Update for 2018.11.3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
board/pc: fix typo in board/pc/post-build.sh
2026-01-09 06:10:17 +03:00 · 2019-02-23 23:13:58 +01:00 · 2019-02-23 22:52:35 +01:00 · 2019-02-23 19:40:38 +01:00 · 2019-02-23 19:36:58 +01:00 · 2019-02-23 19:34:30 +01:00
307 changed files with 6798 additions and 1122 deletions
--- a/90
+++ b/90
@@ -1,3 +1,93 @@
+2018.11.3, Released February 23th, 2019
+
+	Important / security related fixes.
+
+	Ensure the PLATFORM and OS environment variables are not set,
+	as they cause build issues for some packages.
+
+	The package list infrastructure now correctly handles packages
+	installing files with old mtime.
+
+	Linux: Skip hash checks for user supplied downloadable
+	patches, as no hash checksums are available for those.
+
+	scanpypi: protect against zip-slip vulnerability in zip/tar
+	handling
+
+	Download: fixes for SSH/SCP support
+
+	SDK: Fix handling of relative symlinks (targets starting with
+	'.' or '..')
+
+	Updated/fixed packages: bind, dhcpcd, docker-compose,
+	docker-containerd, docker-engine, dovecot, dovecot-pigeonhole,
+	dtc, efivar, ghostscript, gnuradio, imagemagick, jpeg-turbo,
+	libarchive, libb64, libcurl, libgeotiff, libgpiod, libid3tag,
+	libupnp18, log4cplus, madplay, meson, mosquitto, openssh, php,
+	poco, postgresql, proftpd, pulseaudio, python, python-django,
+	python3, qt5base, reaver, runc, sg3_utils, sqlcipher,
+	swupdate, systemd, unzip, webkitgtk, xenomai
+
+2018.11.2, Released January 30th, 2019
+
+	Important / security related fixes.
+
+	Defconfigs: Fixes for imx6slevk, imx7dsabresd, imx8mqevk, Lego
+	EV3, QEMU AArch64-virt
+
+	Download: Fix scp download handling
+
+	check-package: fix Python 3 support
+
+	get-developers: Fix behaviour when called from elsewhere than
+	the toplevel directory.
+
+	kconfig: Fix for make linux-menuconfig / uboot-menuconfig from
+	a clean tree when ccache is enabled.
+
+	cmake: Also set CMAKE_SYSTEM_VERSION in toolchainfile.cmake
+
+	Updated/fixed packages: acpica, apache, apr, avrdude, cargo,
+	cc-tool, dash, dhcpdump, dmalloc, docker-containerd, efivar,
+	fwts, glibc, gnuchess, gnupg2, go, leveldb, libarchive,
+	libassuan, libftdi1, libgpg-error, libhttpparser, libkcapi,
+	libmad, libsndfile, libsquish, liburiparser, libwebsock,
+	libxml2, lighttpd, llvm, lm-sensors, lua-msgpack-native, lxc,
+	mariadb, mbedtls, meson, mosquitto, netatalk, nodejs, odhcp6c,
+	openresolv, openssh, pango, patchelf, php, python-django,
+	python-numpy, python-pyyaml, rauc, rp-pppoe, s6-networking,
+	samba4, sdl_sound, shairport-sync, sqlite, subversion,
+	sunxi-cedarx, swupdate, systemd, tcpreplay, tekui, tmp2-abrmd,
+	tpm2-tools, tpm2-tss, udisks, unixodbc, usb_modeswitch,
+	webkitgtk, wireshark, wolfssl, xapp_rgb, xenomai, xerces
+
+	Issues resolved (http://bugs.uclibc.org):
+
+	#11576: Unable to start apache with event MPM on raspberry pi 3
+
+2018.11.1, Released December 20th, 2018
+
+	Important / security related fixes.
+
+	defconfigs: Fixes for bananapi m2 ultra, ci20
+
+	Download wrapper: Fix for urlencode handling
+
+	Updated/fixed packages: asterisk, docker-compose,
+	docker-engine, dt-utils, gnutls, go, grub, libbsd, libcurl,
+	libpgpme, libiscsi, liblo, libmpd, libopenssl, liboping,
+	libpam-tacplus, libpjsip, linux-firmware, liquid-dsp,
+	lua-cqueue, luvi, lxc, lynx, nginx, nodejs, openzwave, php,
+	pps-tools, proftpd, prosody, sdl2_net, squashfs, swupdate,
+	uclibc, vtu, webkitgtk, wine, xen
+
+	New packages: docker-cli
+
+	Issues resolved (http://bugs.uclibc.org):
+
+	#11426: pps-tools bash dependency
+	#11536: dt-utils building fails with glibc 2.28
+
 2018.11, Released December 1st, 2018

 	Minor fixes.
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -241,6 +241,15 @@ config BR2_PACKAGE_LIBNFTNL_XML
 ###############################################################################
 comment "Legacy options removed in 2018.08"

+config BR2_PACKAGE_DOCKER_ENGINE_STATIC_CLIENT
+	bool "docker-engine static client option renamed"
+	select BR2_LEGACY
+	select BR2_PACKAGE_DOCKER_CLI_STATIC
+	help
+	  BR2_PACKAGE_DOCKER_ENGINE_STATIC_CLIENT has been renamed to
+	  BR2_PACKAGE_DOCKER_CLI_STATIC, following the package split of
+	  docker-engine and docker-cli.
+
 config BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_19
 	bool "Modular X.org server was updated to version 1.20.0"
 	select BR2_LEGACY
--- a/9
+++ b/9
@@ -851,7 +851,7 @@ F:	package/qt5/qt5webengine/
 F:	package/qt5/qt5webkit/
 F:	package/qt5/qt5webkit-examples/

-N:	Gary Bisson <gary.bisson@boundarydevices.com>
+N:	Gary Bisson <bisson.gary@gmail.com>
 F:	board/boundarydevices/
 F:	configs/nitrogen*
 F:	package/freescale-imx/
@@ -1859,13 +1859,6 @@ N:	Scott Fan <fancp2007@gmail.com>
 F:	package/libssh/
 F:	package/x11r7/xdriver_xf86-video-fbturbo/

-N:	Sebastien Bourdelin <sebastien.bourdelin@savoirfairelinux.com>
-F:	package/atf/
-F:	package/cppunit/
-F:	package/kyua/
-F:	package/lutok/
-F:	package/yaml-cpp/
-
 N:	Sébastien Szymanski <sebastien.szymanski@armadeus.com>
 F:	package/mmc-utils/
 F:	package/python-flask-jsonrpc/
--- a/12
+++ b/12
@@ -2,7 +2,7 @@
 #
 # Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
 # Copyright (C) 2006-2014 by the Buildroot developers <buildroot@uclibc.org>
-# Copyright (C) 2014-2018 by the Buildroot developers <buildroot@buildroot.org>
+# Copyright (C) 2014-2019 by the Buildroot developers <buildroot@buildroot.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -92,9 +92,9 @@ all:
 .PHONY: all

 # Set and export the version string
-export BR2_VERSION := 2018.11
+export BR2_VERSION := 2018.11.3
 # Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1543701000
+BR2_VERSION_EPOCH = 1550960000

 # Save running make version since it's clobbered by the make package
 RUNNING_MAKE_VERSION := $(MAKE_VERSION)
@@ -422,6 +422,8 @@ unexport TERMINFO
 unexport MACHINE
 unexport O
 unexport GCC_COLORS
+unexport PLATFORM
+unexport OS

