2016-3191 (remote execution of arbitrary code or denial of
-service (stack-based buffer overflow) via a crafted regular expression).
-
-See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.
-
-This is svn r489 at <svn://vcs.exim.org/pcre2/code>, omitting the
-changes to 'testdata/testoutput8-16-4', which does not exist in the
-source tarball.
-
-git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@489 6239d852-aaf2-0410-a92c-79f79f948069
----
- ChangeLog | 4 ++++
- src/pcre2_compile.c | 16 ++++++++++++++--
- testdata/testinput8 | 2 ++
- testdata/testoutput8-16-2 | 3 +++
- testdata/testoutput8-16-3 | 3 +++
- testdata/testoutput8-16-4 | 3 +++
- testdata/testoutput8-32-2 | 3 +++
- testdata/testoutput8-32-3 | 3 +++
- testdata/testoutput8-32-4 | 3 +++
- testdata/testoutput8-8-2 | 3 +++
- testdata/testoutput8-8-3 | 3 +++
- testdata/testoutput8-8-4 | 3 +++
- 12 files changed, 47 insertions(+), 2 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 3ce0207..65e333e 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -58,6 +58,10 @@ some head-scratching the next time this happens.
- assertion, caused pcre2test to output a very large number of spaces when the
- callout was taken, making the program appearing to loop.
-
-+12. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply
-+nested set of parentheses of sufficient size caused an overflow of the
-+compiling workspace (which was diagnosed, but of course is not desirable).
-+
-
- Version 10.21 12-January-2016
- -----------------------------
-diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
-index e33d620..887fbfd 100644
---- a/src/pcre2_compile.c
-+++ b/src/pcre2_compile.c
-@@ -5901,10 +5901,22 @@ for (;; ptr++)
- goto FAILED;
- }
- cb->had_accept = TRUE;
-+
-+ /* In the first pass, just accumulate the length required;
-+ otherwise hitting (*ACCEPT) inside many nested parentheses can
-+ cause workspace overflow. */
-+
- for (oc = cb->open_caps; oc != NULL; oc = oc->next)
- {
-- *code++ = OP_CLOSE;
-- PUT2INC(code, 0, oc->number);
-+ if (lengthptr != NULL)
-+ {
-+ *lengthptr += CU2BYTES(1) + IMM2_SIZE;
-+ }
-+ else
-+ {
-+ *code++ = OP_CLOSE;
-+ PUT2INC(code, 0, oc->number);
-+ }
- }
- setverb = *code++ =
- (cb->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
-diff --git a/testdata/testinput8 b/testdata/testinput8
-index ca3b1b9..7e2a1f0 100644
---- a/testdata/testinput8
-+++ b/testdata/testinput8
-@@ -182,4 +182,6 @@
-
- /((?1)(?2)(?3)(?4)(?5)(?6)(?7)(?8)(?9)(?9)(?8)(?7)(?6)(?5)(?4)(?3)(?2)(?1)(?0)){2,}()()()()()()()()()/debug
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-16-2 b/testdata/testoutput8-16-2
-index 05669bb..a5e8dec 100644
---- a/testdata/testoutput8-16-2
-+++ b/testdata/testoutput8-16-2
-@@ -1027,4 +1027,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 186 at offset 490: regular expression is too complicated
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-16-3 b/testdata/testoutput8-16-3
-index 31884e1..36133b3 100644
---- a/testdata/testoutput8-16-3
-+++ b/testdata/testoutput8-16-3
-@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-32-2 b/testdata/testoutput8-32-2
-index babd0c7..99c4fad 100644
---- a/testdata/testoutput8-32-2
-+++ b/testdata/testoutput8-32-2
-@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-32-3 b/testdata/testoutput8-32-3
-index babd0c7..99c4fad 100644
---- a/testdata/testoutput8-32-3
-+++ b/testdata/testoutput8-32-3
-@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-32-4 b/testdata/testoutput8-32-4
-index babd0c7..99c4fad 100644
---- a/testdata/testoutput8-32-4
-+++ b/testdata/testoutput8-32-4
-@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-8-2 b/testdata/testoutput8-8-2
-index 6a9aa0a..6dc1f42 100644
---- a/testdata/testoutput8-8-2
-+++ b/testdata/testoutput8-8-2
-@@ -1026,4 +1026,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-8-3 b/testdata/testoutput8-8-3
-index 2fe1168..ae14946 100644
---- a/testdata/testoutput8-8-3
-+++ b/testdata/testoutput8-8-3
-@@ -1024,4 +1024,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
-diff --git a/testdata/testoutput8-8-4 b/testdata/testoutput8-8-4
-index 91993b2..6c79956 100644
---- a/testdata/testoutput8-8-4
-+++ b/testdata/testoutput8-8-4
-@@ -1022,4 +1022,7 @@ Capturing subpattern count = 10
- May match empty string
- Subject length lower bound = 0
-
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: error 114 at offset 509: missing closing parenthesis
