9 files changed, 306 insertions, 227 deletions
diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch
new file mode 100644
index 0000000000..8e0508afb5
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2017-14502.patch
@@ -0,0 +1,40 @@
+Fix CVE-2017-14502:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
+
+From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@bec.de>
+Date: Sat, 9 Sep 2017 17:47:32 +0200
+Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR
+ archives.
+
+Reported-By: OSS-Fuzz issue 573
+---
+ libarchive/archive_read_support_format_rar.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index cbb14c32..751de697 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+         return (ARCHIVE_FATAL);
+       }
+       filename[filename_size++] = '\0';
+-      filename[filename_size++] = '\0';
++      /*
++       * Do not increment filename_size here as the computations below
++       * add the space for the terminating NUL explicitly.
++       */
++      filename[filename_size] = '\0';
+ 
+       /* Decoded unicode form is UTF-16BE, so we have to update a string
+        * conversion object for it. */
+-- 
+2.15.1
+
diff --git a/gnu/packages/patches/libexif-CVE-2017-7544.patch b/gnu/packages/patches/libexif-CVE-2017-7544.patch
new file mode 100644
index 0000000000..c4ea373dc5
--- /dev/null
+++ b/gnu/packages/patches/libexif-CVE-2017-7544.patch
@@ -0,0 +1,29 @@
+Fix CVE-2017-7544:
+
+https://sourceforge.net/p/libexif/bugs/130/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
+
+Patch copied from upstream bug tracker:
+
+https://sourceforge.net/p/libexif/bugs/130/#489a
+
+Index: libexif/exif-data.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
+retrieving revision 1.131
+diff -u -r1.131 exif-data.c
+--- a/libexif/exif-data.c	12 Jul 2012 17:28:26 -0000	1.131
++++ b/libexif/exif-data.c	25 Jul 2017 21:34:06 -0000
+@@ -255,6 +255,12 @@
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
diff --git a/gnu/packages/patches/links-CVE-2017-11114.patch b/gnu/packages/patches/links-CVE-2017-11114.patch
new file mode 100644
index 0000000000..c5ac9884b5
--- /dev/null
+++ b/gnu/packages/patches/links-CVE-2017-11114.patch
@@ -0,0 +1,99 @@
+Fix CVE-2017-11114:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11114
+http://seclists.org/fulldisclosure/2017/Jul/76
+
+Patch copied from Debian:
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870299#12
+
+Origin: upstream, commit: fee5dca79a93a37024e494b985386a5fe60bc1b7
+Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870299#12
+Author: Mikulas Patocka <mikulas@twibright.com>
+Date:   Wed Aug 2 20:13:29 2017 +0200
+Subject: Fix read out of memory in case of corrupted UTF-8 data
+
+---
+ charsets.c |   37 +------------------------------------
+ links.h    |    9 ++++-----
+ 2 files changed, 5 insertions(+), 41 deletions(-)
+
+Index: links-2.14/charsets.c
+===================================================================
+--- links-2.14.orig/charsets.c
++++ links-2.14/charsets.c
+@@ -215,41 +215,6 @@ static struct conv_table *get_translatio
+ 	return utf_table;
+ }
+ 
+-unsigned short int utf8_2_uni_table[0x200] = {
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 128,	0, 0, 0, 192,	0,
+-	0, 0, 256,	0, 0, 0, 320,	0, 0, 0, 384,	0, 0, 0, 448,	0,
+-	0, 0, 512,	0, 0, 0, 576,	0, 0, 0, 640,	0, 0, 0, 704,	0,
+-	0, 0, 768,	0, 0, 0, 832,	0, 0, 0, 896,	0, 0, 0, 960,	0,
+-	0, 0, 1024,	0, 0, 0, 1088,	0, 0, 0, 1152,	0, 0, 0, 1216,	0,
+-	0, 0, 1280,	0, 0, 0, 1344,	0, 0, 0, 1408,	0, 0, 0, 1472,	0,
+-	0, 0, 1536,	0, 0, 0, 1600,	0, 0, 0, 1664,	0, 0, 0, 1728,	0,
+-	0, 0, 1792,	0, 0, 0, 1856,	0, 0, 0, 1920,	0, 0, 0, 1984,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-};
+-
+ unsigned char utf_8_1[256] = {
+ 	6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
+ 	7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
+@@ -269,7 +234,7 @@ unsigned char utf_8_1[256] = {
+ 	3, 3, 3, 3, 3, 3, 3, 3, 2, 2, 2, 2, 1, 1, 6, 6,
+ };
+ 
+-static_const unsigned min_utf_8[9] = {
