aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-08-04 08:16:38 -0400
committerMark H Weaver <mhw@netris.org>2016-08-04 08:16:38 -0400
commit0832787e5c463c713d8f24fdec0f52900ff1c2bd (patch)
tree5ce20bef711d0d85a22cd041758278d7c176b0f3 /gnu/packages/patches
parent5b098cc4b937c05d6f685772c66e2aa04490710a (diff)
downloadguix-0832787e5c463c713d8f24fdec0f52900ff1c2bd.tar.gz
guix-0832787e5c463c713d8f24fdec0f52900ff1c2bd.zip
Revert "Merge branch 'core-updates'"
This reverts commit 455859a50f88f625d13fc2f304111f02369b366b.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/automake-test-gzip-warning.patch17
-rw-r--r--gnu/packages/patches/dealii-p4est-interface.patch62
-rw-r--r--gnu/packages/patches/dico-idxgcide-bug.patch21
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283-refix.patch27
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283.patch89
-rw-r--r--gnu/packages/patches/glibc-CVE-2015-7547.patch559
-rw-r--r--gnu/packages/patches/glibc-hurd-extern-inline.patch35
-rw-r--r--gnu/packages/patches/glibc-locale-incompatibility.patch23
-rw-r--r--gnu/packages/patches/glibc-locales.patch6
-rw-r--r--gnu/packages/patches/libarchive-CVE-2013-0211.patch21
-rw-r--r--gnu/packages/patches/libarchive-CVE-2016-1541.patch67
-rw-r--r--gnu/packages/patches/libarchive-bsdtar-test.patch74
-rw-r--r--gnu/packages/patches/libarchive-fix-lzo-test-case.patch83
-rw-r--r--gnu/packages/patches/libarchive-mtree-filename-length-fix.patch18
-rw-r--r--gnu/packages/patches/libpthread-glibc-preparation.patch146
-rw-r--r--gnu/packages/patches/libxslt-CVE-2015-7995.patch29
-rw-r--r--gnu/packages/patches/libxslt-generated-ids.patch173
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-8629.patch51
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-8630.patch81
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-8631.patch576
-rw-r--r--gnu/packages/patches/mit-krb5-init-context-null-spnego.patch49
-rw-r--r--gnu/packages/patches/procps-non-linux.patch40
-rw-r--r--gnu/packages/patches/rapicorn-isnan.patch87
-rw-r--r--gnu/packages/patches/tar-d_ino_in_dirent-fix.patch33
24 files changed, 2014 insertions, 353 deletions
diff --git a/gnu/packages/patches/automake-test-gzip-warning.patch b/gnu/packages/patches/automake-test-gzip-warning.patch
deleted file mode 100644
index bcc9c207ae..0000000000
--- a/gnu/packages/patches/automake-test-gzip-warning.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Adjust test to ignore gzip 1.8+ warnings.
-
---- automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh 2016-06-14 00:36:26.554218552 +0200
-+++ automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh 2016-06-14 00:37:52.903157770 +0200
-@@ -49,7 +49,11 @@ grep "cannot find sources.* in foobar" s
-
- ./configure
- run_make -E -O distcheck
--test ! -s stderr
-+
-+# Gzip 1.8+ emits warnings like "gzip: warning: GZIP environment
-+# variable is deprecated"; filter them out.
-+test `grep -v '^gzip: warning' stderr | wc -l` -eq 0
-+
- # Sanity check: the flags have been actually seen.
- $PERL -e 'undef $/; $_ = <>; s/ \\\n/ /g; print;' <stdout >t
- grep '/configure .* --srcdir am-src' t || exit 99
diff --git a/gnu/packages/patches/dealii-p4est-interface.patch b/gnu/packages/patches/dealii-p4est-interface.patch
new file mode 100644
index 0000000000..4c4125d16c
--- /dev/null
+++ b/gnu/packages/patches/dealii-p4est-interface.patch
@@ -0,0 +1,62 @@
+From upstream commit f764598c.
+
+The p4est_connectivity_load function used to take an unsigned long as argument,
+but this has been changed to size_t in p4est 1.0. This makes no difference on
+64 bit systems, but leads to compiler errors on 32 bit systems. Fix this.
+
+--- a/source/distributed/tria.cc
++++ b/source/distributed/tria.cc
+@@ -204,7 +204,11 @@ namespace internal
+ static
+ int (&connectivity_is_valid) (types<2>::connectivity *connectivity);
+
+-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0)
++ static
++ types<2>::connectivity *(&connectivity_load) (const char *filename,
++ size_t *length);
++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
+ static
+ types<2>::connectivity *(&connectivity_load) (const char *filename,
+ long unsigned *length);
+@@ -384,7 +388,12 @@ namespace internal
+ *connectivity)
+ = p4est_connectivity_is_valid;
+
+-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0)
++ types<2>::connectivity *
++ (&functions<2>::connectivity_load) (const char *filename,
++ size_t *length)
++ = p4est_connectivity_load;
++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
+ types<2>::connectivity *
+ (&functions<2>::connectivity_load) (const char *filename,
+ long unsigned *length)
+@@ -564,7 +573,11 @@ namespace internal
+ static
+ int (&connectivity_is_valid) (types<3>::connectivity *connectivity);
+
+-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0)
++ static
++ types<3>::connectivity *(&connectivity_load) (const char *filename,
++ size_t *length);
++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
+ static
+ types<3>::connectivity *(&connectivity_load) (const char *filename,
+ long unsigned *length);
+@@ -747,7 +760,12 @@ namespace internal
+ *connectivity)
+ = p8est_connectivity_is_valid;
+
+-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0)
++ types<3>::connectivity *
++ (&functions<3>::connectivity_load) (const char *filename,
++ size_t *length)
++ = p8est_connectivity_load;
++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3)
+ types<3>::connectivity *
+ (&functions<3>::connectivity_load) (const char *filename,
+ long unsigned *length)
diff --git a/gnu/packages/patches/dico-idxgcide-bug.patch b/gnu/packages/patches/dico-idxgcide-bug.patch
deleted file mode 100644
index 28cc8a6a08..0000000000
--- a/gnu/packages/patches/dico-idxgcide-bug.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Reported at <http://mail.gnu.org.ua/archives/bug-dico/2016-07/msg00000.html>.
-Patch the .c file to avoid depending on Flex.
-
-commit 4599abbda3b5979367138ea098e435c919fe93fc
-Author: Sergey Poznyakoff <gray@gnu.org>
-Date: Thu Jul 28 14:09:58 2016 +0300
-
- Bugfix
-
- * modules/gcide/idxgcide.l (main): Initialize ipg_header.
-
---- dico-2.2/modules/gcide/idxgcide.c 2016-07-28 14:15:07.823587004 +0200
-+++ dico-2.2/modules/gcide/idxgcide.c 2016-07-28 14:15:09.435600549 +0200
-@@ -2497,6 +2497,7 @@ main(int argc, char **argv)
- dico_log(L_ERR, 0, _("not enough memory"));
- exit(EX_UNAVAILABLE);
- }
-+ idx_page->ipg_header.hdr.phdr_numentries = 0;
- idx_page->ipg_header.hdr.phdr_text_offset = idx_header.ihdr_pagesize / 2;
-
- idx_header.ihdr_maxpageref = idx_header.ihdr_pagesize / 2 /
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
index fc8d6291f5..af5e3bcc3e 100644
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
@@ -1,39 +1,42 @@
-Follow-up upstream fix for CVE-2015-1283 to not rely on undefined
-behavior.
+Update previous fix for CVE-2015-1283 to not rely on undefined behavior.
-Adapted from a patch from Debian (found in Debian package version
-2.1.0-6+deb8u2) to apply to upstream code:
+Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
+From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
+From: Pascal Cuoq <cuoq@trust-in-soft.com>
+Date: Sun, 15 May 2016 09:05:46 +0200
+Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix.
+
---
- lib/xmlparse.c | 6 ++++--
+ expat/lib/xmlparse.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 0f6f4cd..5c70c17 100644
+index 13e080d..cdb12ef 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
-@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+@@ -1695,7 +1695,8 @@ XML_GetBuffer(XML_Parser parser, int len
}
if (len > bufferLim - bufferEnd) {
- int neededSize = len + (int)(bufferEnd - bufferPtr);
+ /* Do not invoke signed arithmetic overflow: */
+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
+ /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
if (neededSize < 0) {
errorCode = XML_ERROR_NO_MEMORY;
- return NULL;
-@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+@@ -1729,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len
if (bufferSize == 0)
bufferSize = INIT_BUFFER_SIZE;
do {
- bufferSize *= 2;
+ /* Do not invoke signed arithmetic overflow: */
+ bufferSize = (int) (2U * (unsigned) bufferSize);
+ /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
} while (bufferSize < neededSize && bufferSize > 0);
- if (bufferSize <= 0) {
- errorCode = XML_ERROR_NO_MEMORY;
+ /* END MOZILLA CHANGE */
--
-2.8.3
+2.8.2
diff --git a/gnu/packages/patches/expat-CVE-2015-1283.patch b/gnu/packages/patches/expat-CVE-2015-1283.patch
new file mode 100644
index 0000000000..f9065bea16
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2015-1283.patch
@@ -0,0 +1,89 @@
+Copied from Debian.