-+
- # End of testinput8
---
-2.8.3
-
diff --git a/gnu/packages/patches/python-dendropy-fix-tests.patch b/gnu/packages/patches/python-dendropy-fix-tests.patch
new file mode 100644
index 0000000000..30ab618ff1
--- /dev/null
+++ b/gnu/packages/patches/python-dendropy-fix-tests.patch
@@ -0,0 +1,41 @@
+This patch fixes two test failures. It was downloaded from:
+https://github.com/jeetsukumaran/DendroPy/commit/93f984bba7a6c588a28ca87f4e557ce283809453
+
+From 93f984bba7a6c588a28ca87f4e557ce283809453 Mon Sep 17 00:00:00 2001
+From: jeetsukumaran <jeetsukumaran@gmail.com>
+Date: Tue, 21 Feb 2017 16:41:01 -0500
+Subject: [PATCH] Update to Python 3 container and iteration semantics
+
+---
+ dendropy/dataio/newickreader.py | 3 ++-
+ dendropy/datamodel/treemodel.py | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/dendropy/dataio/newickreader.py b/dendropy/dataio/newickreader.py
+index 6dcf3c5..f978729 100644
+--- a/dendropy/dataio/newickreader.py
++++ b/dendropy/dataio/newickreader.py
+@@ -303,7 +303,8 @@ def tree_iter(self,
+ taxon_symbol_map_fn=taxon_symbol_mapper.require_taxon_for_symbol)
+ yield tree
+ if tree is None:
+- raise StopIteration
++ # raise StopIteration
++ return
+
+ def _read(self,
+ stream,
+diff --git a/dendropy/datamodel/treemodel.py b/dendropy/datamodel/treemodel.py
+index 0ecfe31..73146f0 100644
+--- a/dendropy/datamodel/treemodel.py
++++ b/dendropy/datamodel/treemodel.py
+@@ -772,6 +772,9 @@ def __hash__(self):
+ def __eq__(self, other):
+ return self is other
+
++ def __lt__(self, other):
++ return id(self) < id(other)
++
+ ###########################################################################
+ ### Basic Structure
+
diff --git a/gnu/packages/patches/python-fake-factory-fix-build-32bit.patch b/gnu/packages/patches/python-fake-factory-fix-build-32bit.patch
new file mode 100644
index 0000000000..cb60896fad
--- /dev/null
+++ b/gnu/packages/patches/python-fake-factory-fix-build-32bit.patch
@@ -0,0 +1,36 @@
+These tests fail on 32-bit due to an overflow.
+
+Upstream bug URL: https://github.com/joke2k/faker/issues/408
+
+diff --git a/faker/tests/__init__.py b/faker/tests/__init__.py
+index 6026772..58b6b83 100644
+--- a/faker/tests/__init__.py
++++ b/faker/tests/__init__.py
+@@ -384,7 +384,6 @@ class FactoryTestCase(unittest.TestCase):
+ provider = Provider
+ # test century
+ self.assertTrue(self._datetime_to_time(provider.date_time_this_century(after_now=False)) <= self._datetime_to_time(datetime.datetime.now()))
+- self.assertTrue(self._datetime_to_time(provider.date_time_this_century(before_now=False, after_now=True)) >= self._datetime_to_time(datetime.datetime.now()))
+ # test decade
+ self.assertTrue(self._datetime_to_time(provider.date_time_this_decade(after_now=False)) <= self._datetime_to_time(datetime.datetime.now()))
+ self.assertTrue(self._datetime_to_time(provider.date_time_this_decade(before_now=False, after_now=True)) >= self._datetime_to_time(datetime.datetime.now()))
+@@ -413,8 +412,6 @@ class FactoryTestCase(unittest.TestCase):
+
+ # ensure all methods provide timezone aware datetimes
+ with self.assertRaises(TypeError):
+- provider.date_time_this_century(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now()
+- with self.assertRaises(TypeError):
+ provider.date_time_this_decade(after_now=False, tzinfo=utc) <= datetime.datetime.now()
+ with self.assertRaises(TypeError):
+ provider.date_time_this_year(after_now=False, tzinfo=utc) <= datetime.datetime.now()
+@@ -423,7 +420,6 @@ class FactoryTestCase(unittest.TestCase):
+
+ # test century
+ self.assertTrue(provider.date_time_this_century(after_now=False, tzinfo=utc) <= datetime.datetime.now(utc))
+- self.assertTrue(provider.date_time_this_century(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now(utc))
+ # test decade
+ self.assertTrue(provider.date_time_this_decade(after_now=False, tzinfo=utc) <= datetime.datetime.now(utc))
+ self.assertTrue(provider.date_time_this_decade(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now(utc))
+--
+2.11.1
+
diff --git a/gnu/packages/patches/python-faker-fix-build-32bit.patch b/gnu/packages/patches/python-faker-fix-build-32bit.patch
new file mode 100644
index 0000000000..466b289012
--- /dev/null
+++ b/gnu/packages/patches/python-faker-fix-build-32bit.patch
@@ -0,0 +1,36 @@
+These tests fail on 32-bit due to an overflow.