++static_const unsigned min_utf_8[8] = {
+ 	0, 0x4000000, 0x200000, 0x10000, 0x800, 0x80, 0x100, 0x1,
+ };
+ 
+Index: links-2.14/links.h
+===================================================================
+--- links-2.14.orig/links.h
++++ links-2.14/links.h
+@@ -3906,15 +3906,14 @@ unsigned char *cp_strchr(int charset, un
+ void init_charset(void);
+ 
+ unsigned get_utf_8(unsigned char **p);
+-extern unsigned short int utf8_2_uni_table[0x200];
+ #define GET_UTF_8(s, c)							\
+ do {									\
+ 	if ((unsigned char)(s)[0] < 0x80)				\
+ 		(c) = (s)++[0];						\
+-	else if (((c) = utf8_2_uni_table[((unsigned char)(s)[0] << 2) +	\
+-				((unsigned char)(s)[1] >> 6) - 0x200]))	\
+-		(c) += (unsigned char)(s)[1] & 0x3f, (s) += 2;		\
+-	else								\
++	else if ((unsigned char)(s)[0] >= 0xc2 && (unsigned char)(s)[0] < 0xe0 &&\
++	         ((unsigned char)(s)[1] & 0xc0) == 0x80) {		\
++		(c) = (unsigned char)(s)[0] * 0x40 + (unsigned char)(s)[1], (c) -= 0x3080, (s) += 2;\
++	} else								\
+ 		(c) = get_utf_8(&(s));					\
+ } while (0)
+ #define FWD_UTF_8(s)							\
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14685.patch b/gnu/packages/patches/mupdf-CVE-2017-14685.patch
deleted file mode 100644
index 3fcce5fedf..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-14685.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2017-14685:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14685
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
-
-From ab1a420613dec93c686acbee2c165274e922f82a Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 19 Sep 2017 15:23:04 +0200
-Subject: [PATCH] Fix 698539: Don't use xps font if it could not be loaded.
-
-xps_load_links_in_glyphs did not cope with font loading failures.
----
- source/xps/xps-link.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source/xps/xps-link.c b/source/xps/xps-link.c
-index c07e0d7..c26a8d9 100644
---- a/source/xps/xps-link.c
-+++ b/source/xps/xps-link.c
-@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
- 			bidi_level = atoi(bidi_level_att);
- 
- 		font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
-+		if (!font)
-+			return;
- 		text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att),
- 				fz_atof(origin_x_att), fz_atof(origin_y_att),
- 				is_sideways, bidi_level, indices_att, unicode_att);
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14686.patch b/gnu/packages/patches/mupdf-CVE-2017-14686.patch
deleted file mode 100644
index e462a6ffeb..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-14686.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2017-14686:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14686
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
-
-From 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 19 Sep 2017 16:33:38 +0200
-Subject: [PATCH] Fix 698540: Check name, comment and meta size field signs.
-
----
- source/fitz/unzip.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
-index f2d4f32..0bcce0f 100644
---- a/source/fitz/unzip.c
-+++ b/source/fitz/unzip.c
-@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
- 		(void) fz_read_int32_le(ctx, file); /* ext file atts */
- 		offset = fz_read_int32_le(ctx, file);
- 
-+		if (namesize < 0 || metasize < 0 || commentsize < 0)
-+			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
-+
- 		name = fz_malloc(ctx, namesize + 1);
- 		n = fz_read(ctx, file, (unsigned char*)name, namesize);
- 		if (n < (size_t)namesize)
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14687.patch b/gnu/packages/patches/mupdf-CVE-2017-14687.patch
deleted file mode 100644
index cdc41df813..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-14687.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Fix CVE-2017-14687:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14687
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
-
-From 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 19 Sep 2017 17:17:12 +0200
-Subject: [PATCH] Fix 698558: Handle non-tags in tag name comparisons.