+
+Description: fix multiple integer overflows in the XML_GetBuffer function
+ Multiple integer overflows in the XML_GetBuffer function in Expat through
+ 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products,
+ allow remote attackers to cause a denial of service (heap-based buffer
+ overflow) or possibly have unspecified other impact via crafted XML data,
+ a related issue to CVE-2015-2716.
+Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
+Author: Eric Rahm <erahm@mozilla.com>
+Forwarded: not-needed
+Last-Update: 2015-07-24
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l
+ XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+ positionPtr = bufferPtr;
+ return result;
+ }
+
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+ return NULL;
+ case XML_FINISHED:
+ errorCode = XML_ERROR_FINISHED;
+ return NULL;
+ default: ;
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize <= bufferLim - buffer) {
+@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len
+ }
+ else {
+ char *newBuf;
+ int bufferSize = (int)(bufferLim - bufferPtr);
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+ bufferLim = newBuf + bufferSize;
+ #ifdef XML_CONTEXT_BYTES
+ if (bufferPtr) {
+
+
+
+
diff --git a/gnu/packages/patches/glibc-CVE-2015-7547.patch b/gnu/packages/patches/glibc-CVE-2015-7547.patch
new file mode 100644
index 0000000000..9a0909af74
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2015-7547.patch
@@ -0,0 +1,559 @@
+Copied from Fedora:
+http://pkgs.fedoraproject.org/cgit/rpms/glibc.git/tree/glibc-CVE-2015-7547.patch?h=f23&id=9f1734eb6ce3257b788d6e9203572e8204c6c584
+
+Adapted to apply cleanly to glibc-2.22.
+
+Index: b/resolv/nss_dns/dns-host.c
+===================================================================
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an
+ int h_namelen = 0;
+
+ if (ancount == 0)
+- return NSS_STATUS_NOTFOUND;
++ {
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++ }
+
+ while (ancount-- > 0 && cp < end_of_message && had_error == 0)
+ {
+@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an
+ /* Special case here: if the resolver sent a result but it only
+ contains a CNAME while we are looking for a T_A or T_AAAA record,
+ we fail with NOTFOUND instead of TRYAGAIN. */
+- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
++ if (canon != NULL)
++ {
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++ }
++
++ *h_errnop = NETDB_INTERNAL;
++ return NSS_STATUS_TRYAGAIN;
+ }
+
+
+@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1,
+
+ enum nss_status status = NSS_STATUS_NOTFOUND;
+
++ /* Combining the NSS status of two distinct queries requires some
++ compromise and attention to symmetry (A or AAAA queries can be
++ returned in any order). What follows is a breakdown of how this
++ code is expected to work and why. We discuss only SUCCESS,
++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
++ that apply (though RETURN and MERGE exist). We make a distinction
++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
++ A recoverable TRYAGAIN is almost always due to buffer size issues
++ and returns ERANGE in errno and the caller is expected to retry
++ with a larger buffer.
++
++ Lastly, you may be tempted to make significant changes to the
++ conditions in this code to bring about symmetry between responses.
++ Please don't change anything without due consideration for
++ expected application behaviour. Some of the synthesized responses
++ aren't very well thought out and sometimes appear to imply that
++ IPv4 responses are always answer 1, and IPv6 responses are always
++ answer 2, but that's not true (see the implemetnation of send_dg
++ and send_vc to see response can arrive in any order, particlarly
++ for UDP). However, we expect it holds roughly enough of the time
++ that this code works, but certainly needs to be fixed to make this
++ a more robust implementation.
++
++ ----------------------------------------------
++ | Answer 1 Status / | Synthesized | Reason |
++ | Answer 2 Status | Status | |
++ |--------------------------------------------|
++ | SUCCESS/SUCCESS | SUCCESS | [1] |
++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] |
++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] |
++ | SUCCESS/NOTFOUND | SUCCESS | [1] |
++ | SUCCESS/UNAVAIL | SUCCESS | [1] |
++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] |
++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] |
++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] |
++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] |
++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] |
++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] |
++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] |
++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] |
++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] |
++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] |
++ | NOTFOUND/SUCCESS | SUCCESS | [3] |
++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] |
++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] |
++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] |
++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] |
++ | UNAVAIL/SUCCESS | UNAVAIL | [4] |
++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] |
++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] |
++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] |
++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] |
++ ----------------------------------------------
++
++ [1] If the first response is a success we return success.
++ This ignores the state of the second answer and in fact
++ incorrectly sets errno and h_errno to that of the second
++ answer. However because the response is a success we ignore
++ *errnop and *h_errnop (though that means you touched errno on
++ success). We are being conservative here and returning the
++ likely IPv4 response in the first answer as a success.
++
++ [2] If the first response is a recoverable TRYAGAIN we return
++ that instead of looking at the second response. The
++ expectation here is that we have failed to get an IPv4 response
++ and should retry both queries.
++
++ [3] If the first response was not a SUCCESS and the second
++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
++ result from the second response, otherwise the first responses
++ status is used. Again we have some odd side-effects when the
++ second response is NOTFOUND because we overwrite *errnop and
++ *h_errnop that means that a first answer of NOTFOUND might see
++ its *errnop and *h_errnop values altered. Whether it matters
++ in practice that a first response NOTFOUND has the wrong
++ *errnop and *h_errnop is undecided.
++
++ [4] If the first response is UNAVAIL we return that instead of
++ looking at the second response. The expectation here is that
++ it will have failed similarly e.g. configuration failure.
++
++ [5] Testing this code is complicated by the fact that truncated
++ second response buffers might be returned as SUCCESS if the
++ first answer is a SUCCESS. To fix this we add symmetry to
++ TRYAGAIN with the second response. If the second response
++ is a recoverable error we now return TRYAGIN even if the first
++ response was SUCCESS. */
++
+ if (anslen1 > 0)
+ status = gaih_getanswer_slice(answer1, anslen1, qname,
+ &pat, &buffer, &buflen,
+ errnop, h_errnop, ttlp,
+ &first);
++
+ if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
+ || (status == NSS_STATUS_TRYAGAIN
+ /* We want to look at the second answer in case of an
+@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1,
+ &pat, &buffer, &buflen,
+ errnop, h_errnop, ttlp,
+ &first);
++ /* Use the second response status in some cases. */
+ if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
+ status = status2;
++ /* Do not return a truncated second response (unless it was
++ unavoidable e.g. unrecoverable TRYAGAIN). */
++ if (status == NSS_STATUS_SUCCESS
++ && (status2 == NSS_STATUS_TRYAGAIN
++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
++ status = NSS_STATUS_TRYAGAIN;
+ }
+
+ return status;
+Index: b/resolv/res_query.c
+===================================================================
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+ }
+@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+
+@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+ if (saved_herrno != -1)
+Index: b/resolv/res_send.c
+===================================================================
+--- a/resolv/res_send.c
++++ b/resolv/res_send.c
+@@ -1,3 +1,20 @@
++/* Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
+ /*
+ * Copyright (c) 1985, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+@@ -361,6 +378,8 @@ __libc_res_nsend(res_state statp, const
+ #ifdef USE_HOOKS
+ if (__glibc_unlikely (statp->qhook || statp->rhook)) {
+ if (anssiz < MAXPACKET && ansp) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *buf = malloc (MAXPACKET);
+ if (buf == NULL)
+ return (-1);
+@@ -660,6 +679,77 @@ libresolv_hidden_def (res_nsend)
+
+ /* Private */
+
++/* The send_vc function is responsible for sending a DNS query over TCP
++ to the nameserver numbered NS from the res_state STATP i.e.
++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and
++ IPv6 queries at the same serially on the same socket.
++
++ Please note that for TCP there is no way to disable sending both
++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
++ and sends the queries serially and waits for the result after each
++ sent query. This implemetnation should be corrected to honour these
++ options.
++
++ Please also note that for TCP we send both queries over the same
++ socket one after another. This technically violates best practice
++ since the server is allowed to read the first query, respond, and
++ then close the socket (to service another client). If the server
++ does this, then the remaining second query in the socket data buffer
++ will cause the server to send the client an RST which will arrive
++ asynchronously and the client's OS will likely tear down the socket
++ receive buffer resulting in a potentially short read and lost
++ response data. This will force the client to retry the query again,
++ and this process may repeat until all servers and connection resets
++ are exhausted and then the query will fail. It's not known if this
++ happens with any frequency in real DNS server implementations. This
++ implementation should be corrected to use two sockets by default for
++ parallel queries.
++
++ The query stored in BUF of BUFLEN length is sent first followed by
++ the query stored in BUF2 of BUFLEN2 length. Queries are sent
++ serially on the same socket.
++
++ Answers to the query are stored firstly in *ANSP up to a max of
++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
++ is non-NULL (to indicate that modifying the answer buffer is allowed)
++ then malloc is used to allocate a new response buffer and ANSCP and
++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
++ are needed but ANSCP is NULL, then as much of the response as
++ possible is read into the buffer, but the results will be truncated.