+
+Upstream bug URL: https://github.com/joke2k/faker/issues/408
+
+diff --git a/tests/__init__.py b/tests/__init__.py
+index 6026772..58b6b83 100644
+--- a/tests/__init__.py
++++ b/tests/__init__.py
+@@ -384,7 +384,6 @@ class FactoryTestCase(unittest.TestCase):
+ provider = Provider
+ # test century
+ self.assertTrue(self._datetime_to_time(provider.date_time_this_century(after_now=False)) <= self._datetime_to_time(datetime.datetime.now()))
+- self.assertTrue(self._datetime_to_time(provider.date_time_this_century(before_now=False, after_now=True)) >= self._datetime_to_time(datetime.datetime.now()))
+ # test decade
+ self.assertTrue(self._datetime_to_time(provider.date_time_this_decade(after_now=False)) <= self._datetime_to_time(datetime.datetime.now()))
+ self.assertTrue(self._datetime_to_time(provider.date_time_this_decade(before_now=False, after_now=True)) >= self._datetime_to_time(datetime.datetime.now()))
+@@ -413,8 +412,6 @@ class FactoryTestCase(unittest.TestCase):
+
+ # ensure all methods provide timezone aware datetimes
+ with self.assertRaises(TypeError):
+- provider.date_time_this_century(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now()
+- with self.assertRaises(TypeError):
+ provider.date_time_this_decade(after_now=False, tzinfo=utc) <= datetime.datetime.now()
+ with self.assertRaises(TypeError):
+ provider.date_time_this_year(after_now=False, tzinfo=utc) <= datetime.datetime.now()
+@@ -423,7 +420,6 @@ class FactoryTestCase(unittest.TestCase):
+
+ # test century
+ self.assertTrue(provider.date_time_this_century(after_now=False, tzinfo=utc) <= datetime.datetime.now(utc))
+- self.assertTrue(provider.date_time_this_century(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now(utc))
+ # test decade
+ self.assertTrue(provider.date_time_this_decade(after_now=False, tzinfo=utc) <= datetime.datetime.now(utc))
+ self.assertTrue(provider.date_time_this_decade(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now(utc))
+--
+2.11.1
+
diff --git a/gnu/packages/patches/python-pandas-skip-failing-tests.patch b/gnu/packages/patches/python-pandas-skip-failing-tests.patch
new file mode 100644
index 0000000000..31fc912d00
--- /dev/null
+++ b/gnu/packages/patches/python-pandas-skip-failing-tests.patch
@@ -0,0 +1,59 @@
+These tests fail on 32bit architectures.
+
+Upstream bug URL: https://github.com/pandas-dev/pandas/issues/14866
+
+--- a/pandas/tests/test_base.py 2017-03-08 17:49:44.422282717 +0100
++++ b/pandas/tests/test_base.py 2017-03-08 17:50:59.476701799 +0100
+@@ -363,30 +363,6 @@
+ self.assertFalse(result.iat[0])
+ self.assertFalse(result.iat[1])
+
+- def test_ndarray_compat_properties(self):
+-
+- for o in self.objs:
+-
+- # check that we work
+- for p in ['shape', 'dtype', 'flags', 'T', 'strides', 'itemsize',
+- 'nbytes']:
+- self.assertIsNotNone(getattr(o, p, None))
+- self.assertTrue(hasattr(o, 'base'))
+-
+- # if we have a datetimelike dtype then needs a view to work
+- # but the user is responsible for that
+- try:
+- self.assertIsNotNone(o.data)
+- except ValueError:
+- pass
+-
+- self.assertRaises(ValueError, o.item) # len > 1
+- self.assertEqual(o.ndim, 1)
+- self.assertEqual(o.size, len(o))
+-
+- self.assertEqual(Index([1]).item(), 1)
+- self.assertEqual(Series([1]).item(), 1)
+-
+ def test_ops(self):
+ for op in ['max', 'min']:
+ for o in self.objs:
+--- a/pandas/tools/tests/test_tile.py 2017-03-08 17:47:39.762261841 +0100
++++ b/pandas/tools/tests/test_tile.py 2017-03-08 17:48:26.831780495 +0100
+@@ -271,19 +271,6 @@
+ np.array([0, 0, 1, 1], dtype=np.int8))
+ tm.assert_numpy_array_equal(bins, np.array([0, 1.5, 3]))
+
+- def test_single_bin(self):
+- # issue 14652
+- expected = Series([0, 0])
+-
+- s = Series([9., 9.])
+- result = cut(s, 1, labels=False)
+- tm.assert_series_equal(result, expected)
+-
+- s = Series([-9., -9.])
+- result = cut(s, 1, labels=False)
+- tm.assert_series_equal(result, expected)
+-
+-
+ def curpath():
+ pth, _ = os.path.split(os.path.abspath(__file__))
+ return pth
diff --git a/gnu/packages/patches/python-pbr-fix-man-page-support.patch b/gnu/packages/patches/python-pbr-fix-man-page-support.patch
new file mode 100644
index 0000000000..b9036f5b01
--- /dev/null
+++ b/gnu/packages/patches/python-pbr-fix-man-page-support.patch
@@ -0,0 +1,28 @@
+See: https://bugs.launchpad.net/oslosphinx/+bug/1661861
+diff -ur orig/pbr-1.10.0/pbr/builddoc.py pbr-1.10.0/pbr/builddoc.py
+--- orig/pbr-1.10.0/pbr/builddoc.py 2016-05-23 21:38:18.000000000 +0200
++++ pbr-1.10.0/pbr/builddoc.py 2017-02-18 14:01:37.424434317 +0100
+@@ -138,7 +138,8 @@
+ sphinx_config.init_values(warnings.warn)
+ else:
+ sphinx_config.init_values()
+- if self.builder == 'man' and len(sphinx_config.man_pages) == 0:
++ if self.builder == 'man' and len(
++ getattr(sphinx_config, 'man_pages', '')) == 0:
+ return
+ app = application.Sphinx(
+ self.source_dir, self.config_dir,
+diff -ur orig/pbr-1.10.0/pbr/util.py pbr-1.10.0/pbr/util.py
+--- orig/pbr-1.10.0/pbr/util.py 2016-05-23 21:38:18.000000000 +0200
++++ pbr-1.10.0/pbr/util.py 2017-02-18 15:36:32.951196795 +0100
+@@ -211,7 +211,9 @@
+ parser.read(path)
+ config = {}
+ for section in parser.sections():
+- config[section] = dict(parser.items(section))
++ config[section] = dict()
++ for k, value in parser.items(section):
++ config[section][k.replace('-', '_')] = value
+
+ # Run setup_hooks, if configured
+ setup_hooks = has_get_option(config, 'global', 'setup_hooks')
diff --git a/gnu/packages/patches/python-pygit2-disable-network-tests.patch b/gnu/packages/patches/python-pygit2-disable-network-tests.patch
new file mode 100644
index 0000000000..e46d244807
--- /dev/null
+++ b/gnu/packages/patches/python-pygit2-disable-network-tests.patch
@@ -0,0 +1,64 @@
+Disable tests trying to look up remote servers.