 GNU_HOST_NAME := $(shell support/gnuconfig/config.guess)

@@ -602,8 +604,8 @@ sdk: prepare-sdk $(BR2_TAR_HOST_DEPENDENCY)
 	$(Q)mkdir -p $(BINARIES_DIR)
 	$(TAR) czf "$(BINARIES_DIR)/$(BR2_SDK_PREFIX).tar.gz" \
 		--owner=0 --group=0 --numeric-owner \
-		--transform='s#^\.#$(BR2_SDK_PREFIX)#' \
-		-C $(HOST_DIR) "."
+		--transform='s#^$(patsubst /%,%,$(HOST_DIR))#$(BR2_SDK_PREFIX)#' \
+		-C / $(patsubst /%,%,$(HOST_DIR))

 # Populating the staging with the base directories is handled by the skeleton package
 $(STAGING_DIR):
--- a/arch/Config.in.arm
+++ b/arch/Config.in.arm
@@ -376,25 +376,19 @@ config BR2_exynos_m1
 	select BR2_ARM_CPU_ARMV8A
 	select BR2_ARCH_HAS_MMU_OPTIONAL
 	select BR2_ARCH_NEEDS_GCC_AT_LEAST_5
+if BR2_ARCH_IS_64
 config BR2_falkor
 	bool "falkor"
-	select BR2_ARM_CPU_HAS_ARM if !BR2_ARCH_IS_64
-	select BR2_ARM_CPU_HAS_NEON if !BR2_ARCH_IS_64
-	select BR2_ARM_CPU_HAS_THUMB2 if !BR2_ARCH_IS_64
 	select BR2_ARM_CPU_HAS_FP_ARMV8
 	select BR2_ARM_CPU_ARMV8A
 	select BR2_ARCH_HAS_MMU_OPTIONAL
 	select BR2_ARCH_NEEDS_GCC_AT_LEAST_7
 config BR2_qdf24xx
 	bool "qdf24xx"
-	select BR2_ARM_CPU_HAS_ARM if !BR2_ARCH_IS_64
-	select BR2_ARM_CPU_HAS_NEON if !BR2_ARCH_IS_64
-	select BR2_ARM_CPU_HAS_THUMB2 if !BR2_ARCH_IS_64
 	select BR2_ARM_CPU_HAS_FP_ARMV8
 	select BR2_ARM_CPU_ARMV8A
 	select BR2_ARCH_HAS_MMU_OPTIONAL
 	select BR2_ARCH_NEEDS_GCC_AT_LEAST_6
-if BR2_ARCH_IS_64
 config BR2_thunderx
 	bool "thunderx"
 	select BR2_ARM_CPU_HAS_FP_ARMV8
--- a/board/ci20/patches/uboot/0001-mips-Remove-default-endiannes.patch
+++ b/board/ci20/patches/uboot/0001-mips-Remove-default-endiannes.patch
@@ -0,0 +1,66 @@
+From b3a1e97498e7987073775d49a703932c20f2df1d Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@collabora.com>
+Date: Mon, 12 Nov 2018 14:04:46 -0300
+Subject: [PATCH] mips: Remove default endiannes
+
+Currently, trying to build ci20_mmc fails on little-endian
+toolchains. The problem seems to be that some targets don't
+have CONFIG_SYS_LITTLE_ENDIAN properly set, and therefore
+the default -EB switch is selected.
+
+Let's get rid of the default switch entirely, and fix this problem.
+While this may be a hack, it is a quick solution until
+U-Boot gets CI20 proper support.
+
+make ARCH=mips CROSS_COMPILE=mips-linux-gnu- ci20_mmc
+Configuring for ci20_mmc - Board: ci20, Options: SPL_MMC_SUPPORT,ENV_IS_IN_MMC
+make
+make[1]: Entering directory '/home/zeta/repos/u-boot-ci20'
+Generating include/autoconf.mk
+Generating include/autoconf.mk.dep
+mips-linux-gnu-gcc: error: may not use both -EB and -EL
+mips-linux-gnu-gcc: error: may not use both -EB and -EL
+Generating include/spl-autoconf.mk
+mips-linux-gnu-gcc: error: may not use both -EB and -EL
+Generating include/tpl-autoconf.mk
+mips-linux-gnu-gcc: error: may not use both -EB and -EL
+mips-linux-gnu-gcc -DDO_DEPS_ONLY \
+	-g  -Os   -ffunction-sections -fdata-sections -D__KERNEL__ -I/home/zeta/repos/u-boot-ci20/include -fno-builtin -ffreestanding -nostdinc -isystem /home/zeta/repos/buildroot/mips/output/host/opt/ext-toolchain/bin/../lib/gcc/mips-linux-gnu/5.3.0/include -pipe  -DCONFIG_MIPS -D__MIPS__ -G 0 -EB -msoft-float -fpic -mabicalls -march=mips32 -mabi=32 -DCONFIG_32BIT -mno-branch-likely -Wall -Wstrict-prototypes       \
+	-o lib/asm-offsets.s lib/asm-offsets.c -c -S
+if [ -f arch/mips/cpu/xburst/jz4780/asm-offsets.c ];then \
+	mips-linux-gnu-gcc -DDO_DEPS_ONLY \
+	-g  -Os   -ffunction-sections -fdata-sections -D__KERNEL__ -I/home/zeta/repos/u-boot-ci20/include -fno-builtin -ffreestanding -nostdinc -isystem /home/zeta/repos/buildroot/mips/output/host/opt/ext-toolchain/bin/../lib/gcc/mips-linux-gnu/5.3.0/include -pipe  -DCONFIG_MIPS -D__MIPS__ -G 0 -EB -msoft-float -fpic -mabicalls -march=mips32 -mabi=32 -DCONFIG_32BIT -mno-branch-likely -Wall -Wstrict-prototypes       \
+		-o arch/mips/cpu/xburst/jz4780/asm-offsets.s arch/mips/cpu/xburst/jz4780/asm-offsets.c -c -S; \
+else \
+	touch arch/mips/cpu/xburst/jz4780/asm-offsets.s; \
+fi
+mips-linux-gnu-gcc: error: may not use both -EB and -EL
+make[1]: *** [Makefile:747: lib/asm-offsets.s] Error 1
+make[1]: *** Waiting for unfinished jobs....
+make[1]: Leaving directory '/home/zeta/repos/u-boot-ci20'
+make: *** [.boards.depend:463: ci20_mmc] Error 2
+
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+---
+https://github.com/MIPS/CI20_u-boot/pull/19
+
+ arch/mips/config.mk | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/mips/config.mk b/arch/mips/config.mk
+index c89279025507..43560abbc0e1 100644
+--- a/arch/mips/config.mk
+++ b/arch/mips/config.mk
+@@ -20,9 +20,6 @@ ifdef CONFIG_SYS_BIG_ENDIAN
+ ENDIANNESS := -EB
+ endif
+ 
+-# Default to EB if no endianess is configured
+-ENDIANNESS ?= -EB
+-
+ PLATFORM_CPPFLAGS += -DCONFIG_MIPS -D__MIPS__
+ 
+ #
+-- 
+2.19.1
+
--- a/board/freescale/common/imx/genimage.cfg.template_imx8
+++ b/board/freescale/common/imx/genimage.cfg.template_imx8
@@ -3,7 +3,7 @@
 # We mimic the .sdcard Freescale's image format:
 # * the SD card must have 33 kB free space at the beginning,
 # * U-Boot is integrated into imx8-boot-sd.bin and is dumped as is,
-# * a FAT partition at offset 32MB is containing Image and DTB files
+# * a FAT partition at offset 8MB is containing Image and DTB files
 # * a single root filesystem partition is required (ext2, ext3 or ext4)
 #