++ When truncation happens because of a small answer buffer the DNS
++ packets header feild TC will bet set to 1, indicating a truncated
++ message and the rest of the socket data will be read and discarded.
++
++ Answers to the query are stored secondly in *ANSP2 up to a max of
++ *ANSSIZP2 bytes, with the actual response length stored in
++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
++ is non-NULL (required for a second query) then malloc is used to
++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++ size and *ANSP2_MALLOCED is set to 1.
++
++ The ANSP2_MALLOCED argument will eventually be removed as the
++ change in buffer pointer can be used to detect the buffer has
++ changed and that the caller should use free on the new buffer.
++
++ Note that the answers may arrive in any order from the server and
++ therefore the first and second answer buffers may not correspond to
++ the first and second queries.
++
++ It is not supported to call this function with a non-NULL ANSP2
++ but a NULL ANSCP. Put another way, you can call send_vc with a
++ single unmodifiable buffer or two modifiable buffers, but no other
++ combination is supported.
++
++ It is the caller's responsibility to free the malloc allocated
++ buffers by detecting that the pointers have changed from their
++ original values i.e. *ANSCP or *ANSP2 has changed.
++
++ If errors are encountered then *TERRNO is set to an appropriate
++ errno value and a zero result is returned for a recoverable error,
++ and a less-than zero result is returned for a non-recoverable error.
++
++ If no errors are encountered then *TERRNO is left unmodified and
++ a the length of the first response in bytes is returned. */
+ static int
+ send_vc(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -669,11 +759,7 @@ send_vc(res_state statp,
+ {
+ const HEADER *hp = (HEADER *) buf;
+ const HEADER *hp2 = (HEADER *) buf2;
+- u_char *ans = *ansp;
+- int orig_anssizp = *anssizp;
+- // XXX REMOVE
+- // int anssiz = *anssizp;
+- HEADER *anhp = (HEADER *) ans;
++ HEADER *anhp = (HEADER *) *ansp;
+ struct sockaddr *nsap = get_nsaddr (statp, ns);
+ int truncating, connreset, n;
+ /* On some architectures compiler might emit a warning indicating
+@@ -766,6 +852,8 @@ send_vc(res_state statp,
+ * Receive length & response
+ */
+ int recvresp1 = 0;
++ /* Skip the second response if there is no second query.
++ To do that we mark the second response as received. */
+ int recvresp2 = buf2 == NULL;
+ uint16_t rlen16;
+ read_len:
+@@ -802,40 +890,14 @@ send_vc(res_state statp,
+ u_char **thisansp;
+ int *thisresplenp;
+ if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++ /* We have not received any responses
++ yet or we only have one response to
++ receive. */
+ thisanssizp = anssizp;
+ thisansp = anscp ?: ansp;
+ assert (anscp != NULL || ansp2 == NULL);
+ thisresplenp = &resplen;
+ } else {
+- if (*anssizp != MAXPACKET) {
+- /* No buffer allocated for the first
+- reply. We can try to use the rest
+- of the user-provided buffer. */
+-#if __GNUC_PREREQ (4, 7)
+- DIAG_PUSH_NEEDS_COMMENT;
+- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+-#endif
+-#if _STRING_ARCH_unaligned
+- *anssizp2 = orig_anssizp - resplen;
+- *ansp2 = *ansp + resplen;
+-#else
+- int aligned_resplen
+- = ((resplen + __alignof__ (HEADER) - 1)
+- & ~(__alignof__ (HEADER) - 1));
+- *anssizp2 = orig_anssizp - aligned_resplen;
+- *ansp2 = *ansp + aligned_resplen;
+-#endif
+-#if __GNUC_PREREQ (4, 7)
+- DIAG_POP_NEEDS_COMMENT;
+-#endif
+- } else {
+- /* The first reply did not fit into the
+- user-provided buffer. Maybe the second
+- answer will. */
+- *anssizp2 = orig_anssizp;
+- *ansp2 = *ansp;
+- }
+-
+ thisanssizp = anssizp2;
+ thisansp = ansp2;
+ thisresplenp = resplen2;
+@@ -843,10 +905,14 @@ send_vc(res_state statp,
+ anhp = (HEADER *) *thisansp;
+
+ *thisresplenp = rlen;
+- if (rlen > *thisanssizp) {
+- /* Yes, we test ANSCP here. If we have two buffers
+- both will be allocatable. */
+- if (__glibc_likely (anscp != NULL)) {
++ /* Is the answer buffer too small? */
++ if (*thisanssizp < rlen) {
++ /* If the current buffer is non-NULL and it's not
++ pointing at the static user-supplied buffer then
++ we can reallocate it. */
++ if (thisansp != NULL && thisansp != ansp) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *newp = malloc (MAXPACKET);
+ if (newp == NULL) {
+ *terrno = ENOMEM;
+@@ -858,6 +924,9 @@ send_vc(res_state statp,
+ if (thisansp == ansp2)
+ *ansp2_malloced = 1;
+ anhp = (HEADER *) newp;
++ /* A uint16_t can't be larger than MAXPACKET
++ thus it's safe to allocate MAXPACKET but
++ read RLEN bytes instead. */
+ len = rlen;
+ } else {
+ Dprint(statp->options & RES_DEBUG,
+@@ -1021,6 +1090,66 @@ reopen (res_state statp, int *terrno, in
+ return 1;
+ }
+
++/* The send_dg function is responsible for sending a DNS query over UDP
++ to the nameserver numbered NS from the res_state STATP i.e.
++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries
++ along with the ability to send the query in parallel for both stacks
++ (default) or serially (RES_SINGLKUP). It also supports serial lookup
++ with a close and reopen of the socket used to talk to the server
++ (RES_SNGLKUPREOP) to work around broken name servers.
++
++ The query stored in BUF of BUFLEN length is sent first followed by
++ the query stored in BUF2 of BUFLEN2 length. Queries are sent
++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
++
++ Answers to the query are stored firstly in *ANSP up to a max of
++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
++ is non-NULL (to indicate that modifying the answer buffer is allowed)
++ then malloc is used to allocate a new response buffer and ANSCP and
++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
++ are needed but ANSCP is NULL, then as much of the response as
++ possible is read into the buffer, but the results will be truncated.
++ When truncation happens because of a small answer buffer the DNS
++ packets header feild TC will bet set to 1, indicating a truncated
++ message, while the rest of the UDP packet is discarded.
++
++ Answers to the query are stored secondly in *ANSP2 up to a max of
++ *ANSSIZP2 bytes, with the actual response length stored in
++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
++ is non-NULL (required for a second query) then malloc is used to
++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++ size and *ANSP2_MALLOCED is set to 1.
++
++ The ANSP2_MALLOCED argument will eventually be removed as the
++ change in buffer pointer can be used to detect the buffer has
++ changed and that the caller should use free on the new buffer.
++
++ Note that the answers may arrive in any order from the server and
++ therefore the first and second answer buffers may not correspond to
++ the first and second queries.
++
++ It is not supported to call this function with a non-NULL ANSP2
++ but a NULL ANSCP. Put another way, you can call send_vc with a
++ single unmodifiable buffer or two modifiable buffers, but no other
++ combination is supported.
++
++ It is the caller's responsibility to free the malloc allocated
++ buffers by detecting that the pointers have changed from their
++ original values i.e. *ANSCP or *ANSP2 has changed.
++
++ If an answer is truncated because of UDP datagram DNS limits then
++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1
++ if any progress was made reading a response from the nameserver and
++ is used by the caller to distinguish between ECONNREFUSED and
++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
++
++ If errors are encountered then *TERRNO is set to an appropriate
++ errno value and a zero result is returned for a recoverable error,
++ and a less-than zero result is returned for a non-recoverable error.
++
++ If no errors are encountered then *TERRNO is left unmodified and
++ a the length of the first response in bytes is returned. */
+ static int
+ send_dg(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -1030,8 +1159,6 @@ send_dg(res_state statp,
+ {
+ const HEADER *hp = (HEADER *) buf;
+ const HEADER *hp2 = (HEADER *) buf2;
+- u_char *ans = *ansp;
+- int orig_anssizp = *anssizp;
+ struct timespec now, timeout, finish;
+ struct pollfd pfd[1];
+ int ptimeout;
+@@ -1064,6 +1191,8 @@ send_dg(res_state statp,
+ int need_recompute = 0;
+ int nwritten = 0;
+ int recvresp1 = 0;
++ /* Skip the second response if there is no second query.