+
+diff --git a/test/test_credentials.py b/test/test_credentials.py
+index 92482d9..9a281e5 100644
+--- a/test/test_credentials.py
++++ b/test/test_credentials.py
+@@ -68,39 +68,5 @@ class CredentialCreateTest(utils.NoRepoTestCase):
+ self.assertEqual((username, None, None, None), cred.credential_tuple)
+
+
+-class CredentialCallback(utils.RepoTestCase):
+- def test_callback(self):
+- class MyCallbacks(pygit2.RemoteCallbacks):
+- @staticmethod
+- def credentials(url, username, allowed):
+- self.assertTrue(allowed & GIT_CREDTYPE_USERPASS_PLAINTEXT)
+- raise Exception("I don't know the password")
+-
+- url = "https://github.com/github/github"
+- remote = self.repo.create_remote("github", url)
+-
+- self.assertRaises(Exception, lambda: remote.fetch(callbacks=MyCallbacks()))
+-
+- def test_bad_cred_type(self):
+- class MyCallbacks(pygit2.RemoteCallbacks):
+- @staticmethod
+- def credentials(url, username, allowed):
+- self.assertTrue(allowed & GIT_CREDTYPE_USERPASS_PLAINTEXT)
+- return Keypair("git", "foo.pub", "foo", "sekkrit")
+-
+- url = "https://github.com/github/github"
+- remote = self.repo.create_remote("github", url)
+- self.assertRaises(TypeError, lambda: remote.fetch(callbacks=MyCallbacks()))
+-
+-class CallableCredentialTest(utils.RepoTestCase):
+-
+- def test_user_pass(self):
+- credentials = UserPass("libgit2", "libgit2")
+- callbacks = pygit2.RemoteCallbacks(credentials=credentials)
+-
+- url = "https://bitbucket.org/libgit2/testgitrepository.git"
+- remote = self.repo.create_remote("bb", url)
+- remote.fetch(callbacks=callbacks)
+-
+ if __name__ == '__main__':
+ unittest.main()
+diff --git a/test/test_repository.py b/test/test_repository.py
+index cfdf01e..c0d8de4 100644
+--- a/test/test_repository.py
++++ b/test/test_repository.py
+@@ -538,13 +538,6 @@ class CloneRepositoryTest(utils.NoRepoTestCase):
+ self.assertTrue('refs/remotes/custom_remote/master' in repo.listall_references())
+ self.assertIsNotNone(repo.remotes["custom_remote"])
+
+- def test_clone_with_credentials(self):
+- repo = clone_repository(
+- "https://bitbucket.org/libgit2/testgitrepository.git",
+- self._temp_dir, callbacks=pygit2.RemoteCallbacks(credentials=pygit2.UserPass("libgit2", "libgit2")))
+-
+- self.assertFalse(repo.is_empty)
+-
+ def test_clone_with_checkout_branch(self):
+ # create a test case which isolates the remote
+ test_repo = clone_repository('./test/data/testrepo.git',
diff --git a/gnu/packages/patches/python-pyopenssl-skip-network-test.patch b/gnu/packages/patches/python-pyopenssl-skip-network-test.patch
new file mode 100644
index 0000000000..a24eaf69a0
--- /dev/null
+++ b/gnu/packages/patches/python-pyopenssl-skip-network-test.patch
@@ -0,0 +1,50 @@
+This test tries connecting to an external server which is not supported
+in the build environment. See discussion at:
+
+https://lists.gnu.org/archive/html/guix-devel/2016-12/msg00650.html
+
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index ee849fd..60048b8 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1180,40 +1180,6 @@ class ContextTests(TestCase, _LoopbackMixin):
+ TypeError, context.load_verify_locations, None, None, None
+ )
+
+- @pytest.mark.skipif(
+- platform == "win32",
+- reason="set_default_verify_paths appears not to work on Windows. "
+- "See LP#404343 and LP#404344."
+- )
+- def test_set_default_verify_paths(self):
+- """
+- :py:obj:`Context.set_default_verify_paths` causes the
+- platform-specific CA certificate locations to be used for
+- verification purposes.
+- """
+- # Testing this requires a server with a certificate signed by one
+- # of the CAs in the platform CA location. Getting one of those
+- # costs money. Fortunately (or unfortunately, depending on your
+- # perspective), it's easy to think of a public server on the
+- # internet which has such a certificate. Connecting to the network
+- # in a unit test is bad, but it's the only way I can think of to
+- # really test this. -exarkun
+-
+- # Arg, verisign.com doesn't speak anything newer than TLS 1.0
+- context = Context(SSLv23_METHOD)
+- context.set_default_verify_paths()
+- context.set_verify(
+- VERIFY_PEER,
+- lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
+-
+- client = socket()
+- client.connect(("encrypted.google.com", 443))
+- clientSSL = Connection(context, client)
+- clientSSL.set_connect_state()
+- clientSSL.do_handshake()
+- clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")
+- self.assertTrue(clientSSL.recv(1024))
+-
+ def test_set_default_verify_paths_signature(self):
+ """
+ :py:obj:`Context.set_default_verify_paths` takes no arguments and
diff --git a/gnu/packages/patches/python-statsmodels-fix-tests.patch b/gnu/packages/patches/python-statsmodels-fix-tests.patch
index 3315ddbd5f..f910b4b5a5 100644
--- a/gnu/packages/patches/python-statsmodels-fix-tests.patch
+++ b/gnu/packages/patches/python-statsmodels-fix-tests.patch
@@ -1,196 +1,28 @@
-This patch fixes a couple of test failures introduced by changes to the pandas
-package. It was extracted from this pull request:
-
-https://github.com/statsmodels/statsmodels/pull/2675
-
-
-From c9ef60a7bc4407766ab9e9f12c8a6b89013046ee Mon Sep 17 00:00:00 2001
-From: Ralf Gommers <ralf.gommers@gmail.com>
-Date: Tue, 20 Oct 2015 07:34:11 +0200
-Subject: [PATCH 1/4] MAINT: fix use of old_behavior kw for numpy.correlate.