--- a/board/freescale/imx7dsdb/patches/uboot/0001-imx-Create-distinct-pre-processed-mkimage-config-fil.patch
+++ b/board/freescale/imx7dsdb/patches/uboot/0001-imx-Create-distinct-pre-processed-mkimage-config-fil.patch
@@ -0,0 +1,89 @@
+From 27a2cd6a1980adf3002412678c8fdec6528dc47d Mon Sep 17 00:00:00 2001
+From: Trent Piepho <tpiepho@impinj.com>
+Date: Fri, 6 Apr 2018 17:11:27 -0700
+Subject: [PATCH] imx: Create distinct pre-processed mkimage config files
+
+Each imx image is created by a separate sub-make and during this process
+the mkimage config file is run though cpp.
+
+The cpp output is to the same file no matter what imx image is being
+created.
+
+This means if two imx images are generated in parallel they will attempt
+to independently produce the same pre-processed mkimage config file at
+the same time.
+
+Avoid the problem by making the pre-processed config file name unique
+based on the imx image it will be used in.  This way each image will
+create a unique config file and they won't clobber each other when run
+in parallel.
+
+This should fixed the build bug referenced in b5b0e4e3 ("imximage:
+Remove failure when no IVT offset is found").
+
+Cc: Breno Lima <breno.lima@nxp.com>
+Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Cc: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Trent Piepho <tpiepho@impinj.com>
+Tested-by: Fabio Estevam <fabio.estevam@nxp.com>
+[fabio: Adapted to imx_v2017.03_4.9.11_1.0.0_ga]
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+---
+ arch/arm/imx-common/Makefile | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/imx-common/Makefile b/arch/arm/imx-common/Makefile
+index d862258..f1bae8d 100644
+--- a/arch/arm/imx-common/Makefile
+++ b/arch/arm/imx-common/Makefile
+@@ -69,9 +69,11 @@ endif
+ quiet_cmd_cpp_cfg = CFGS    $@
+       cmd_cpp_cfg = $(CPP) $(cpp_flags) -x c -o $@ $<
+ 
+-IMX_CONFIG = $(CONFIG_IMX_CONFIG:"%"=%).cfgtmp
+# mkimage source config file
+IMX_CONFIG = $(CONFIG_IMX_CONFIG:"%"=%)
+ 
+-$(IMX_CONFIG): %.cfgtmp: % FORCE
+# How to create a cpp processed config file, they all use the same source
+%.cfgout: $(IMX_CONFIG) FORCE
+ 	$(Q)mkdir -p $(dir $@)
+ 	$(call if_changed_dep,cpp_cfg)
+ 
+@@ -79,7 +81,7 @@ MKIMAGEFLAGS_u-boot.imx = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imxim
+ 	-e $(CONFIG_SYS_TEXT_BASE)
+ u-boot.imx: MKIMAGEOUTPUT = u-boot.imx.log
+ 
+-u-boot.imx: u-boot.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
+u-boot.imx: u-boot.bin u-boot.cfgout $(PLUGIN).bin FORCE
+ 	$(call if_changed,mkimage)
+ 
+ ifeq ($(CONFIG_OF_SEPARATE),y)
+@@ -87,16 +89,15 @@ MKIMAGEFLAGS_u-boot-dtb.imx = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T i
+ 	-e $(CONFIG_SYS_TEXT_BASE)
+ u-boot-dtb.imx: MKIMAGEOUTPUT = u-boot-dtb.imx.log
+ 
+-u-boot-dtb.imx: u-boot-dtb.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
+u-boot-dtb.imx: u-boot-dtb.bin u-boot-dtb.cfgout $(PLUGIN).bin FORCE
+ 	$(call if_changed,mkimage)
+ endif
+ 
+ MKIMAGEFLAGS_SPL = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \
+ 	-e $(CONFIG_SPL_TEXT_BASE)
+-
+ SPL: MKIMAGEOUTPUT = SPL.log
+ 
+-SPL: spl/u-boot-spl.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
+SPL: spl/u-boot-spl.bin spl/u-boot-spl.cfgout $(PLUGIN).bin FORCE
+ 	$(call if_changed,mkimage)
+ 
+ MKIMAGEFLAGS_u-boot.uim = -A arm -O U-Boot -a $(CONFIG_SYS_TEXT_BASE) \
+@@ -124,4 +125,4 @@ cmd_u-boot-nand-spl_imx = (printf '\000\000\000\000\106\103\102\040\001' && \
+ spl/u-boot-nand-spl.imx: SPL FORCE
+ 	$(call if_changed,u-boot-nand-spl_imx)
+ 
+-targets += $(addprefix ../../../,$(IMX_CONFIG) SPL u-boot.uim spl/u-boot-nand-spl.imx)
+targets += $(addprefix ../../../,SPL spl/u-boot-spl.cfgout u-boot-dtb.cfgout u-boot.cfgout u-boot.uim spl/u-boot-nand-spl.imx)
+-- 
+2.7.4
+
--- a/board/freescale/imx8mqevk/readme.txt
+++ b/board/freescale/imx8mqevk/readme.txt
@@ -21,7 +21,7 @@ You will find in output/images/ the following files:
  - boot.vfat
  - fsl-imx8mq-evk.dtb
  - Image
-  - imx-boot-imx8mqevk-sd.bin
+  - imx8-boot-sd.bin
  - lpddr4_pmu_train_fw.bin
  - rootfs.ext2
  - rootfs.ext4
@@ -69,7 +69,7 @@ Enable HDMI output

 To enable HDMI output at boot you must provide the video kernel boot
 argument.  To set the video boot argument from U-Boot run after
-stoping in U-Boot prompt:
+stopping in U-Boot prompt:

 setenv mmcargs 'setenv bootargs console=${console} root=${mmcroot} video=HDMI-A-1:1920x1080-32@60'
 saveenv
--- a/board/lego/ev3/genimage.cfg
+++ b/board/lego/ev3/genimage.cfg
@@ -16,7 +16,7 @@ image flash.bin {
 	flashtype = "nor-16M-256"
 	partition uboot {
 		image = "u-boot.bin"
-		size = 320K
+		size = 256K
 	}
 	partition uimage {
 		image = "uImage.da850-lego-ev3"
--- a/board/pc/post-build.sh
+++ b/board/pc/post-build.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+BOARD_DIR=$(dirname "$0")
+
+# Detect boot strategy, EFI or BIOS
+if [ -f "$BINARIES_DIR/efi-part/startup.nsh" ]; then
+    cp -f "$BOARD_DIR/grub-efi.cfg" "$BINARIES_DIR/efi-part/EFI/BOOT/grub.cfg"
+else
+    cp -f "$BOARD_DIR/grub-bios.cfg" "$TARGET_DIR/boot/grub/grub.cfg"
+
+    # Copy grub 1st stage to binaries, required for genimage
+    cp -f "$HOST_DIR/lib/grub/i386-pc/boot.img" "$BINARIES_DIR"
+fi
--- a/board/pc/post-image.sh
+++ b/board/pc/post-image.sh
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-BOARD_DIR="$(dirname $0)"
-
-# Detect boot strategy, EFI or BIOS
-if [ -f ${BINARIES_DIR}/efi-part/startup.nsh ]; then
-  cp -f ${BOARD_DIR}/grub-efi.cfg ${BINARIES_DIR}/efi-part/EFI/BOOT/grub.cfg
-else
-  cp -f ${BOARD_DIR}/grub-bios.cfg ${TARGET_DIR}/boot/grub/grub.cfg
-  # Copy grub 1st stage to binaries, required for genimage
-  cp -f ${HOST_DIR}/lib/grub/i386-pc/boot.img ${BINARIES_DIR}
-fi
-
-exit $?
--- a/board/qemu/aarch64-virt/readme.txt
+++ b/board/qemu/aarch64-virt/readme.txt
@@ -1,6 +1,6 @@
 Run the emulation with:

-  qemu-system-aarch64 -M virt -cpu cortex-a57 -nographic -smp 1 -kernel output/images/Image -append "root=/dev/vda console=ttyAMA0" -netdev user,id=eth0 -device virtio-net-device,netdev=eth0 -drive file=output/images/rootfs.ext4,if=none,format=raw,id=hd0 -device virtio-blk-device,drive=hd0
+  qemu-system-aarch64 -M virt -cpu cortex-a53 -nographic -smp 1 -kernel output/images/Image -append "root=/dev/vda console=ttyAMA0" -netdev user,id=eth0 -device virtio-net-device,netdev=eth0 -drive file=output/images/rootfs.ext4,if=none,format=raw,id=hd0 -device virtio-blk-device,drive=hd0

 The login prompt will appear in the terminal that started Qemu.

--- a/boot/barebox/barebox.mk
+++ b/boot/barebox/barebox.mk
@@ -28,7 +28,7 @@ $(1)_SITE_METHOD = git
 else
 # Handle stable official Barebox versions
 $(1)_SOURCE = barebox-$$($(1)_VERSION).tar.bz2
-$(1)_SITE = http://www.barebox.org/download
+$(1)_SITE = https://www.barebox.org/download
 endif

 $(1)_DEPENDENCIES = host-lzop
--- a/boot/grub2/0001-x86-64-Treat-R_X86_64_PLT32-as-R_X86_64_PC32.patch
+++ b/boot/grub2/0001-x86-64-Treat-R_X86_64_PLT32-as-R_X86_64_PC32.patch
@@ -0,0 +1,74 @@
+From 842c390469e2c2e10b5aa36700324cd3bde25875 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 17 Feb 2018 06:47:28 -0800
+Subject: [PATCH] x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32
+
+Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a:
+
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a
+
+x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for
+32-bit PC-relative branches.  Grub2 should treat R_X86_64_PLT32 as
+R_X86_64_PC32.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Romain Naour <romain.naour@smile.fr>
+---
+ grub-core/efiemu/i386/loadcore64.c | 1 +
+ grub-core/kern/x86_64/dl.c         | 1 +
+ util/grub-mkimagexx.c              | 1 +
+ util/grub-module-verifier.c        | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c
+index e49d0b6..18facf4 100644
+--- a/grub-core/efiemu/i386/loadcore64.c
+++ b/grub-core/efiemu/i386/loadcore64.c
+@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs,
+ 		    break;
+ 
+ 		  case R_X86_64_PC32:
+		  case R_X86_64_PLT32:
+ 		    err = grub_efiemu_write_value (addr,
+ 						   *addr32 + rel->r_addend
+ 						   + sym.off
+diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c
+index 4406906..3a73e6e 100644
+--- a/grub-core/kern/x86_64/dl.c
+++ b/grub-core/kern/x86_64/dl.c
+@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
+ 	  break;
+ 
+ 	case R_X86_64_PC32:
+	case R_X86_64_PLT32:
+ 	  {
+ 	    grub_int64_t value;
+ 	    value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value -
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index a2bb054..39d7efb 100644
+--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
+@@ -841,6 +841,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
+ 		  break;
+ 
+ 		case R_X86_64_PC32:
+		case R_X86_64_PLT32:
+ 		  {
+ 		    grub_uint32_t *t32 = (grub_uint32_t *) target;
+ 		    *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32)
+diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c
+index 9179285..a79271f 100644
+--- a/util/grub-module-verifier.c
+++ b/util/grub-module-verifier.c
+@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = {
+       -1
+     }, (int[]){
+       R_X86_64_PC32,
+      R_X86_64_PLT32,
+       -1
+     }
+   },
+-- 
+2.7.4
+
--- a/boot/uboot/uboot.mk
+++ b/boot/uboot/uboot.mk
@@ -227,8 +227,9 @@ UBOOT_KCONFIG_EDITORS = menuconfig xconfig gconfig nconfig
 # (which is typically wchar) but link with
 # $(HOST_DIR)/lib/libncurses.so (which is not).  We don't actually
 # need any host-package for kconfig, so remove the HOSTCC/HOSTLDFLAGS
-# override again.
-UBOOT_KCONFIG_OPTS = $(UBOOT_MAKE_OPTS) HOSTCC="$(HOSTCC)" HOSTLDFLAGS=""
+# override again. In addition, host-ccache is not ready at kconfig
+# time, so use HOSTCC_NOCCACHE.
+UBOOT_KCONFIG_OPTS = $(UBOOT_MAKE_OPTS) HOSTCC="$(HOSTCC_NOCCACHE)" HOSTLDFLAGS=""
 define UBOOT_HELP_CMDS
 	@echo '  uboot-menuconfig       - Run U-Boot menuconfig'
 	@echo '  uboot-savedefconfig    - Run U-Boot savedefconfig'
--- a/configs/bananapi_m2_ultra_defconfig
+++ b/configs/bananapi_m2_ultra_defconfig
@@ -1,5 +1,6 @@
 BR2_arm=y
 BR2_cortex_a7=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_18=y
 BR2_TARGET_GENERIC_ISSUE="Welcome to Bananapi M2 Ultra"
 BR2_ROOTFS_POST_IMAGE_SCRIPT="support/scripts/genimage.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="-c board/bananapi/bananapi-m2-ultra/genimage.cfg"
--- a/configs/ci20_defconfig
+++ b/configs/ci20_defconfig
@@ -27,6 +27,7 @@ BR2_TARGET_UBOOT_BOARDNAME="ci20_mmc"
 BR2_TARGET_UBOOT_CUSTOM_GIT=y
 BR2_TARGET_UBOOT_CUSTOM_REPO_URL="https://github.com/MIPS/CI20_u-boot"
 BR2_TARGET_UBOOT_CUSTOM_REPO_VERSION="dd3c1b95dac7d10b2ca5806f65e5c1050d7dd0fa"
+BR2_TARGET_UBOOT_PATCH="board/ci20/patches/uboot"
 BR2_TARGET_UBOOT_FORMAT_IMG=y
 BR2_TARGET_UBOOT_SPL=y
 BR2_TARGET_UBOOT_SPL_NAME="spl/u-boot-spl.bin"
--- a/configs/freescale_imx7dsabresd_defconfig
+++ b/configs/freescale_imx7dsabresd_defconfig
@@ -2,6 +2,9 @@
 BR2_arm=y
 BR2_cortex_a7=y

+# patches
+BR2_GLOBAL_PATCH_DIR="board/freescale/imx7dsdb/patches"
+
 # Linux headers same as kernel, a 4.9 series
 BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_9=y