-
-Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
----
- source/html/css-apply.c   | 2 +-
- source/svg/svg-run.c      | 2 +-
- source/xps/xps-common.c   | 6 +++---
- source/xps/xps-glyphs.c   | 2 +-
- source/xps/xps-path.c     | 4 ++--
- source/xps/xps-resource.c | 2 +-
- 6 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/source/html/css-apply.c b/source/html/css-apply.c
-index de55490..6a91df0 100644
---- a/source/html/css-apply.c
-+++ b/source/html/css-apply.c
-@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
- 
- 	if (sel->name)
- 	{
--		if (strcmp(sel->name, fz_xml_tag(node)))
-+		if (!fz_xml_is_tag(node, sel->name))
- 			return 0;
- 	}
- 
-diff --git a/source/svg/svg-run.c b/source/svg/svg-run.c
-index f974c67..5302c64 100644
---- a/source/svg/svg-run.c
-+++ b/source/svg/svg-run.c
-@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
- 		fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1);
- 		if (linked)
- 		{
--			if (!strcmp(fz_xml_tag(linked), "symbol"))
-+			if (fz_xml_is_tag(linked, "symbol"))
- 				svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state);
- 			else
- 				svg_run_element(ctx, dev, doc, linked, &local_state);
-diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
-index cc7fed9..f2f9b93 100644
---- a/source/xps/xps-common.c
-+++ b/source/xps/xps-common.c
-@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const
- 	else if (fz_xml_is_tag(node, "RadialGradientBrush"))
- 		xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node);
- 	else
--		fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
-+		fz_warn(ctx, "unknown brush tag");
- }
- 
- void
-@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons
- 	if (opacity_att)
- 		opacity = fz_atof(opacity_att);
- 
--	if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
- 	{
- 		char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
- 		char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
-@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource
- 
- 	if (opacity_mask_tag)
- 	{
--		if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
-+		if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
- 			fz_pop_clip(ctx, dev);
- 	}
- }
-diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
-index 29dc5b3..5b26d78 100644
---- a/source/xps/xps-glyphs.c
-+++ b/source/xps/xps-glyphs.c
-@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm,
- 
- 	/* If it's a solid color brush fill/stroke do a simple fill */
- 
--	if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
- 	{
- 		fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
- 		fill_att = fz_xml_att(fill_tag, "Color");
-diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
-index 6faeb0c..021d202 100644
---- a/source/xps/xps-path.c
-+++ b/source/xps/xps-path.c
-@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b
- 	if (!data_att && !data_tag)
- 		return;
- 
--	if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
- 	{
- 		fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
- 		fill_att = fz_xml_att(fill_tag, "Color");
- 		fill_tag = NULL;
- 	}
- 
--	if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
- 	{
- 		stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
- 		stroke_att = fz_xml_att(stroke_tag, "Color");
-diff --git a/source/xps/xps-resource.c b/source/xps/xps-resource.c
-index c2292e6..8e81ab8 100644
---- a/source/xps/xps-resource.c
-+++ b/source/xps/xps-resource.c
-@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b
- 	if (!xml)
- 		return NULL;
- 
--	if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
-+	if (!fz_xml_is_tag(xml, "ResourceDictionary"))
- 	{
- 		fz_drop_xml(ctx, xml);
- 		fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element");
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-15587.patch b/gnu/packages/patches/mupdf-CVE-2017-15587.patch
deleted file mode 100644
index 7d24666756..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-15587.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Fix CVE-2017-15587.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
-https://nandynarwhals.org/CVE-2017-15587/
-
-This patch is these two upstream commits squashed together:
-<https://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8>
-<https://git.ghostscript.com/?p=mupdf.git;h=d18bc728e46c5a5708f14d27c2b6c44e1d0c3232>
-
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 66bd0ed8..89499e61 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
- 	pdf_xref_entry *table;
- 	int i, n;
- 
--	if (i0 < 0 || i1 < 0)
-+	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
- 		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
- 	//if (i0 + i1 > pdf_xref_len(ctx, doc))
- 	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
--- 
-2.15.0
-
diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch
index 0b5b735ff3..d5c9c60242 100644
--- a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch
+++ b/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch
@@ -1,4 +1,4 @@
-Make it possible to build MuPDF with OpenJPEG 2.1, which is the latest
+Make it possible to build MuPDF with OpenJPEG 2.3, which is the latest
 release series and contains many important bug fixes.
 
 Patch adapted from Debian:
@@ -10,16 +10,16 @@ And related to this upstream commit:
 http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f88bfe2e62dbadb96d4f52d7aa025f0a516078da
 
 diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c
-index 6b92e5c..72dea50 100644
+index 65699ba..ea84778 100644
 --- a/source/fitz/load-jpx.c
 +++ b/source/fitz/load-jpx.c
-@@ -444,11 +444,6 @@
+@@ -445,11 +445,6 @@ fz_load_jpx_info(fz_context *ctx, const unsigned char *data, size_t size, int *w
  
  #else /* HAVE_LURATECH */
  
 -#define OPJ_STATIC
 -#define OPJ_HAVE_INTTYPES_H
--#if !defined(_WIN32) && !defined(_WIN64)
+-#if !defined(_MSC_VER) || _MSC_VER >= 1600
 -#define OPJ_HAVE_STDINT_H
 -#endif
  #define USE_JPIP
diff --git a/gnu/packages/patches/xboing-CVE-2004-0149.patch b/gnu/packages/patches/xboing-CVE-2004-0149.patch
new file mode 100644
index 0000000000..b40146b434
--- /dev/null
+++ b/gnu/packages/patches/xboing-CVE-2004-0149.patch
@@ -0,0 +1,134 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0149
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924
+---
+ demo.c      |  2 +-
+ editor.c    | 12 ++++++------
+ file.c      |  2 +-
+ highscore.c |  6 +++---
+ misc.c      |  2 +-
+ preview.c   |  2 +-
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/demo.c b/demo.c
+index 9084e70..f4fc2cd 100644
+--- a/demo.c
++++ b/demo.c
+@@ -154,7 +154,7 @@ static void DoBlocks(display, window)
+ 
+     /* Construct the demo level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/demo.data", str);
++        snprintf(levelPath, sizeof(levelPath),"%s/demo.data", str);
+     else
+         sprintf(levelPath, "%s/demo.data", LEVEL_INSTALL_DIR);
+ 
+diff --git a/editor.c b/editor.c
+index f2bb9ed..66d0679 100644
+--- a/editor.c
++++ b/editor.c
+@@ -213,7 +213,7 @@ static void DoLoadLevel(display, window)
+ 
+     /* Construct the Edit level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/editor.data", str);
++        snprintf(levelPath,sizeof(levelPath)-1, "%s/editor.data", str);
+     else
+         sprintf(levelPath, "%s/editor.data", LEVEL_INSTALL_DIR);
+ 
+@@ -958,8 +958,8 @@ static void LoadALevel(display)
+     if ((num > 0) && (num <= MAX_NUM_LEVELS))
+     {
+ 	    /* Construct the Edit level filename */
+-   	 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        	sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
++        if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
++            snprintf(levelPath, sizeof(levelPath)-1,"%s/level%02ld.data", str2, (u_long) num);
+     	else
+         	sprintf(levelPath, "%s/level%02ld.data", 
+ 				LEVEL_INSTALL_DIR, (u_long) num);
+@@ -1017,9 +1017,9 @@ static void SaveALevel(display)
+     num = atoi(str);
+     if ((num > 0) && (num <= MAX_NUM_LEVELS))
+     {
+-	    /* Construct the Edit level filename */
+-   	 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        	sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
++        /* Construct the Edit level filename */
++        if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
++            snprintf(levelPath, sizeof(levelPath)-1,"%s/level%02ld.data", str2, (u_long) num);
+     	else
+         	sprintf(levelPath, "%s/level%02ld.data", 
+ 				LEVEL_INSTALL_DIR, (u_long) num);
+diff --git a/file.c b/file.c
+index 4c043cd..99a0854 100644
+--- a/file.c
++++ b/file.c
+@@ -139,7 +139,7 @@ void SetupStage(display, window)
+ 
+     /* Construct the level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/level%02ld.data", str, newLevel);
++        snprintf(levelPath,sizeof(levelPath), "%s/level%02ld.data", str, newLevel);
+     else
+         sprintf(levelPath, "%s/level%02ld.data", LEVEL_INSTALL_DIR, newLevel);
+ 
+diff --git a/highscore.c b/highscore.c
+index f0db3e9..792273e 100644
+--- a/highscore.c
++++ b/highscore.c
+@@ -1023,7 +1023,7 @@ int ReadHighScoreTable(type)
+ 	{
+ 		/* Use the environment variable if it exists */
+ 		if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-			strcpy(filename, str);
++            strncpy(filename, str, sizeof(filename)-1);
+ 		else
+ 			strcpy(filename, HIGH_SCORE_FILE);
+ 	}
+@@ -1095,7 +1095,7 @@ int WriteHighScoreTable(type)
+ 	{
+ 		/* Use the environment variable if it exists */
+ 		if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-			strcpy(filename, str);
++            strncpy(filename, str, sizeof(filename)-1);
+ 		else
+ 			strcpy(filename, HIGH_SCORE_FILE);
+ 	}	
+@@ -1218,7 +1218,7 @@ static int LockUnlock(cmd)
+ 
+ 	/* Use the environment variable if it exists */
+ 	if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-		strcpy(filename, str);
++        strncpy(filename, str, sizeof(filename)-1);
+ 	else
+ 		strcpy(filename, HIGH_SCORE_FILE);
+ 
+diff --git a/misc.c b/misc.c
+index f3ab37e..7f3ddce 100644
+--- a/misc.c
++++ b/misc.c
+@@ -427,7 +427,7 @@ char *GetHomeDir()
+      */
+ 
+     if ((ptr = getenv("HOME")) != NULL)
+-        (void) strcpy(dest, ptr);
++        (void) strncpy(dest, ptr,sizeof(dest)-1);
+     else
+     {
+         /* HOME variable is not present so get USER var */
+diff --git a/preview.c b/preview.c
+index 41c1187..687f566 100644
+--- a/preview.c
++++ b/preview.c
+@@ -139,7 +139,7 @@ static void DoLoadLevel(display, window)
+ 
+     /* Construct the Preview level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/level%02d.data", str, lnum);
++        snprintf(levelPath, sizeof(levelPath)-1, "%s/level%02d.data", str, lnum);
+     else
+         sprintf(levelPath, "%s/level%02d.data", LEVEL_INSTALL_DIR, lnum);
+ 
+-- 
+2.15.1
+