- Was removed in 1.10.0
-
-Numpy PR that removed it: https://github.com/numpy/numpy/pull/5991
-
-Closes gh-2667.
----
- statsmodels/tsa/ar_model.py | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/statsmodels/tsa/ar_model.py b/statsmodels/tsa/ar_model.py
-index 087a9e0..02984bd 100644
---- a/statsmodels/tsa/ar_model.py
-+++ b/statsmodels/tsa/ar_model.py
-@@ -261,10 +261,8 @@ def _presample_varcov(self, params):
-
- Vpinv = np.zeros((p, p), dtype=params.dtype)
- for i in range(1, p1):
-- Vpinv[i-1, i-1:] = np.correlate(params0, params0[:i],
-- old_behavior=False)[:-1]
-- Vpinv[i-1, i-1:] -= np.correlate(params0[-i:], params0,
-- old_behavior=False)[:-1]
-+ Vpinv[i-1, i-1:] = np.correlate(params0, params0[:i],)[:-1]
-+ Vpinv[i-1, i-1:] -= np.correlate(params0[-i:], params0,)[:-1]
-
- Vpinv = Vpinv + Vpinv.T - np.diag(Vpinv.diagonal())
- return Vpinv
-
-From f1dc8979b09bc1736149993f895943b3158ee2db Mon Sep 17 00:00:00 2001
-From: Ralf Gommers <ralf.gommers@gmail.com>
-Date: Wed, 21 Oct 2015 22:05:52 +0200
-Subject: [PATCH 2/4] MAINT: fix graphics module for changes in recent pandas
- versions.
-
----
- statsmodels/graphics/tests/test_mosaicplot.py | 2 +-
- statsmodels/graphics/tests/test_tsaplots.py | 6 +++---
- statsmodels/graphics/tsaplots.py | 2 +-
- 3 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/statsmodels/graphics/tests/test_mosaicplot.py b/statsmodels/graphics/tests/test_mosaicplot.py
-index cb9bbbe..e41020e 100644
---- a/statsmodels/graphics/tests/test_mosaicplot.py
-+++ b/statsmodels/graphics/tests/test_mosaicplot.py
-@@ -113,7 +113,7 @@ def test_mosaic():
- # sort by the marriage quality and give meaningful name
- # [rate_marriage, age, yrs_married, children,
- # religious, educ, occupation, occupation_husb]
-- datas = datas.sort(['rate_marriage', 'religious'])
-+ datas = datas.sort_values(by=['rate_marriage', 'religious'])
- num_to_desc = {1: 'awful', 2: 'bad', 3: 'intermediate',
- 4: 'good', 5: 'wonderful'}
- datas['rate_marriage'] = datas['rate_marriage'].map(num_to_desc)
-diff --git a/statsmodels/graphics/tests/test_tsaplots.py b/statsmodels/graphics/tests/test_tsaplots.py
-index 511f18f..365be82 100644
---- a/statsmodels/graphics/tests/test_tsaplots.py
-+++ b/statsmodels/graphics/tests/test_tsaplots.py
-@@ -1,4 +1,4 @@
--from statsmodels.compat.python import lmap, lzip, map
-+from statsmodels.compat.python import lmap, map
- import numpy as np
- import pandas as pd
- from numpy.testing import dec
-@@ -51,8 +51,8 @@ def test_plot_month():
- dta = sm.datasets.elnino.load_pandas().data
- dta['YEAR'] = dta.YEAR.astype(int).apply(str)
- dta = dta.set_index('YEAR').T.unstack()
-- dates = lmap(lambda x : pd.datetools.parse('1 '+' '.join(x)),
-- dta.index.values)
-+ dates = lmap(lambda x : pd.datetools.parse_time_string('1 '+' '.join(x))[0],
-+ dta.index.values)
-
- # test dates argument
- fig = month_plot(dta.values, dates=dates, ylabel='el nino')
-diff --git a/statsmodels/graphics/tsaplots.py b/statsmodels/graphics/tsaplots.py
-index 3d04692..94626c9 100644
---- a/statsmodels/graphics/tsaplots.py
-+++ b/statsmodels/graphics/tsaplots.py
-@@ -200,7 +200,7 @@ def seasonal_plot(grouped_x, xticklabels, ylabel=None, ax=None):
- ticks = []
- for season, df in grouped_x:
- df = df.copy() # or sort balks for series. may be better way
-- df.sort()
-+ df.sort_values(inplace=True)
- nobs = len(df)
- x_plot = np.arange(start, start + nobs)
- ticks.append(x_plot.mean())
-
-From 4cfbef6af137629c6953f1f025d9cfc781874256 Mon Sep 17 00:00:00 2001
-From: Ralf Gommers <ralf.gommers@gmail.com>
-Date: Wed, 21 Oct 2015 22:15:25 +0200
-Subject: [PATCH 3/4] MAINT: work around pandas breaking backwards compat for
- pandas.version
-
----
- setup.py | 5 ++++-
- statsmodels/tools/testing.py | 6 ++----
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/setup.py b/setup.py
-index 0002840..74aefb8 100644
---- a/setup.py
-+++ b/setup.py
-@@ -134,7 +134,10 @@ def check_dependency_versions(min_versions):
- (spversion, min_versions['scipy']))
-
- try:
-- from pandas.version import short_version as pversion
-+ import pandas
-+ #FIXME: this will break for pandas 1.0.0. Needs elaborate parsing now,
-+ # due to pandas removing version.short_version
-+ pversion = pandas.__version__[:6]
- except ImportError:
- install_requires.append('pandas')