--- a/configs/imx6slevk_defconfig
+++ b/configs/imx6slevk_defconfig
@@ -11,7 +11,7 @@ BR2_TARGET_ROOTFS_EXT2_4=y
 BR2_TARGET_UBOOT=y
 BR2_TARGET_UBOOT_BOARDNAME="mx6slevk"
 BR2_TARGET_UBOOT_CUSTOM_VERSION=y
-BR2_TARGET_UBOOT_CUSTOM_VERSION_VALUE="2017.11"
+BR2_TARGET_UBOOT_CUSTOM_VERSION_VALUE="2018.11"
 BR2_TARGET_UBOOT_FORMAT_IMX=y
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
--- a/configs/pc_x86_64_bios_defconfig
+++ b/configs/pc_x86_64_bios_defconfig
@@ -19,7 +19,8 @@ BR2_TARGET_ROOTFS_EXT2=y
 BR2_TARGET_ROOTFS_EXT2_4=y
 BR2_TARGET_ROOTFS_EXT2_SIZE="120M"
 # BR2_TARGET_ROOTFS_TAR is not set
-BR2_ROOTFS_POST_IMAGE_SCRIPT="board/pc/post-image.sh support/scripts/genimage.sh"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/pc/post-build.sh"
+BR2_ROOTFS_POST_IMAGE_SCRIPT="support/scripts/genimage.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="-c board/pc/genimage-bios.cfg"

 # Linux headers same as kernel, a 4.18 series
--- a/configs/pc_x86_64_efi_defconfig
+++ b/configs/pc_x86_64_efi_defconfig
@@ -22,7 +22,8 @@ BR2_TARGET_ROOTFS_EXT2=y
 BR2_TARGET_ROOTFS_EXT2_4=y
 BR2_TARGET_ROOTFS_EXT2_SIZE="120M"
 # BR2_TARGET_ROOTFS_TAR is not set
-BR2_ROOTFS_POST_IMAGE_SCRIPT="board/pc/post-image.sh support/scripts/genimage.sh"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/pc/post-build.sh"
+BR2_ROOTFS_POST_IMAGE_SCRIPT="support/scripts/genimage.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="-c board/pc/genimage-efi.cfg"

 # Linux headers same as kernel, a 4.18 series
--- a/configs/qemu_aarch64_virt_defconfig
+++ b/configs/qemu_aarch64_virt_defconfig
@@ -1,5 +1,6 @@
 # Architecture
 BR2_aarch64=y
+BR2_cortex_a53=y

 # System
 BR2_SYSTEM_DHCP="eth0"
--- a/docs/manual/adding-packages-waf.txt
+++ b/docs/manual/adding-packages-waf.txt
@@ -63,7 +63,7 @@ also be defined.
 * +LIBFOO_NEEDS_EXTERNAL_WAF+ can be set to +YES+ or +NO+ to tell
  Buildroot to use the bundled +waf+ executable. If set to +NO+, the
  default, then Buildroot will use the waf executable provided in the
-  package source tree; if set to +YES+, then Buidlroot will download,
+  package source tree; if set to +YES+, then Buildroot will download,
  install waf as a host tool and use it to build the package.

 * +LIBFOO_WAF_OPTS+, to specify additional options to pass to the
--- a/docs/manual/developers.txt
+++ b/docs/manual/developers.txt
@@ -6,7 +6,7 @@

 The main Buildroot directory contains a file named +DEVELOPERS+ that
 lists the developers involved with various areas of Buildroot. Thanks
-to this file, the +get-developer+ tool allows to:
+to this file, the +get-developers+ tool allows to:

 - Calculate the list of developers to whom patches should be sent, by
  parsing the patches and matching the modified files with the
@@ -26,21 +26,21 @@ to include in his patch the appropriate modification to the
 The +DEVELOPERS+ file format is documented in detail inside the file
 itself.

-The +get-developer+ tool, located in +utils/+ allows to use
+The +get-developers+ tool, located in +utils/+ allows to use
 the +DEVELOPERS+ file for various tasks:

 - When passing one or several patches as command line argument,
-  +get-developer+ will return the appropriate +git send-email+
+  +get-developers+ will return the appropriate +git send-email+
  command. If the +-e+ option is passed, only the email addresses are
  printed in a format suitable for +git send-email --cc-cmd+.

- When using the +-a <arch>+ command line option, +get-developer+ will
+- When using the +-a <arch>+ command line option, +get-developers+ will
  return the list of developers in charge of the given architecture.

- When using the +-p <package>+ command line option, +get-developer+
+- When using the +-p <package>+ command line option, +get-developers+
  will return the list of developers in charge of the given package.

- When using the +-c+ command line option, +get-developer+ will look
+- When using the +-c+ command line option, +get-developers+ will look
  at all files under version control in the Buildroot repository, and
  list the ones that are not handled by any developer. The purpose of
  this option is to help completing the +DEVELOPERS+ file.
--- a/docs/manual/manual.txt
+++ b/docs/manual/manual.txt
@@ -12,7 +12,7 @@ It is licensed under the GNU General Public License, version 2. Refer to the
 http://git.buildroot.org/buildroot/tree/COPYING?id={sys:git rev-parse HEAD}[COPYING]
 file in the Buildroot sources for the full text of this license.

-Copyright (C) 2004-2018 The Buildroot developers
+Copyright (C) 2004-2019 The Buildroot developers

 image::logo.png[]

--- a/docs/website/copyright.txt
+++ b/docs/website/copyright.txt
@@ -1,6 +1,6 @@

 The code and graphics on this website (and it's mirror sites, if any) are
-Copyright (c) 1999-2005 by Erik Andersen, 2006-2018 The Buildroot
+Copyright (c) 1999-2005 by Erik Andersen, 2006-2019 The Buildroot
 developers. All rights reserved.

 Documents on this Web site including their graphical elements, design, and
--- a/linux/Config.in
+++ b/linux/Config.in
@@ -33,7 +33,7 @@ config BR2_LINUX_KERNEL_LATEST_VERSION
 	bool "Latest version (4.18)"

 config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
-	bool "Latest CIP SLTS version (v4.4.154-cip28)"
+	bool "Latest CIP SLTS version (v4.4.171-cip30)"
 	help
 	  CIP launched in the spring of 2016 to address the needs of
 	  organizations in industries such as power generation and
@@ -121,7 +121,7 @@ endif
 config BR2_LINUX_KERNEL_VERSION
 	string
 	default "4.18.20" if BR2_LINUX_KERNEL_LATEST_VERSION
-	default "v4.4.154-cip28" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
+	default "v4.4.171-cip30" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
 	default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \
 		if BR2_LINUX_KERNEL_CUSTOM_VERSION
 	default "custom" if BR2_LINUX_KERNEL_CUSTOM_TARBALL
--- a/linux/linux.hash
+++ b/linux/linux.hash
@@ -1,9 +1,9 @@
 # From https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 sha256 68ac319e0fb7edd6b6051541d9cf112cd4f77a29e16a69ae1e133ff51117f653  linux-4.18.20.tar.xz
 sha256 41026d713ba4f7a5e9d514b876ce4ed28a1d993c0c58b42b2a2597d6a0e83021  linux-4.16.18.tar.xz
-sha256 701728de924e0ec4a6b7cf59252011f8268a1b70aaf02b8487c1b2190feb3f20  linux-4.14.83.tar.xz
-sha256 f888aef58c2c4d82c81511ad6a4528ee9a8241bb96c05c65e71224988782f943  linux-4.9.140.tar.xz
-sha256 9bb4a1757e67dbd0923dbdf7e7e0baa9baa53ac942471d8fbb8d35dd5b313c10  linux-4.4.164.tar.xz
+sha256 8ff98caed5b20b733dedcbe99559d71a0e09e239c0c2488b3fd799c96489eb0a  linux-4.14.99.tar.xz
+sha256 5eb1b9ba43370512ab637452089bb93f8c0fdd7d5399e99561d382f74517a816  linux-4.9.156.tar.xz
+sha256 be5211dd90142568199cd546c0893e1eb71c78774a11660a8bb8070bb9ebba39  linux-4.4.174.tar.xz
 sha256 6ad9389e55e0ea57768eae173747058a4487fa3630e10a7999cfec9f945e559c  linux-4.1.52.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v3.x/sha256sums.asc
 sha256 ad96d797571496c969aa71bf5d08e9d2a8c84458090d29a120f1b2981185a99e  linux-3.2.102.tar.xz
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -30,7 +30,7 @@ else ifeq ($(BR2_LINUX_KERNEL_CUSTOM_SVN),y)
 LINUX_SITE = $(call qstrip,$(BR2_LINUX_KERNEL_CUSTOM_REPO_URL))
 LINUX_SITE_METHOD = svn
 else ifeq ($(BR2_LINUX_KERNEL_LATEST_CIP_VERSION),y)
-LINUX_SITE = git://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-cip.git
+LINUX_SITE = git://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
 else ifneq ($(findstring -rc,$(LINUX_VERSION)),)
 # Since 4.12-rc1, -rc kernels are generated from cgit. This also works for
 # older -rc kernels.
@@ -55,6 +55,9 @@ endif