++ To do that we mark the second response as received. */
+ int recvresp2 = buf2 == NULL;
+ pfd[0].fd = EXT(statp).nssocks[ns];
+ pfd[0].events = POLLOUT;
+@@ -1227,55 +1356,56 @@ send_dg(res_state statp,
+ int *thisresplenp;
+
+ if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++ /* We have not received any responses
++ yet or we only have one response to
++ receive. */
+ thisanssizp = anssizp;
+ thisansp = anscp ?: ansp;
+ assert (anscp != NULL || ansp2 == NULL);
+ thisresplenp = &resplen;
+ } else {
+- if (*anssizp != MAXPACKET) {
+- /* No buffer allocated for the first
+- reply. We can try to use the rest
+- of the user-provided buffer. */
+-#if _STRING_ARCH_unaligned
+- *anssizp2 = orig_anssizp - resplen;
+- *ansp2 = *ansp + resplen;
+-#else
+- int aligned_resplen
+- = ((resplen + __alignof__ (HEADER) - 1)
+- & ~(__alignof__ (HEADER) - 1));
+- *anssizp2 = orig_anssizp - aligned_resplen;
+- *ansp2 = *ansp + aligned_resplen;
+-#endif
+- } else {
+- /* The first reply did not fit into the
+- user-provided buffer. Maybe the second
+- answer will. */
+- *anssizp2 = orig_anssizp;
+- *ansp2 = *ansp;
+- }
+-
+ thisanssizp = anssizp2;
+ thisansp = ansp2;
+ thisresplenp = resplen2;
+ }
+
+ if (*thisanssizp < MAXPACKET
+- /* Yes, we test ANSCP here. If we have two buffers
+- both will be allocatable. */
+- && anscp
++ /* If the current buffer is non-NULL and it's not
++ pointing at the static user-supplied buffer then
++ we can reallocate it. */
++ && (thisansp != NULL && thisansp != ansp)
+ #ifdef FIONREAD
++ /* Is the size too small? */
+ && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
+ || *thisanssizp < *thisresplenp)
+ #endif
+ ) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *newp = malloc (MAXPACKET);
+ if (newp != NULL) {
+- *anssizp = MAXPACKET;
+- *thisansp = ans = newp;
++ *thisanssizp = MAXPACKET;
++ *thisansp = newp;
+ if (thisansp == ansp2)
+ *ansp2_malloced = 1;
+ }
+ }
++ /* We could end up with truncation if anscp was NULL
++ (not allowed to change caller's buffer) and the
++ response buffer size is too small. This isn't a
++ reliable way to detect truncation because the ioctl
++ may be an inaccurate report of the UDP message size.
++ Therefore we use this only to issue debug output.
++ To do truncation accurately with UDP we need
++ MSG_TRUNC which is only available on Linux. We
++ can abstract out the Linux-specific feature in the
++ future to detect truncation. */
++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
++ Dprint(statp->options & RES_DEBUG,
++ (stdout, ";; response may be truncated (UDP)\n")
++ );
++ }
++
+ HEADER *anhp = (HEADER *) *thisansp;
+ socklen_t fromlen = sizeof(struct sockaddr_in6);
+ assert (sizeof(from) <= fromlen);
diff --git a/gnu/packages/patches/glibc-hurd-extern-inline.patch b/gnu/packages/patches/glibc-hurd-extern-inline.patch
new file mode 100644
index 0000000000..a609b1f54a
--- /dev/null
+++ b/gnu/packages/patches/glibc-hurd-extern-inline.patch
@@ -0,0 +1,35 @@
+This changes the way _EXTERN_INLINE is defined so we can
+avoid external definition errors.
+https://lists.gnu.org/archive/html/bug-hurd/2014-04/msg00002.html
+
+diff --git a/signal/sigsetops.c b/signal/sigsetops.c
+index 0317662..b92c296 100644
+--- a/signal/sigsetops.c
++++ b/signal/sigsetops.c
+@@ -3,7 +3,9 @@
+
+ #include <features.h>
+
+-#define _EXTERN_INLINE
++#ifndef _EXTERN_INLINE
++#define _EXTERN_INLINE __extern_inline
++#endif
+ #ifndef __USE_EXTERN_INLINES
+ # define __USE_EXTERN_INLINES 1
+ #endif
+
+Link libmachuser and libhurduser automatically with libc, since they are
+considered a standard part of the API in GNU-land.
+
+--- a/Makerules
++++ b/Makerules
+@@ -978,6 +978,9 @@
+ '$(libdir)/$(patsubst %,$(libtype.oS),$(libprefix)$(libc-name))'\
+ ' AS_NEEDED (' $(rtlddir)/$(rtld-installed-name) ') )' \
+ ) > $@.new
++ifeq ($(patsubst gnu%,,$(config-os)),)
++ echo 'INPUT ( AS_NEEDED ( -lmachuser -lhurduser ) )' >> $@.new
++endif
+ mv -f $@.new $@
+
+ endif \ No newline at end of file
diff --git a/gnu/packages/patches/glibc-locale-incompatibility.patch b/gnu/packages/patches/glibc-locale-incompatibility.patch
new file mode 100644
index 0000000000..baf30a79a7
--- /dev/null
+++ b/gnu/packages/patches/glibc-locale-incompatibility.patch
@@ -0,0 +1,23 @@
+This patch avoids an assertion failure when incompatible locale data
+is encountered:
+
+ https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html
+
+--- glibc-2.22/locale/loadlocale.c 2015-09-22 17:16:02.321981548 +0200
++++ glibc-2.22/locale/loadlocale.c 2015-09-22 17:17:34.814659064 +0200
+@@ -120,10 +120,11 @@
+ _nl_value_type_LC_XYZ array. There are all pointers. */
+ switch (category)
+ {
+-#define CATTEST(cat) \
+- case LC_##cat: \
+- assert (cnt < (sizeof (_nl_value_type_LC_##cat) \
+- / sizeof (_nl_value_type_LC_##cat[0]))); \
++#define CATTEST(cat) \
++ case LC_##cat: \
++ if (cnt >= (sizeof (_nl_value_type_LC_##cat) \
++ / sizeof (_nl_value_type_LC_##cat[0]))) \
++ goto puntdata; \
+ break
+ CATTEST (NUMERIC);
+ CATTEST (TIME);
diff --git a/gnu/packages/patches/glibc-locales.patch b/gnu/packages/patches/glibc-locales.patch
index 3a125e845e..1bcf12bf6f 100644
--- a/gnu/packages/patches/glibc-locales.patch
+++ b/gnu/packages/patches/glibc-locales.patch
@@ -5,8 +5,8 @@ in a package separate from glibc.
2. Use '--no-archive' to avoid building the big locale archive, and
because the already-built 'localedef' would want to write it
to '/run/current-system/locale', which is not possible.
- 3. Pass $(inst_complocaledir)/$$locale to install files in the right
- place, and because otherwise, 'localedef' fails with:
+ 3. Pass $(localedir)/$$locale to install files in the right place, and
+ because otherwise, 'localedef' fails with:
"cannot write output files to `(null)'".
--- glibc-2.22/localedata/Makefile 1970-01-01 01:00:00.000000000 +0100
@@ -25,7 +25,7 @@ in a package separate from glibc.
$(LOCALEDEF) --alias-file=../intl/locale.alias \
-i locales/$$input -c -f charmaps/$$charset \
- $(addprefix --prefix=,$(install_root)) $$locale \
-+ $(addprefix --prefix=,$(install_root)) $(inst_complocaledir)/$$locale \
++ $(addprefix --prefix=,$(install_root)) $(localedir)/$$locale \
&& echo ' done'; \
tst-setlocale-ENV = LC_ALL=ja_JP.EUC-JP
diff --git a/gnu/packages/patches/libarchive-CVE-2013-0211.patch b/gnu/packages/patches/libarchive-CVE-2013-0211.patch
new file mode 100644
index 0000000000..b024a7d4a8
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2013-0211.patch
@@ -0,0 +1,21 @@
+Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/703957
+Forwarded: not-needed
+
+--- libarchive-3.0.4.orig/libarchive/archive_write.c
++++ libarchive-3.0.4/libarchive/archive_write.c
+@@ -665,8 +665,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ struct archive_write *a = (struct archive_write *)_a;
++ const size_t max_write = INT_MAX;
++
+ archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ ARCHIVE_STATE_DATA, "archive_write_data");
++ /* In particular, this catches attempts to pass negative values. */
++ if (s > max_write)
++ s = max_write;
+ archive_clear_error(&a->archive);
+ return ((a->format_write_data)(a, buff, s));
+ }
diff --git a/gnu/packages/patches/libarchive-CVE-2016-1541.patch b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
new file mode 100644
index 0000000000..6ac8773244
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
@@ -0,0 +1,67 @@
+Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata)
+
+Taken from upstream source repository:
+https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
+
+When reading OS X metadata entries in Zip archives that were stored
+without compression, libarchive would use the uncompressed entry size
+to allocate a buffer but would use the compressed entry size to limit
+the amount of data copied into that buffer. Since the compressed
+and uncompressed sizes are provided by data in the archive itself,
+an attacker could manipulate these values to write data beyond
+the end of the allocated buffer.
+
+This fix provides three new checks to guard against such
+manipulation and to make libarchive generally more robust when
+handling this type of entry:
+ 1. If an OS X metadata entry is stored without compression,
+ abort the entire archive if the compressed and uncompressed
+ data sizes do not match.
+ 2. When sanity-checking the size of an OS X metadata entry,
+ abort this entry if either the compressed or uncompressed
+ size is larger than 4MB.
+ 3. When copying data into the allocated buffer, check the copy
+ size against both the compressed entry size and uncompressed
+ entry size.