- else:
-diff --git a/statsmodels/tools/testing.py b/statsmodels/tools/testing.py
-index e207e44..643f79f 100644
---- a/statsmodels/tools/testing.py
-+++ b/statsmodels/tools/testing.py
-@@ -16,10 +16,8 @@ def strip_rc(version):
-
-
- def is_pandas_min_version(min_version):
-- '''check whether pandas is at least min_version
-- '''
-- from pandas.version import short_version as pversion
-- return StrictVersion(strip_rc(pversion)) >= min_version
-+ '''check whether pandas is at least min_version '''
-+ return StrictVersion((pandas.__version__[:6])) >= min_version
-
-
- # local copies, all unchanged
-
-From c894c3f4882d570efb517950069d83afa9794db8 Mon Sep 17 00:00:00 2001
-From: Ralf Gommers <ralf.gommers@gmail.com>
-Date: Mon, 26 Oct 2015 20:47:51 +0100
-Subject: [PATCH 4/4] BUG: fix use of Series.sort_values for older pandas.
-
-Some failing tests in the previous commits because older ``pandas`` versions
-don't have ``Series.sort_values``. That method was only added in pandas 0.17,
-in https://github.com/pydata/pandas/pull/10726
----
- statsmodels/graphics/tests/test_mosaicplot.py | 6 +++++-
- statsmodels/graphics/tsaplots.py | 6 +++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/statsmodels/graphics/tests/test_mosaicplot.py b/statsmodels/graphics/tests/test_mosaicplot.py
-index e41020e..2a873e7 100644
---- a/statsmodels/graphics/tests/test_mosaicplot.py
-+++ b/statsmodels/graphics/tests/test_mosaicplot.py
-@@ -113,7 +113,11 @@ def test_mosaic():
- # sort by the marriage quality and give meaningful name
- # [rate_marriage, age, yrs_married, children,
- # religious, educ, occupation, occupation_husb]
-- datas = datas.sort_values(by=['rate_marriage', 'religious'])
-+ if pandas.__version__ < '0.17.0':
-+ datas = datas.sort(['rate_marriage', 'religious'])
-+ else:
-+ datas = datas.sort_values(by=['rate_marriage', 'religious'])
-+
- num_to_desc = {1: 'awful', 2: 'bad', 3: 'intermediate',
- 4: 'good', 5: 'wonderful'}
- datas['rate_marriage'] = datas['rate_marriage'].map(num_to_desc)
-diff --git a/statsmodels/graphics/tsaplots.py b/statsmodels/graphics/tsaplots.py
-index 94626c9..217724f 100644
---- a/statsmodels/graphics/tsaplots.py
-+++ b/statsmodels/graphics/tsaplots.py
-@@ -2,6 +2,7 @@
-
-
- import numpy as np
-+import pandas
-
- from statsmodels.graphics import utils
- from statsmodels.tsa.stattools import acf, pacf
-@@ -200,7 +201,10 @@ def seasonal_plot(grouped_x, xticklabels, ylabel=None, ax=None):
- ticks = []
- for season, df in grouped_x:
- df = df.copy() # or sort balks for series. may be better way
-- df.sort_values(inplace=True)
-+ if pandas.__version__ < '0.17.0':
-+ df.sort()
-+ else:
-+ df.sort_values(inplace=True)
- nobs = len(df)
- x_plot = np.arange(start, start + nobs)
- ticks.append(x_plot.mean())
+This drops a test that fails with numpy 1.12.
+
+Upstream bug URL: https://github.com/statsmodels/statsmodels/issues/3541
+
+--- a/statsmodels/discrete/tests/test_discrete.py 2017-03-06 15:29:19.947343331 +0000
++++ b/statsmodels/discrete/tests/test_discrete.py 2017-03-06 15:29:37.759328845 +0000
+@@ -1329,21 +1329,6 @@
+ res = mod.fit(start_params=-np.ones(4), method='newton', disp=0)
+ assert_(not res.mle_retvals['converged'])
+
+-def test_issue_339():
+- # make sure MNLogit summary works for J != K.
+- data = sm.datasets.anes96.load()
+- exog = data.exog
+- # leave out last exog column
+- exog = exog[:,:-1]
+- exog = sm.add_constant(exog, prepend=True)
+- res1 = sm.MNLogit(data.endog, exog).fit(method="newton", disp=0)
+- # strip the header from the test
+- smry = "\n".join(res1.summary().as_text().split('\n')[9:])
+- cur_dir = os.path.dirname(os.path.abspath(__file__))
+- test_case_file = os.path.join(cur_dir, 'results', 'mn_logit_summary.txt')
+- test_case = open(test_case_file, 'r').read()
+- np.testing.assert_equal(smry, test_case[:-1])
+-
+ def test_issue_341():
+ data = sm.datasets.anes96.load()
+ exog = data.exog
diff --git a/gnu/packages/patches/python2-subprocess32-disable-input-test.patch b/gnu/packages/patches/python2-subprocess32-disable-input-test.patch
new file mode 100644
index 0000000000..05b4eef1ba
--- /dev/null
+++ b/gnu/packages/patches/python2-subprocess32-disable-input-test.patch
@@ -0,0 +1,18 @@
+This test tries to send a KeyboardInterrupt, which does
+not work in the build environment.