 LINUX_PATCHES = $(call qstrip,$(BR2_LINUX_KERNEL_PATCH))

+# We have no way to know the hashes for user-supplied patches.
+BR_NO_CHECK_HASH_FOR += $(notdir $(LINUX_PATCHES))
+
 # We rely on the generic package infrastructure to download and apply
 # remote patches (downloaded from ftp, http or https). For local
 # patches, we can't rely on that infrastructure, because there might
@@ -269,13 +272,16 @@ endif
 LINUX_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES))
 LINUX_KCONFIG_EDITORS = menuconfig xconfig gconfig nconfig

-# LINUX_MAKE_FLAGS overrides HOSTCC to allow the kernel build to find our
-# host-openssl and host-libelf. However, this triggers a bug in the kconfig
-# build script that causes it to build with /usr/include/ncurses.h (which is
-# typically wchar) but link with $(HOST_DIR)/lib/libncurses.so (which is not).
-# We don't actually need any host-package for kconfig, so remove the HOSTCC
-# override again.
-LINUX_KCONFIG_OPTS = $(LINUX_MAKE_FLAGS) HOSTCC="$(HOSTCC)"
+# LINUX_MAKE_FLAGS overrides HOSTCC to allow the kernel build to find
+# our host-openssl and host-libelf. However, this triggers a bug in
+# the kconfig build script that causes it to build with
+# /usr/include/ncurses.h (which is typically wchar) but link with
+# $(HOST_DIR)/lib/libncurses.so (which is not).  We don't actually
+# need any host-package for kconfig, so remove the HOSTCC override
+# again. In addition, even though linux depends on the toolchain and
+# therefore host-ccache would be ready, we use HOSTCC_NOCCACHE for
+# consistency with other kconfig packages.
+LINUX_KCONFIG_OPTS = $(LINUX_MAKE_FLAGS) HOSTCC="$(HOSTCC_NOCCACHE)"

 # If no package has yet set it, set it from the Kconfig option
 LINUX_NEEDS_MODULES ?= $(BR2_LINUX_NEEDS_MODULES)
@@ -311,6 +317,7 @@ define LINUX_KCONFIG_FIXUP_CMDS
 	# replaced later by the real cpio archive, and the kernel will be
 	# rebuilt using the linux-rebuild-with-initramfs target.
 	$(if $(BR2_TARGET_ROOTFS_INITRAMFS),
+		mkdir -p $(BINARIES_DIR)
 		touch $(BINARIES_DIR)/rootfs.cpio
 		$(call KCONFIG_SET_OPT,CONFIG_INITRAMFS_SOURCE,"$${BR_BINARIES_DIR}/rootfs.cpio",$(@D)/.config)
 		$(call KCONFIG_SET_OPT,CONFIG_INITRAMFS_ROOT_UID,0,$(@D)/.config)
--- a/package/Config.in
+++ b/package/Config.in
@@ -2106,6 +2106,7 @@ menu "System tools"
 	source "package/dcron/Config.in"
 	source "package/ddrescue/Config.in"
 	source "package/debianutils/Config.in"
+	source "package/docker-cli/Config.in"
 	source "package/docker-compose/Config.in"
 	source "package/docker-containerd/Config.in"
 	source "package/docker-engine/Config.in"
--- a/package/acpica/acpica.mk
+++ b/package/acpica/acpica.mk
@@ -10,6 +10,7 @@ ACPICA_SITE = https://acpica.org/sites/acpica/files
 ACPICA_LICENSE = BSD-3-Clause or GPL-2.0
 ACPICA_LICENSE_FILES = source/include/acpi.h
 ACPICA_DEPENDENCIES = host-bison host-flex
+HOST_ACPICA_DEPENDENCIES = host-bison host-flex

 define ACPICA_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
--- a/package/apache/apache.hash
+++ b/package/apache/apache.hash
@@ -1,4 +1,4 @@
-# From http://archive.apache.org/dist/httpd/httpd-2.4.35.tar.bz2.sha256
-sha256 3498dc5c6772fac2eb7307dc7963122ffe243b5e806e0be4fb51974ff759d726 httpd-2.4.37.tar.bz2
+# From http://archive.apache.org/dist/httpd/httpd-2.4.38.tar.bz2.sha256
+sha256 7dc65857a994c98370dc4334b260101a7a04be60e6e74a5c57a6dee1bc8f394a httpd-2.4.38.tar.bz2
 # Locally computed
 sha256 c49c0819a726b70142621715dae3159c47b0349c2bc9db079070f28dadac0229 LICENSE
--- a/package/apache/apache.mk
+++ b/package/apache/apache.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-APACHE_VERSION = 2.4.37
+APACHE_VERSION = 2.4.38
 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
 APACHE_SITE = http://archive.apache.org/dist/httpd
 APACHE_LICENSE = Apache-2.0
--- a/package/apr/apr.mk
+++ b/package/apr/apr.mk
@@ -26,7 +26,12 @@ APR_CONF_ENV = \
 	ac_cv_sizeof_pid_t=4 \
 	ac_cv_struct_rlimit=yes \
 	ac_cv_o_nonblock_inherited=no \
-	apr_cv_mutex_recursive=yes
+	apr_cv_mutex_recursive=yes \
+	apr_cv_epoll=yes \
+	apr_cv_epoll_create1=yes \
+	apr_cv_dup3=yes \
+	apr_cv_sock_cloexec=yes \
+	apr_cv_accept4=yes
 APR_CONFIG_SCRIPTS = apr-1-config

 # Doesn't even try to guess when cross compiling
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -242,7 +242,8 @@ else
 ASTERISK_CONF_OPTS += --without-speex  --without-speexdsp
 endif