+---
+ libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 0f8262c..0a0be96 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
+
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if (rsrc->uncompressed_size != rsrc->compressed_size) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Malformed OS X metadata entry: inconsistent size");
++ return (ARCHIVE_FATAL);
++ }
+ #ifdef HAVE_ZLIB_H
+ case 8: /* Deflate compression. */
+ #endif
+@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
+ (intmax_t)rsrc->uncompressed_size);
+ return (ARCHIVE_WARN);
+ }
++ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Mac metadata is too large: %jd > 4M bytes",
++ (intmax_t)rsrc->compressed_size);
++ return (ARCHIVE_WARN);
++ }
+
+ metadata = malloc((size_t)rsrc->uncompressed_size);
+ if (metadata == NULL) {
+@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
+ bytes_avail = remaining_bytes;
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if ((size_t)bytes_avail > metadata_bytes)
++ bytes_avail = metadata_bytes;
+ memcpy(mp, p, bytes_avail);
+ bytes_used = (size_t)bytes_avail;
+ metadata_bytes -= bytes_used;
diff --git a/gnu/packages/patches/libarchive-bsdtar-test.patch b/gnu/packages/patches/libarchive-bsdtar-test.patch
new file mode 100644
index 0000000000..6a533a9a07
--- /dev/null
+++ b/gnu/packages/patches/libarchive-bsdtar-test.patch
@@ -0,0 +1,74 @@
+commit b539b2e597b566fe3c4b49cb61c9eef83e5e052d
+Author: Pavel Raiskup <praiskup@redhat.com>
+Date: Thu Jun 27 16:01:30 2013 +0200
+
+ Use ustar format in the test_option_b test
+
+ .. because the ustar archive does not store SELinux context. As the default
+ format for bsdtar is "restricted pax" (trying to store xattrs and other
+ things by default), the test failed on Fedora because our files have by
+ default SELinux context set. This results in additional data in tested
+ archive ~> and the test failed because the archive was unexpectedly big:
+
+ tar/test/test_option_b.c:41: File archive1.tar has size 3072, expected 2048
+
+ Reviewed by Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
+
+diff --git a/tar/test/test_option_b.c b/tar/test/test_option_b.c
+index be2ae65..6fea474 100644
+--- a/tar/test/test_option_b.c
++++ b/tar/test/test_option_b.c
+@@ -25,8 +25,14 @@
+ #include "test.h"
+ __FBSDID("$FreeBSD$");
+
++#define USTAR_OPT " --format=ustar"
++
+ DEFINE_TEST(test_option_b)
+ {
++ char *testprog_ustar = malloc(strlen(testprog) + sizeof(USTAR_OPT) + 1);
++ strcpy(testprog_ustar, testprog);
++ strcat(testprog_ustar, USTAR_OPT);
++
+ assertMakeFile("file1", 0644, "file1");
+ if (systemf("cat file1 > test_cat.out 2> test_cat.err") != 0) {
+ skipping("Platform doesn't have cat");
+@@ -36,7 +42,7 @@ DEFINE_TEST(test_option_b)
+ /*
+ * Bsdtar does not pad if the output is going directly to a disk file.
+ */
+- assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog));
++ assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog_ustar));
+ failure("bsdtar does not pad archives written directly to regular files");
+ assertFileSize("archive1.tar", 2048);
+ assertEmptyFile("test1.out");
+@@ -46,24 +52,24 @@ DEFINE_TEST(test_option_b)
+ * Bsdtar does pad to the block size if the output is going to a socket.
+ */
+ /* Default is -b 20 */
+- assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog));
++ assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog_ustar));
+ failure("bsdtar does pad archives written to pipes");
+ assertFileSize("archive2.tar", 10240);
+ assertEmptyFile("test2.err");
+
+- assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog));
++ assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog_ustar));
+ assertFileSize("archive3.tar", 10240);
+ assertEmptyFile("test3.err");
+
+- assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog));
++ assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog_ustar));
+ assertFileSize("archive4.tar", 5120);
+ assertEmptyFile("test4.err");
+
+- assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog));
++ assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog_ustar));
+ assertFileSize("archive5.tar", 2048);
+ assertEmptyFile("test5.err");
+
+- assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog));
++ assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog_ustar));
+ assertFileSize("archive6.tar", 4194304);
+ assertEmptyFile("test6.err");
+
diff --git a/gnu/packages/patches/libarchive-fix-lzo-test-case.patch b/gnu/packages/patches/libarchive-fix-lzo-test-case.patch
new file mode 100644
index 0000000000..ffdc0db922
--- /dev/null
+++ b/gnu/packages/patches/libarchive-fix-lzo-test-case.patch
@@ -0,0 +1,83 @@
+Description: This patch fixes test cases for LZO write support in various
+ architectures, such as armhf. Writing a certain amount of files would
+ cause the LZO compressor level 9 to produce a bigger archive than the
+ default compressor level.
+Author: Andres Mejia <amejia@debian.org>
+
+--- a/libarchive/test/test_write_filter_lzop.c
++++ b/libarchive/test/test_write_filter_lzop.c
+@@ -39,7 +39,7 @@
+ size_t buffsize, datasize;
+ char path[16];
+ size_t used1, used2;
+- int i, r, use_prog = 0;
++ int i, r, use_prog = 0, filecount;
+
+ assert((a = archive_write_new()) != NULL);
+ r = archive_write_add_filter_lzop(a);
+@@ -58,9 +58,10 @@
+
+ datasize = 10000;
+ assert(NULL != (data = (char *)calloc(1, datasize)));
++ filecount = 10;
+
+ /*
+- * Write a 100 files and read them all back.
++ * Write a filecount files and read them all back.
+ */
+ assert((a = archive_write_new()) != NULL);
+ assertEqualIntA(a, ARCHIVE_OK, archive_write_set_format_ustar(a));
+@@ -77,7 +78,7 @@
+ assert((ae = archive_entry_new()) != NULL);
+ archive_entry_set_filetype(ae, AE_IFREG);
+ archive_entry_set_size(ae, datasize);
+- for (i = 0; i < 100; i++) {
++ for (i = 0; i < filecount; i++) {
+ sprintf(path, "file%03d", i);
+ archive_entry_copy_pathname(ae, path);
+ assertEqualIntA(a, ARCHIVE_OK, archive_write_header(a, ae));
+@@ -97,7 +98,7 @@
+ } else {
+ assertEqualIntA(a, ARCHIVE_OK,
+ archive_read_open_memory(a, buff, used1));
+- for (i = 0; i < 100; i++) {
++ for (i = 0; i < filecount; i++) {
+ sprintf(path, "file%03d", i);
+ if (!assertEqualInt(ARCHIVE_OK,
+ archive_read_next_header(a, &ae)))
+@@ -133,7 +134,7 @@
+ archive_write_set_options(a, "lzop:compression-level=9"));
+ assertEqualIntA(a, ARCHIVE_OK,
+ archive_write_open_memory(a, buff, buffsize, &used2));
+- for (i = 0; i < 100; i++) {
++ for (i = 0; i < filecount; i++) {
+ sprintf(path, "file%03d", i);
+ assert((ae = archive_entry_new()) != NULL);
+ archive_entry_copy_pathname(ae, path);
+@@ -161,7 +162,7 @@
+ archive_read_support_filter_all(a));
+ assertEqualIntA(a, ARCHIVE_OK,
+ archive_read_open_memory(a, buff, used2));
+- for (i = 0; i < 100; i++) {
++ for (i = 0; i < filecount; i++) {
+ sprintf(path, "file%03d", i);
+ if (!assertEqualInt(ARCHIVE_OK,
+ archive_read_next_header(a, &ae)))
+@@ -186,7 +187,7 @@
+ archive_write_set_filter_option(a, NULL, "compression-level", "1"));
+ assertEqualIntA(a, ARCHIVE_OK,
+ archive_write_open_memory(a, buff, buffsize, &used2));
+- for (i = 0; i < 100; i++) {
++ for (i = 0; i < filecount; i++) {
+ sprintf(path, "file%03d", i);
+ assert((ae = archive_entry_new()) != NULL);
+ archive_entry_copy_pathname(ae, path);
+@@ -216,7 +217,7 @@
+ } else {
+ assertEqualIntA(a, ARCHIVE_OK,
+ archive_read_open_memory(a, buff, used2));
+- for (i = 0; i < 100; i++) {
++ for (i = 0; i < filecount; i++) {
+ sprintf(path, "file%03d", i);
+ if (!assertEqualInt(ARCHIVE_OK,
+ archive_read_next_header(a, &ae)))
diff --git a/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch b/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch
new file mode 100644
index 0000000000..ad94592c05
--- /dev/null
+++ b/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch
@@ -0,0 +1,18 @@
+Description: Patch to fix filename length calculation when writing mtree archives.