+
+--- a/test_subprocess32.py 2017-03-06 22:21:49.334045485 +0100
++++ b/test_subprocess32.py 2017-03-06 22:22:02.490439949 +0100
+@@ -1299,12 +1299,6 @@
+ getattr(p, method)(*args)
+ return p
+
+- def test_send_signal(self):
+- p = self._kill_process('send_signal', signal.SIGINT)
+- _, stderr = p.communicate()
+- self.assertIn('KeyboardInterrupt', stderr)
+- self.assertNotEqual(p.wait(), 0)
+-
+ def test_kill(self):
+ p = self._kill_process('kill')
+ _, stderr = p.communicate()
diff --git a/gnu/packages/patches/screen-CVE-2017-5618.patch b/gnu/packages/patches/screen-CVE-2017-5618.patch
deleted file mode 100644
index 1b95e428c8..0000000000
--- a/gnu/packages/patches/screen-CVE-2017-5618.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fixes CVE-2017-5618 (privilege escalation via opening the logfile when
-screen is installed setuid root):
-
-https://savannah.gnu.org/bugs/?50142
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618
-
-This patch reverts the upstream commit that introduced the bug:
-
-https://git.savannah.gnu.org/cgit/screen.git/commit/?id=5460f5d28c01a9a58e021eb1dffef2965e629d58
-
-From f55b0cc29a0ac2a1c54e8a5e886b7393edd4a76c Mon Sep 17 00:00:00 2001
-From: Leo Famulari <leo@famulari.name>
-Date: Sat, 11 Feb 2017 22:40:24 -0500
-Subject: [PATCH] Revert "adding permissions check for the logfile name"
-
-This reverts commit 5460f5d28c01a9a58e021eb1dffef2965e629d58.
----
- src/screen.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/src/screen.c b/src/screen.c
-index 64650e9..283c305 100644
---- a/src/screen.c
-+++ b/src/screen.c
-@@ -673,12 +673,6 @@ int main(int ac, char** av)
- Panic(0, "-L: logfile name can not start with \"-\" symbol");
- if (strlen(screenlogfile) > PATH_MAX)
- Panic(0, "-L: logfile name too long. (max. %d char)", PATH_MAX);
--
-- FILE *w_check;
-- if ((w_check = fopen(screenlogfile, "w")) == NULL)
-- Panic(0, "-L: logfile name access problem");
-- else
-- fclose(w_check);
- }
- nwin_options.Lflag = 1;
- break;
---
-2.11.1
-
diff --git a/gnu/packages/patches/shadow-CVE-2017-2616.patch b/gnu/packages/patches/shadow-CVE-2017-2616.patch
new file mode 100644
index 0000000000..f88aac40bc
--- /dev/null
+++ b/gnu/packages/patches/shadow-CVE-2017-2616.patch
@@ -0,0 +1,72 @@
+Fix CVE-2017-2616:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
+http://seclists.org/oss-sec/2017/q1/490
+http://seclists.org/oss-sec/2017/q1/474
+
+Patch copied from upstream source repository:
+
+https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
+
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index f20d230..d86aa86 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
++ } else {
++ pid_child = 0;
+ }
+ } while (!stop);
+ }
+
+- if (0 != caught) {
++ if (0 != caught && 0 != pid_child) {
+ (void) fputs ("\n", stderr);
+ (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
+ snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
+
+ (void) signal (SIGALRM, kill_child);
++ (void) signal (SIGCHLD, catch_signals);
+ (void) alarm (2);
+
+- (void) wait (&status);
++ sigemptyset (&ourset);
++ if ((sigaddset (&ourset, SIGALRM) != 0)
++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++ kill_child (0);
++ } else {
++ while (0 == waitpid (pid_child, &status, WNOHANG)) {
++ sigsuspend (&ourset);
++ }
++ pid_child = 0;
++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++ }
++
+ (void) fputs (_(" ...terminated.\n"), stderr);
+ }
+
diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
new file mode 100644
index 0000000000..3a9ae993f6
--- /dev/null
+++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
@@ -0,0 +1,18 @@
+Fix CVE-2016-10243:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243
+
+Patch adapted from upstream commit:
+
+https://www.tug.org/svn/texlive?view=revision&revision=42605
+
+--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604
++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605
+@@ -568,7 +568,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+
+ % we'd like to allow:
diff --git a/gnu/packages/patches/util-linux-CVE-2017-2616.patch b/gnu/packages/patches/util-linux-CVE-2017-2616.patch
new file mode 100644
index 0000000000..2c82fb06d2
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2017-2616.patch
@@ -0,0 +1,65 @@
+Fix CVE-2017-2616:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
+http://seclists.org/oss-sec/2017/q1/474
+
+Patch copied from upstream source repository:
+
+https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=dffab154d29a288aa171ff50263ecc8f2e14a891
+
+From b018571132cb8c9fece3d75ed240cc74cdb5f0f7 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 1 Feb 2017 11:58:09 +0100
+Subject: [PATCH] su: properly clear child PID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported-by: Tobias Stöckmann <tobias@stoeckmann.org>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ login-utils/su-common.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/su-common.c b/login-utils/su-common.c
+index 0ea4e40bd..b1720f037 100644
+--- a/login-utils/su-common.c
++++ b/login-utils/su-common.c
+@@ -376,6 +376,9 @@ create_watching_parent (void)
+ }
+ else
+ status = WEXITSTATUS (status);
++
++ /* child is gone, don't use the PID anymore */
++ child = (pid_t) -1;
+ }
+ else if (caught_signal)
+ status = caught_signal + 128;
+@@ -385,7 +388,7 @@ create_watching_parent (void)
+ else
+ status = 1;
+
+- if (caught_signal)
++ if (caught_signal && child != (pid_t)-1)
+ {
+ fprintf (stderr, _("\nSession terminated, killing shell..."));
+ kill (child, SIGTERM);
+@@ -395,9 +398,12 @@ create_watching_parent (void)
+
+ if (caught_signal)
+ {
+- sleep (2);
+- kill (child, SIGKILL);
+- fprintf (stderr, _(" ...killed.\n"));
++ if (child != (pid_t)-1)
++ {
++ sleep (2);
++ kill (child, SIGKILL);
++ fprintf (stderr, _(" ...killed.\n"));
++ }
+
+ /* Let's terminate itself with the received signal.