-ifeq ($(BR2_PACKAGE_LIBSRTP),y)
+# asterisk needs an openssl-enabled libsrtp
+ifeq ($(BR2_PACKAGE_LIBSRTP)$(BR2_PACKAGE_OPENSSL)x$(BR2_STATIC_LIBS),yyx)
 ASTERISK_DEPENDENCIES += libsrtp
 ASTERISK_CONF_OPTS += --with-srtp
 else
--- a/package/avrdude/avrdude.mk
+++ b/package/avrdude/avrdude.mk
@@ -15,8 +15,6 @@ AVRDUDE_AUTORECONF = YES
 AVRDUDE_CONF_OPTS = --enable-linuxgpio
 AVRDUDE_DEPENDENCIES = elfutils libusb libusb-compat ncurses \
 	host-flex host-bison
-AVRDUDE_LICENSE = GPL-2.0+
-AVRDUDE_LICENSE_FILES = avrdude/COPYING

 ifeq ($(BR2_PACKAGE_LIBFTDI1),y)
 AVRDUDE_DEPENDENCIES += libftdi1
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.11.5/bind-9.11.5.tar.gz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.11.5-P4/bind-9.11.5-P4.tar.gz.asc
 # with key BE0E9748B718253A28BB89FFF1B11BF05CF02E57
-sha256 a4cae11dad954bdd4eb592178f875bfec09fcc7e29fe0f6b7a4e5b5c6bc61322 bind-9.11.5.tar.gz
-sha256 336f3c40e37a1a13690efb4c63e20908faa4c40498cc02f3579fb67d3a1933a5 COPYRIGHT
+sha256 7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434 bind-9.11.5-P4.tar.gz
+sha256 cd02c93b8dcda794f55dfd1231828d69633072a98eee4874f9cf732d22d9dcde COPYRIGHT
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################

-BIND_VERSION = 9.11.5
-BIND_SITE = http://ftp.isc.org/isc/bind9/$(BIND_VERSION)
+BIND_VERSION = 9.11.5-P4
+BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 # bind does not support parallel builds.
 BIND_MAKE = $(MAKE1)
 BIND_INSTALL_STAGING = YES
--- a/package/cargo/cargo.mk
+++ b/package/cargo/cargo.mk
@@ -70,7 +70,7 @@ HOST_CARGO_SNAP_OPTS = \
 	$(if $(VERBOSE),--verbose)

 HOST_CARGO_ENV = \
-	RUSTFLAGS="-Clink-arg=-Wl,-rpath,$(HOST_DIR)/lib" \
+	RUSTFLAGS="$(addprefix -Clink-arg=,$(HOST_LDFLAGS))" \
 	CARGO_HOME=$(HOST_CARGO_HOME)

 define HOST_CARGO_BUILD_CMDS
--- a/package/cc-tool/Config.in
+++ b/package/cc-tool/Config.in
@@ -9,7 +9,6 @@ config BR2_PACKAGE_CC_TOOL
 	select BR2_PACKAGE_BOOST_SYSTEM
 	select BR2_PACKAGE_BOOST_REGEX
 	select BR2_PACKAGE_BOOST_FILESYSTEM
-	select BR2_PACKAGE_BOOST_SIGNALS
 	help
 	  cc-tool provides support for Texas Instruments CC Debugger
 	  for Linux OS in order to program 8051-based System-On-Chip
--- a/package/dash/dash.mk
+++ b/package/dash/dash.mk
@@ -28,7 +28,7 @@ DASH_CONF_OPTS += --without-libedit
 endif

 define DASH_INSTALL_TARGET_CMDS
-	$(INSTALL) -m 0755 $(@D)/src/dash $(TARGET_DIR)/bin/dash
+	$(INSTALL) -m 0755 -D $(@D)/src/dash $(TARGET_DIR)/bin/dash
 endef

 # Add /bin/dash to /etc/shells otherwise some login tools like dropbear
--- a/package/dhcpcd/dhcpcd.mk
+++ b/package/dhcpcd/dhcpcd.mk
@@ -36,6 +36,10 @@ define DHCPCD_INSTALL_TARGET_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
 endef

+# When network-manager is enabled together with dhcpcd, it will use
+# dhcpcd as a DHCP client, and will be in charge of running, so we
+# don't want the init script or service file to be installed.
+ifeq ($(BR2_PACKAGE_NETWORK_MANAGER),)
 define DHCPCD_INSTALL_INIT_SYSV
 	$(INSTALL) -m 755 -D package/dhcpcd/S41dhcpcd \
 		$(TARGET_DIR)/etc/init.d/S41dhcpcd
@@ -48,6 +52,7 @@ define DHCPCD_INSTALL_INIT_SYSTEMD
 	ln -sf ../../../../usr/lib/systemd/system/dhcpcd.service \
 		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/dhcpcd.service
 endef
+endif

 # NOTE: Even though this package has a configure script, it is not generated
 # using the autotools, so we have to use the generic package infrastructure.
--- a/package/dhcpdump/0002-fix-strsep-feature-test.patch
+++ b/package/dhcpdump/0002-fix-strsep-feature-test.patch
@@ -1,27 +0,0 @@
-Use the official _BSD_SOURCE feature test macro instead of the meaningless
-HAVE_STRSEP macro in order to detect the availability of strsep().
-
-This allows toolchains supporting strsep() to use it instead of the custom
-implementation from dhcpdump, which also avoids the following error with some
-toolchains:
-
-	In file included from dhcpdump.c:30:0:
-	dhcpdump.c: At top level:
-	strsep.c:65:23: error: register name not specified for ‘delim’
-	  register const char *delim;
-	                       ^
-
-Signed-off-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
-
-diff -Nrdup dhcpdump-1.8.orig/dhcpdump.c dhcpdump-1.8/dhcpdump.c
--- dhcpdump-1.8.orig/dhcpdump.c	2008-06-24 05:26:52.000000000 +0200
-+++ dhcpdump-1.8/dhcpdump.c	2011-05-31 19:22:15.987388498 +0200
-@@ -26,7 +26,7 @@
- #include <regex.h>
- #include "dhcp_options.h"
- 
-#ifndef HAVE_STRSEP
-+#ifndef _BSD_SOURCE
- #include "strsep.c"
- #endif
- 
--- a/package/dhcpdump/dhcpdump.mk
+++ b/package/dhcpdump/dhcpdump.mk
@@ -15,8 +15,11 @@ ifeq ($(BR2_STATIC_LIBS),y)
 DHCPDUMP_LIBS += `$(STAGING_DIR)/usr/bin/pcap-config --static --additional-libs`
 endif

+# glibc, uclibc and musl have strsep()
+DHCPDUMP_CFLAGS = $(TARGET_CFLAGS) -DHAVE_STRSEP
+
 define DHCPDUMP_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) CC="$(TARGET_CC) $(TARGET_CFLAGS) \
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) CC="$(TARGET_CC) $(DHCPDUMP_CFLAGS) \
 		-D_GNU_SOURCE" LIBS="$(DHCPDUMP_LIBS)"
 endef