+Author: Dave Reisner <dreisner@archlinux.org>
+Origin: upstream
+
+--- a/libarchive/archive_write_set_format_mtree.c
++++ b/libarchive/archive_write_set_format_mtree.c
+@@ -1855,9 +1855,9 @@
+ return (ret);
+ }
+
+- /* Make a basename from dirname and slash */
++ /* Make a basename from file->parentdir.s and slash */
+ *slash = '\0';
+- file->parentdir.length = slash - dirname;
++ file->parentdir.length = slash - file->parentdir.s;
+ archive_strcpy(&(file->basename), slash + 1);
+ return (ret);
+ }
diff --git a/gnu/packages/patches/libpthread-glibc-preparation.patch b/gnu/packages/patches/libpthread-glibc-preparation.patch
new file mode 100644
index 0000000000..a43245436c
--- /dev/null
+++ b/gnu/packages/patches/libpthread-glibc-preparation.patch
@@ -0,0 +1,146 @@
+This patch helps to integrate the Hurd's libpthread as a libc add-on.
+
+It writes the configure file, removes an rpc call not yet
+implemented on the version of gnumach we use and defines
+a missing macro.
+
+diff --git a/libpthread/configure b/libpthread/configure
+new file mode 100644
+index 0000000..2cdbc71
+--- /dev/null
++++ b/libpthread/configure
+@@ -0,0 +1,2 @@
++libc_add_on_canonical=libpthread
++libc_add_on_subdirs=.
+--
+1.9.0
+
+We are using a version of GNU Mach that lacks 'thread_terminate_release'
+(not introduced yet). The 'thread_terminate' RPC call will be enough for
+our needs.
+See <http://lists.gnu.org/archive/html/bug-hurd/2014-05/msg00127.html>.
+
+diff --git a/libpthread/sysdeps/mach/pt-thread-terminate.c b/libpthread/sysdeps/mach/pt-thread-terminate.c
+index 6672065..129a611 100644
+--- a/libpthread/sysdeps/mach/pt-thread-terminate.c
++++ b/libpthread/sysdeps/mach/pt-thread-terminate.c
+@@ -70,9 +70,9 @@ __pthread_thread_terminate (struct __pthread *thread)
+ __mach_port_destroy (__mach_task_self (), wakeup_port);
+
+ /* Terminate and release all that's left. */
+- err = __thread_terminate_release (kernel_thread, mach_task_self (),
+- kernel_thread, reply_port,
+- stackaddr, stacksize);
++ /* err = __thread_terminate_release (kernel_thread, mach_task_self (), */
++ /* kernel_thread, reply_port, */
++ /* stackaddr, stacksize); */
+
+ /* The kernel does not support it yet. Leak but at least terminate
+ correctly. */
+--
+1.9.2
+
+The __PTHREAD_SPIN_LOCK_INITIALIZER definition is missing, so we
+define it to __SPIN_LOCK_INITIALIZER which already exists.
+See <http://lists.gnu.org/archive/html/commit-hurd/2009-04/msg00006.html>.
+
+diff --git a/libpthread/sysdeps/mach/bits/spin-lock.h b/libpthread/sysdeps/mach/bits/spin-lock.h
+index 537dac9..fca0e5a 100644
+--- a/libpthread/sysdeps/mach/bits/spin-lock.h
++++ b/libpthread/sysdeps/mach/bits/spin-lock.h
+@@ -30,7 +30,7 @@ typedef __spin_lock_t __pthread_spinlock_t;
+
+ /* Initializer for a spin lock object. */
+ #ifndef __PTHREAD_SPIN_LOCK_INITIALIZER
+-#error __PTHREAD_SPIN_LOCK_INITIALIZER undefined: should be defined by <lock-intern.h>.
++#define __PTHREAD_SPIN_LOCK_INITIALIZER __SPIN_LOCK_INITIALIZER
+ #endif
+
+ __END_DECLS
+
+The version of the glibc we use doesn't include the shm-directory.c file and does
+not yet support IS_IN.
+See <https://lists.gnu.org/archive/html/bug-hurd/2015-03/msg00078.html>
+
+diff --git a/libpthread/Makefile b/libpthread/Makefile
+index 2906788..b8dee58 100644
+--- a/libpthread/Makefile
++++ b/libpthread/Makefile
+@@ -149,8 +149,6 @@ libpthread-routines := pt-attr pt-attr-destroy pt-attr-getdetachstate \
+ sem-post sem-timedwait sem-trywait sem-unlink \
+ sem-wait \
+ \
+- shm-directory \
+- \
+ cthreads-compat \
+ $(SYSDEPS)
+
+--
+2.3.6
+
+diff --git a/libpthread/pthread/pt-create.c b/libpthread/pthread/pt-create.c
+index d88afae..84044dc 100644
+--- a/libpthread/pthread/pt-create.c
++++ b/libpthread/pthread/pt-create.c
+@@ -28,7 +28,7 @@
+
+ #include <pt-internal.h>
+
+-#if IS_IN (libpthread)
++#ifdef IS_IN_libpthread
+ # include <ctype.h>
+ #endif
+ #ifdef HAVE_USELOCALE
+@@ -50,7 +50,7 @@ entry_point (struct __pthread *self, void *(*start_routine)(void *), void *arg)
+ __resp = &self->res_state;
+ #endif
+
+-#if IS_IN (libpthread)
++#ifdef IS_IN_libpthread
+ /* Initialize pointers to locale data. */
+ __ctype_init ();
+ #endif
+diff --git a/libpthread/pthread/pt-initialize.c b/libpthread/pthread/pt-initialize.c
+index 9e5404b..b9cacbd 100644
+--- a/libpthread/pthread/pt-initialize.c
++++ b/libpthread/pthread/pt-initialize.c
+@@ -28,7 +28,7 @@
+
+ DEFINE_HOOK (__pthread_init, (void));
+
+-#if IS_IN (libpthread)
++#ifdef IS_IN_libpthread
+ static const struct pthread_functions pthread_functions =
+ {
+ .ptr_pthread_attr_destroy = __pthread_attr_destroy,
+@@ -81,7 +81,7 @@ static const struct pthread_functions pthread_functions =
+ void
+ ___pthread_init (void)
+ {
+-#if IS_IN (libpthread)
++#ifdef IS_IN_libpthread
+ __libc_pthread_init(&pthread_functions);
+ #endif
+ RUN_HOOK (__pthread_init, ());
+diff --git a/libpthread/pthread/pt-internal.h b/libpthread/pthread/pt-internal.h
+index 18b5b4c..8cdcfce 100644
+--- a/libpthread/pthread/pt-internal.h
++++ b/libpthread/pthread/pt-internal.h
+@@ -35,7 +35,7 @@
+ #include <pt-sysdep.h>
+ #include <pt-machdep.h>
+
+-#if IS_IN (libpthread)
++#ifdef IS_IN_libpthread
+ # include <ldsodefs.h>
+ #endif
+
+@@ -60,7 +60,7 @@ enum pthread_state
+ # define PTHREAD_SYSDEP_MEMBERS
+ #endif
+
+-#if !(IS_IN (libpthread))
++#ifndef IS_IN_libpthread
+ #ifdef ENABLE_TLS
+ /* Type of the TCB. */
+ typedef struct
diff --git a/gnu/packages/patches/libxslt-CVE-2015-7995.patch b/gnu/packages/patches/libxslt-CVE-2015-7995.patch
new file mode 100644
index 0000000000..f291d5b387
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2015-7995.patch
@@ -0,0 +1,29 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: [PATCH] Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index 0eb80a0..7f69325 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
+@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+ } else if (IS_XSLT_NAME(inst, "attribute")) {
+ xmlNodePtr parent = inst->parent;
+
+- if ((parent == NULL) || (parent->ns == NULL) ||
++ if ((parent == NULL) ||
++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ ((parent->ns != inst->ns) &&
+ (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
+--
+2.6.3
+
diff --git a/gnu/packages/patches/libxslt-generated-ids.patch b/gnu/packages/patches/libxslt-generated-ids.patch
deleted file mode 100644
index 4273875c7c..0000000000
--- a/gnu/packages/patches/libxslt-generated-ids.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-This makes generated IDs deterministic.
-
-Written by Daniel Veillard.
-
-This should be fixed in next release (2.29).
-See https://bugzilla.gnome.org/show_bug.cgi?id=751621.
-
-diff --git a/libxslt/functions.c b/libxslt/functions.c
-index 6448bde..5b00a6d 100644
---- a/libxslt/functions.c
-+++ b/libxslt/functions.c
-@@ -651,6 +651,63 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
- }
-
- /**
-+ * xsltCleanupIds:
-+ * @ctxt: the transformation context
-+ * @root: the root of the resulting document
-+ *
-+ * This clean up ids which may have been saved in Element contents
-+ * by xsltGenerateIdFunction() to provide stable IDs on elements.