+ *
+--
+2.11.1
+
diff --git a/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch b/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch
deleted file mode 100644
index 03093e8330..0000000000
--- a/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix test failures caused by some build machines running more slowly than
-expected, which manifest like this:
-
-------
-> raise FailedHealthCheck(message)
-E hypothesis.errors.FailedHealthCheck: Data generation is extremely slow: Only produced 4 valid examples in 1.08 seconds (1 invalid ones and 0 exceeded maximum size). Try decreasing size of the data you're generating (with e.g.average_size or max_leaves parameters).
-E See http://hypothesis.readthedocs.org/en/latest/healthchecks.html for more information about this. If you want to disable just this health check, add HealthCheck.too_slowto the suppress_health_check settings for this test.
-
-/gnu/store/b8d1r8bilvm3jkncgrpvmg3dni9cgcr1-python-hypothesis-3.1.0/lib/python3.5/site-packages/hypothesis/core.py:296: FailedHealthCheck
-------
-
-Patch copied from upstream source repository:
-
-https://github.com/pimutils/vdirsyncer/commit/10490a12f13f03495e0945eb9d45d7aed9ab0a6c
-
-From 10490a12f13f03495e0945eb9d45d7aed9ab0a6c Mon Sep 17 00:00:00 2001
-From: Markus Unterwaditzer <markus@unterwaditzer.net>
-Date: Sat, 18 Feb 2017 15:45:06 +0100
-Subject: [PATCH] Unconditionally disable HealthCheck.too_slow
-
----
- tests/conftest.py | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tests/conftest.py b/tests/conftest.py
-index e0a07d5..3afd7cd 100644
---- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -26,10 +26,12 @@ def benchmark():
- else:
- del pytest_benchmark
-
-+
-+settings.suppress_health_check = [HealthCheck.too_slow]
-+
- settings.register_profile("ci", settings(
- max_examples=1000,
- verbosity=Verbosity.verbose,
-- suppress_health_check=[HealthCheck.too_slow]
- ))
- settings.register_profile("deterministic", settings(
- derandomize=True,
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch
index 7b66f1bf16..070f98c2cb 100644
--- a/gnu/packages/patches/vim-CVE-2017-5953.patch
+++ b/gnu/packages/patches/vim-CVE-2017-5953.patch
@@ -3,20 +3,28 @@ Fix CVE-2017-5953:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
-Patch adapted from upstream commit, correcting the transcription error
-in the bounds check:
+This change is adapted from the upstream source repository:
-https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
diff --git a/src/spellfile.c b/src/spellfile.c
-index c7d87c6..8b1a3a6 100644
+index c7d87c6..00ef019 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
+@@ -1585,7 +1585,7 @@ spell_read_tree(
+ int prefixtree, /* TRUE for the prefix tree */
+ int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
+ {
+- int len;
++ long len;
+ int idx;
+ char_u *bp;
+ idx_T *ip;
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
-+ if (len >= 0x3fffffff)
++ if (len >= LONG_MAX / (long)sizeof(int))
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
diff --git a/gnu/packages/patches/wxwidgets-fix-windowGTK.patch b/gnu/packages/patches/wxwidgets-fix-windowGTK.patch
new file mode 100644
index 0000000000..1255835d01
--- /dev/null
+++ b/gnu/packages/patches/wxwidgets-fix-windowGTK.patch
@@ -0,0 +1,18 @@
+This patch allow Filezilla client to resize window.
+The patch was adapted from upstream source repository:
+'<http://trac.wxwidgets.org/changeset/4793e5b0a4e189e492287305859b278fed780080/git-wxWidgets>'
+
+--- a/src/gtk/toplevel.cpp 2014-10-06 16:33:44.000000000 -0500
++++ b/src/gtk/toplevel.cpp 2017-02-16 21:33:27.779907810 -0600
+@@ -1216,8 +1216,9 @@
+ int hints_mask = GDK_HINT_MIN_SIZE | GDK_HINT_MAX_SIZE;
+ hints.min_width = 1;
+ hints.min_height = 1;
+- hints.max_width = INT_MAX;
+- hints.max_height = INT_MAX;
++ // using INT_MAX for size will lead to integer overflow with HiDPI scaling
++ hints.max_width = INT_MAX / 16;
++ hints.max_height = INT_MAX / 16;
+ const int decorSize_x = m_decorSize.left + m_decorSize.right;
+ const int decorSize_y = m_decorSize.top + m_decorSize.bottom;
+ if (minSize.x > decorSize_x)