-+ *
-+ * Returns the number of items cleaned or -1 in case of error
-+ */
-+int
-+xsltCleanupIds(xsltTransformContextPtr ctxt, xmlNodePtr root) {
-+ xmlNodePtr cur;
-+ int count = 0;
-+
-+ if ((ctxt == NULL) || (root == NULL))
-+ return(-1);
-+ if (root->type != XML_ELEMENT_NODE)
-+ return(-1);
-+
-+ cur = root;
-+ while (cur != NULL) {
-+ if (cur->type == XML_ELEMENT_NODE) {
-+ if (cur->content != NULL) {
-+ cur->content = NULL;
-+ count++;
-+ }
-+ if (cur->children != NULL) {
-+ cur = cur->children;
-+ continue;
-+ }
-+ }
-+ if (cur->next != NULL) {
-+ cur = cur->next;
-+ continue;
-+ }
-+ do {
-+ cur = cur->parent;
-+ if (cur == NULL)
-+ break;
-+ if (cur == (xmlNodePtr) root) {
-+ cur = NULL;
-+ break;
-+ }
-+ if (cur->next != NULL) {
-+ cur = cur->next;
-+ break;
-+ }
-+ } while (cur != NULL);
-+ }
-+
-+fprintf(stderr, "Attributed %d IDs for element, cleaned up %d\n",
-+ ctxt->nextid, count);
-+
-+ return(count);
-+}
-+
-+/**
- * xsltGenerateIdFunction:
- * @ctxt: the XPath Parser context
- * @nargs: the number of arguments
-@@ -701,7 +758,39 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
- if (obj)
- xmlXPathFreeObject(obj);
-
-- val = (long)((char *)cur - (char *)&base_address);
-+ /*
-+ * Try to provide stable ID for generated document:
-+ * - usually ID are computed to be placed on elements via attributes
-+ * so using the element as the node for the ID
-+ * - the cur->content should be a correct placeholder for this, we use
-+ * it to hold element node numbers in xmlXPathOrderDocElems to
-+ * speed up XPath too
-+ * - xsltCleanupIds() clean them up before handing the XSLT output
-+ * to the API client.
-+ * - other nodes types use the node address method but that should
-+ * not end up in resulting document ID
-+ * - we can enable this by default without risk of performance issues
-+ * only the one pass xsltCleanupIds() is added
-+ */
-+ if (cur->type == XML_ELEMENT_NODE) {
-+ if (cur->content == NULL) {
-+ xsltTransformContextPtr tctxt;
-+
-+ tctxt = xsltXPathGetTransformContext(ctxt);
-+ if (tctxt == NULL) {
-+ val = (long)((char *)cur - (char *)&base_address);
-+ } else {
-+ tctxt->nextid++;
-+ val = tctxt->nextid;
-+ cur->content = (void *) (val);
-+ }
-+ } else {
-+ val = (long) cur->content;
-+ }
-+ } else {
-+ val = (long)((char *)cur - (char *)&base_address);
-+ }
-+
- if (val >= 0) {
- sprintf((char *)str, "idp%ld", val);
- } else {
-diff --git a/libxslt/functions.h b/libxslt/functions.h
-index e0e0bf9..4a1e163 100644
---- a/libxslt/functions.h
-+++ b/libxslt/functions.h
-@@ -64,6 +64,13 @@ XSLTPUBFUN void XSLTCALL
- int nargs);
-
- /*
-+ * Cleanup for ID generation
-+ */
-+XSLTPUBFUN int XSLTCALL
-+ xsltCleanupIds (xsltTransformContextPtr ctxt,
-+ xmlNodePtr root);
-+
-+/*
- * And the registration
- */
-
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 24f9eb2..2bdf6bf 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -700,6 +700,7 @@ xsltNewTransformContext(xsltStylesheetPtr style, xmlDocPtr doc) {
- cur->traceCode = (unsigned long*) &xsltDefaultTrace;
- cur->xinclude = xsltGetXIncludeDefault();
- cur->keyInitLevel = 0;
-+ cur->nextid = 0;
-
- return(cur);
-
-@@ -6092,6 +6093,13 @@ xsltApplyStylesheetInternal(xsltStylesheetPtr style, xmlDocPtr doc,
- if (root != NULL) {
- const xmlChar *doctype = NULL;
-
-+ /*
-+ * cleanup ids which may have been saved in Elements content ptrs
-+ */
-+ if (ctxt->nextid != 0) {
-+ xsltCleanupIds(ctxt, root);
-+ }
-+
- if ((root->ns != NULL) && (root->ns->prefix != NULL))
- doctype = xmlDictQLookup(ctxt->dict, root->ns->prefix, root->name);
- if (doctype == NULL)
-diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
-index 95e8fe6..8eedae4 100644
---- a/libxslt/xsltInternals.h
-+++ b/libxslt/xsltInternals.h
-@@ -1786,6 +1786,8 @@ struct _xsltTransformContext {
- int funcLevel; /* Needed to catch recursive functions issues */
- int maxTemplateDepth;
- int maxTemplateVars;
-+
-+ unsigned long nextid;/* for generating stable ids */
- };
-
- /**
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
new file mode 100644
index 0000000000..a296d8cb1b
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
@@ -0,0 +1,51 @@
+Copied from Fedora.
+http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8629.patch?h=f22
+
+From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 12:45:25 -0500
+Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629]
+
+In xdr_nullstring(), check that the decoded string is terminated with
+a zero byte and does not contain any internal zero bytes.
+
+CVE-2015-8629:
+
+In all versions of MIT krb5, an authenticated attacker can cause
+kadmind to read beyond the end of allocated memory by sending a string
+without a terminating zero byte. Information leakage may be possible
+for an attacker with permission to modify the database.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
+
+ticket: 8341 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2bef858..ba67084 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
+ return FALSE;
+ }
+ }
+- return (xdr_opaque(xdrs, *objp, size));
++ if (!xdr_opaque(xdrs, *objp, size))
++ return FALSE;
++ /* Check that the unmarshalled bytes are a C string. */
++ if ((*objp)[size - 1] != '\0')
++ return FALSE;
++ if (memchr(*objp, '\0', size - 1) != NULL)
++ return FALSE;
++ return TRUE;
+
+ case XDR_ENCODE:
+ if (size != 0)
+--
+2.7.0.rc3
+
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
new file mode 100644
index 0000000000..c21d84b1e7
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
@@ -0,0 +1,81 @@
+Copied from Fedora.
+http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8630.patch?h=f22
+
+From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 12:52:28 -0500
+Subject: [PATCH 2/3] Check for null kadm5 policy name [CVE-2015-8630]
+
+In kadm5_create_principal_3() and kadm5_modify_principal(), check for
+entry->policy being null when KADM5_POLICY is included in the mask.
+
+CVE-2015-8630:
+
+In MIT krb5 1.12 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying a null policy value but including KADM5_POLICY in
+the mask.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8342 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/kadm5/srv/svr_principal.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 5b95fa3..1d4365c 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
+ /*
+ * Argument sanity checking, and opening up the DB
+ */
++ if (entry == NULL)
++ return EINVAL;
+ if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
+ (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
+ (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
+ return KADM5_BAD_MASK;
+ if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
+ return KADM5_BAD_MASK;
++ if((mask & KADM5_POLICY) && entry->policy == NULL)
++ return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
+- if (entry == NULL)
+- return EINVAL;
+
+ /*
+ * Check to see if the principal exists
+@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
+
+ krb5_clear_error_message(handle->context);
+
++ if(entry == NULL)
++ return EINVAL;
+ if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
+ (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
+ (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
++ if((mask & KADM5_POLICY) && entry->policy == NULL)
++ return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+ return KADM5_BAD_MASK;
+- if(entry == (kadm5_principal_ent_t) NULL)
+- return EINVAL;
+ if (mask & KADM5_TL_DATA) {
+ tl_data_orig = entry->tl_data;
+ while (tl_data_orig) {
+--
+2.7.0.rc3
+
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch
new file mode 100644
index 0000000000..dd1eb2945c
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch
@@ -0,0 +1,576 @@
+Copied from Fedora.
+http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8631.patch?h=f22
+
+From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 13:16:54 -0500
+Subject: [PATCH 3/3] Fix leaks in kadmin server stubs [CVE-2015-8631]
+
+In each kadmind server stub, initialize the client_name and
+server_name variables, and release them in the cleanup handler. Many
+of the stubs will otherwise leak the client and server name if
+krb5_unparse_name() fails. Also make sure to free the prime_arg
+variables in rename_principal_2_svc(), or we can leak the first one if
+unparsing the second one fails. Discovered by Simo Sorce.
+
+CVE-2015-8631:
+
+In all versions of MIT krb5, an authenticated attacker can cause
+kadmind to leak memory by supplying a null principal name in a request
+which uses one. Repeating these requests will eventually cause
+kadmind to exhaust all available memory.
+
+ CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8343 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++-------------------
+ 1 file changed, 77 insertions(+), 74 deletions(-)
+
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
+index 1879dc6..6ac797e 100644
+--- a/src/kadmin/server/server_stubs.c
++++ b/src/kadmin/server/server_stubs.c
+@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
+
+ }
+ free(prime_arg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -570,10 +572,9 @@ generic_ret *
+ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+- char *prime_arg1,
+- *prime_arg2;
+- gss_buffer_desc client_name,
+- service_name;
++ char *prime_arg1 = NULL, *prime_arg2 = NULL;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+
+ }
++exit_func:
+ free(prime_arg1);
+ free(prime_arg2);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static gprinc_ret ret;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
+ {
+ static gprincs_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
+ static gpol_ret ret;
+ kadm5_ret_t ret2;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_principal_ent_rec caller_ent;
+ kadm5_server_handle_t handle;
+@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+
+@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+ {
+ static gpols_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1541,7 +1542,8 @@ exit_func:
+ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ {
+ static getprivs_ret ret;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+
+@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+ {
+ static gstrings_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1754,8 +1757,8 @@ exit_func:
+ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
+ const char *errmsg = NULL;
+@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ rqstp->rq_cred.oa_flavor);
+ if (errmsg != NULL)
+ krb5_free_error_message(NULL, errmsg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ return(&ret);
+ }
+
+--
+2.7.0.rc3
+
diff --git a/gnu/packages/patches/mit-krb5-init-context-null-spnego.patch b/gnu/packages/patches/mit-krb5-init-context-null-spnego.patch
new file mode 100644
index 0000000000..195db38d08
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-init-context-null-spnego.patch
@@ -0,0 +1,49 @@
+Copied from Fedora.
+http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-init_context_null_spnego.patch?h=f22
+
+From 3beb564cea3d219efcf71682b6576cad548c2d23 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 5 Jan 2016 12:11:59 -0500
+Subject: [PATCH] Check internal context on init context errors
+
+If the mechanism deletes the internal context handle on error, the
+mechglue must do the same with the union context, to avoid crashes if
+the application calls other functions with this invalid union context.
+
+[ghudson@mit.edu: edit commit message and code comment]
+
+ticket: 8337 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/gssapi/mechglue/g_init_sec_context.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c
+index aaae767..9f154b8 100644
+--- a/src/lib/gssapi/mechglue/g_init_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_init_sec_context.c
+@@ -224,12 +224,15 @@ OM_uint32 * time_rec;
+
+ if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) {
+ /*
+- * the spec says (the preferred) method is to delete all
+- * context info on the first call to init, and on all
+- * subsequent calls make the caller responsible for
+- * calling gss_delete_sec_context
++ * The spec says the preferred method is to delete all context info on
++ * the first call to init, and on all subsequent calls make the caller
++ * responsible for calling gss_delete_sec_context. However, if the
++ * mechanism decided to delete the internal context, we should also
++ * delete the union context.
+ */
+ map_error(minor_status, mech);
++ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
++ *context_handle = GSS_C_NO_CONTEXT;
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ free(union_ctx_id->mech_type->elements);
+ free(union_ctx_id->mech_type);
+--
+2.6.4
+
diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch
deleted file mode 100644
index 9d369aeb2c..0000000000
--- a/gnu/packages/patches/procps-non-linux.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001
-From: Craig Small <csmall@enc.com.au>
-Date: Sun, 17 Apr 2016 09:09:41 +1000
-Subject: [PATCH] tests: Conditionally add prctl to test process
-
-prctl was already bypassed on Cygwin systems. This extends to
-non-Linux systems such as kFreeBSD and Hurd.
-
----
- lib/test_process.c | 4 ++--
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/test_process.c b/lib/test_process.c
-index 6e652ed..6a4776c 100644
---- a/lib/test_process.c
-+++ b/lib/test_process.c
-@@ -21,7 +21,9 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <signal.h>
-+#ifdef __linux__
- #include <sys/prctl.h>
-+#endif
- #include "c.h"
-
- #define DEFAULT_SLEEPTIME 300
-@@ -78,8 +80,10 @@
- sigaction(SIGUSR1, &signal_action, NULL);
- sigaction(SIGUSR2, &signal_action, NULL);
-
-+#ifdef __linux__
- /* set process name */
- prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL);
-+#endif
-
- while (sleep_time > 0) {
- sleep_time = sleep(sleep_time);
---
-2.8.2
-
diff --git a/gnu/packages/patches/rapicorn-isnan.patch b/gnu/packages/patches/rapicorn-isnan.patch
deleted file mode 100644
index b0e7819e64..0000000000
--- a/gnu/packages/patches/rapicorn-isnan.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From e0c8341b3e4e13778bcde00d477e461ea8e94306 Mon Sep 17 00:00:00 2001
-From: Stefan Westerfeld <stefan@space.twc.de>
-Date: Fri, 22 Apr 2016 18:03:37 +0200
-Subject: [PATCH 031/176] RCORE: compile fixes for KUbuntu 16.04/gcc
- 5.3.1-14ubuntu2
-
-Rapicorn uses isnan(...) and isinf(...) from cmath.h, however on KUbuntu 16.04
-it should use std::isnan(...) and std::isinf(...) instead. Patch below.
-
-Acked-by: Tim Janik <timj@gnu.org>
----
- rcore/strings.cc | 10 +++++-----
- rcore/tests/benchrcore.cc | 4 ++--
- rcore/tests/strings.cc | 4 ++--
- 3 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/rcore/strings.cc b/rcore/strings.cc
-index d5b0216..8b3bc3f 100644
---- a/rcore/strings.cc
-+++ b/rcore/strings.cc
-@@ -437,7 +437,7 @@ static long double
- libc_strtold (const char *nptr, char **endptr)
- {
- const long double result = strtold (nptr, endptr);
-- if (isnan (result) && std::signbit (result) == 0)
-+ if (std::isnan (result) && std::signbit (result) == 0)
- {
- const char *p = nptr;
- while (isspace (*p))
-@@ -500,9 +500,9 @@ string_to_double (const char *dblstring, const char **endptr)
- String
- string_from_float (float value)
- {
-- if (isnan (value))
-+ if (std::isnan (value))
- return std::signbit (value) ? "-NaN" : "+NaN";
-- if (isinf (value))
-+ if (std::isinf (value))
- return std::signbit (value) ? "-Infinity" : "+Infinity";
- return string_format ("%.7g", value);
- }
-@@ -511,9 +511,9 @@ string_from_float (float value)
- String
- string_from_double (double value)
- {
-- if (isnan (value))
-+ if (std::isnan (value))
- return std::signbit (value) ? "-NaN" : "+NaN";
-- if (isinf (value))
-+ if (std::isinf (value))
- return std::signbit (value) ? "-Infinity" : "+Infinity";
- return string_format ("%.17g", value);
- }
-diff --git a/rcore/tests/benchrcore.cc b/rcore/tests/benchrcore.cc
-index 3899a08..12fde16 100644
---- a/rcore/tests/benchrcore.cc
-+++ b/rcore/tests/benchrcore.cc
-@@ -188,8 +188,8 @@ test_random_numbers()
- const double rf = random_frange (989617512, 9876547656);
- TASSERT (rf >= 989617512 && rf < 9876547656);
- }
-- TASSERT (isnan (random_frange (NAN, 1)));
-- TASSERT (isnan (random_frange (0, NAN)));
-+ TASSERT (std::isnan (random_frange (NAN, 1)));
-+ TASSERT (std::isnan (random_frange (0, NAN)));
- #if 0 // example penalty paid in random_int64()
- size_t i, j = 0;
- for (i = 0; i < 100; i++)
-diff --git a/rcore/tests/strings.cc b/rcore/tests/strings.cc
-index 468a6e6..dae3e3d 100644
---- a/rcore/tests/strings.cc
-+++ b/rcore/tests/strings.cc
-@@ -311,9 +311,9 @@ string_conversions (void)
- TCMP (string_to_double ("-0.5"), ==, -0.5);
- double tfloat;
- tfloat = string_to_double ("+NAN");
-- assert (isnan (tfloat) && std::signbit (tfloat) == 0);
-+ assert (std::isnan (tfloat) && std::signbit (tfloat) == 0);
- tfloat = string_to_double ("-NAN");
-- assert (isnan (tfloat) && std::signbit (tfloat) == 1);
-+ assert (std::isnan (tfloat) && std::signbit (tfloat) == 1);
- TCMP (string_capitalize ("fOO bar"), ==, "Foo Bar");
- TCMP (string_capitalize ("foo BAR BAZ", 2), ==, "Foo Bar BAZ");
- }
---
-2.9.1
-
diff --git a/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch b/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch
new file mode 100644
index 0000000000..39d8e2b20a
--- /dev/null
+++ b/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch
@@ -0,0 +1,33 @@
+commit e9ddc08da0982f36581ae5a8c7763453ff41cfe8
+Author: Sergey Poznyakoff <gray@gnu.org>
+Date: Thu Sep 25 00:22:16 2014 +0300
+
+ Bugfixes.
+
+ * doc/tar.1: Fix typo in font spec.
+ * src/tar.c (sort_mode_arg, sort_mode_flag): Protect "inode"
+ (SAVEDIR_SORT_INODE) with D_INO_IN_DIRENT
+
+diff --git a/src/tar.c b/src/tar.c
+index 225c624..f8102e0 100644
+--- a/src/tar.c
++++ b/src/tar.c
+@@ -1341,14 +1341,18 @@ static char filename_terminator;
+ static char const *const sort_mode_arg[] = {
+ "none",
+ "name",
++#if D_INO_IN_DIRENT
+ "inode",
++#endif
+ NULL
+ };
+
+ static int sort_mode_flag[] = {
+ SAVEDIR_SORT_NONE,
+ SAVEDIR_SORT_NAME,
++#if D_INO_IN_DIRENT
+ SAVEDIR_SORT_INODE
++#endif
+ };
+
+ ARGMATCH_VERIFY (sort_mode_arg, sort_mode_flag); \ No newline at end of file