--- a/package/dmalloc/0005-fix-strdup.patch
+++ b/package/dmalloc/0005-fix-strdup.patch
@@ -0,0 +1,24 @@
+From 59d73a473f1c1a31bcba90d314f956d0bcc3de95 Mon Sep 17 00:00:00 2001
+From: Siana Gearz <siana.sg@live.de>
+Date: Sat, 8 Sep 2012 22:55:17 +0200
+Subject: [PATCH] Fix strdup
+
+[Retrieved from:
+https://github.com/siana/dmalloc/commit/59d73a473f1c1a31bcba90d314f956d0bcc3de95]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ dmalloc.h.3 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dmalloc.h.3 b/dmalloc.h.3
+index d3d1c13..3fc573a 100644
+--- a/dmalloc.h.3
+++ b/dmalloc.h.3
+@@ -459,6 +459,7 @@ DMALLOC_PNT	valloc(DMALLOC_SIZE size);
+  *
+  * string -> String we are duplicating.
+  */
+#undef strdup
+ extern
+ char	*strdup(const char *string);
+ #endif /* ifndef DMALLOC_STRDUP_MACRO */
--- a/package/dmalloc/0006-fix-strndup.patch
+++ b/package/dmalloc/0006-fix-strndup.patch
@@ -0,0 +1,24 @@
+From 005d92c2cebbde5c8623daa29725f7a62b18df7c Mon Sep 17 00:00:00 2001
+From: Siana Gearz <siana.sg@live.de>
+Date: Sat, 8 Sep 2012 22:44:35 +0200
+Subject: [PATCH] Fix strndup
+
+[Retrieved from:
+https://github.com/siana/dmalloc/commit/005d92c2cebbde5c8623daa29725f7a62b18df7c]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ dmalloc.h.3 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dmalloc.h.3 b/dmalloc.h.3
+index 8bda997..fb538a8 100644
+--- a/dmalloc.h.3
+++ b/dmalloc.h.3
+@@ -429,6 +429,7 @@ char	*strdup(const char *string);
+  *
+  * len -> Length of the string to duplicate.
+  */
+#undef strndup
+ extern
+ char	*strndup(const char *string, const DMALLOC_SIZE len);
+ 
--- a/package/docker-cli/Config.in
+++ b/package/docker-cli/Config.in
@@ -0,0 +1,25 @@
+config BR2_PACKAGE_DOCKER_CLI
+	bool "docker-cli"
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	help
+	  Docker is a platform to build, ship,
+	  and run applications as lightweight containers.
+
+	  https://github.com/docker/cli
+
+if BR2_PACKAGE_DOCKER_CLI
+
+config BR2_PACKAGE_DOCKER_CLI_STATIC
+	bool "build static client"
+	depends on !BR2_STATIC_LIBS
+	help
+	  Build a static docker client.
+
+endif
+
+comment "docker-cli needs a toolchain w/ threads"
+	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
+	depends on !BR2_TOOLCHAIN_HAS_THREADS
--- a/package/docker-cli/docker-cli.hash
+++ b/package/docker-cli/docker-cli.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256	3e578406dead2fc72c4b52f77db39dc779fa8b460352116c06f1ae29219bd8c2  docker-cli-v18.09.0.tar.gz
+sha256	2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0  LICENSE
--- a/package/docker-cli/docker-cli.mk
+++ b/package/docker-cli/docker-cli.mk
@@ -0,0 +1,31 @@
+################################################################################
+#
+# docker-cli
+#
+################################################################################
+
+DOCKER_CLI_VERSION = v18.09.0
+DOCKER_CLI_SITE = $(call github,docker,cli,$(DOCKER_CLI_VERSION))
+DOCKER_CLI_WORKSPACE = gopath
+
+DOCKER_CLI_LICENSE = Apache-2.0
+DOCKER_CLI_LICENSE_FILES = LICENSE
+
+DOCKER_CLI_DEPENDENCIES = host-pkgconf
+
+DOCKER_CLI_TAGS = autogen
+DOCKER_CLI_BUILD_TARGETS = cmd/docker
+
+DOCKER_CLI_LDFLAGS = \
+	-X github.com/docker/cli/cli.GitCommit=$(DOCKER_CLI_VERSION) \
+	-X github.com/docker/cli/cli.Version=$(DOCKER_CLI_VERSION)
+
+ifeq ($(BR2_PACKAGE_DOCKER_CLI_STATIC),y)
+DOCKER_CLI_LDFLAGS += -extldflags '-static'
+DOCKER_CLI_TAGS += osusergo netgo
+DOCKER_CLI_GO_ENV = CGO_ENABLED=no
+endif
+
+DOCKER_CLI_INSTALL_BINS = $(notdir $(DOCKER_CLI_BUILD_TARGETS))
+
+$(eval $(golang-package))
--- a/package/docker-compose/0001-setup.py-allow-all-recent-2.x-requests-releases.patch
+++ b/package/docker-compose/0001-setup.py-allow-all-recent-2.x-requests-releases.patch
@@ -0,0 +1,34 @@
+From a79152d1d621ea9d477ecc6862a03cae80b2425b Mon Sep 17 00:00:00 2001
+From: Peter Korsgaard <peter@korsgaard.com>
+Date: Sat, 15 Dec 2018 14:04:57 +0100
+Subject: [PATCH] setup.py: allow all recent 2.x requests releases
+
+Instead of having to update this for each new requests release.
+
+It it not quite clear why the restriction was added in the first place in
+commit b0480b4d04e (Bump SDK version to latest), but change it to simply
+disallow the upcoming 3.0 release to match what is done for the other
+modules.
+
+Submitted upstream: https://github.com/docker/compose/pull/6415
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 96530726..3c8c7d0e 100644
+--- a/setup.py
+++ b/setup.py
+@@ -33,7 +33,7 @@ install_requires = [
+     'cached-property >= 1.2.0, < 2',
+     'docopt >= 0.6.1, < 0.7',
+     'PyYAML >= 3.10, < 4',
+-    'requests >= 2.6.1, != 2.11.0, != 2.12.2, != 2.18.0, < 2.19',
+    'requests >= 2.6.1, != 2.11.0, != 2.12.2, != 2.18.0, < 3.0',
+     'texttable >= 0.9.0, < 0.10',
+     'websocket-client >= 0.32.0, < 1.0',
+     'docker >= 3.1.4, < 4.0',
+-- 
+2.11.0
+
--- a/package/docker-compose/0002-Upgrade-pyyaml-to-4.2b1.patch
+++ b/package/docker-compose/0002-Upgrade-pyyaml-to-4.2b1.patch
@@ -0,0 +1,27 @@
+From 8419a670aed3364c39b86a0608782aaeae3ce5df Mon Sep 17 00:00:00 2001
+From: Quentin Brunet <hello@quentinbrunet.com>
+Date: Tue, 8 Jan 2019 14:04:54 +0100
+Subject: [PATCH] Upgrade pyyaml to 4.2b1
+
+Signed-off-by: Quentin Brunet <hello@quentinbrunet.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ setup.py         | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 4c49bab7..8b5f9d99 100644
+--- a/setup.py
+++ b/setup.py
+@@ -32,7 +32,7 @@ def find_version(*file_paths):
+ install_requires = [
+     'cached-property >= 1.2.0, < 2',
+     'docopt >= 0.6.1, < 0.7',
+-    'PyYAML >= 3.10, < 4',
+    'PyYAML >= 3.10, < 4.3',
+     'requests >= 2.6.1, != 2.11.0, != 2.12.2, != 2.18.0, < 3.0',
+     'texttable >= 0.9.0, < 0.10',
+     'websocket-client >= 0.32.0, < 1.0',
+-- 
+2.11.0
+
--- a/package/docker-containerd/Config.in
+++ b/package/docker-containerd/Config.in
@@ -3,6 +3,7 @@ config BR2_PACKAGE_DOCKER_CONTAINERD
 	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
 	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # runc
 	depends on BR2_USE_MMU # util-linux
 	select BR2_PACKAGE_RUNC # runtime dependency
 	select BR2_PACKAGE_UTIL_LINUX # runtime dependency
@@ -27,8 +28,8 @@ config BR2_PACKAGE_DOCKER_CONTAINERD_DRIVER_BTRFS

 endif

-comment "docker-containerd needs a toolchain w/ threads"
+comment "docker-containerd needs a glibc or musl toolchain w/ threads"
 	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
 	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_USE_MMU
-	depends on !BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC
--- a/package/docker-containerd/docker-containerd.mk
+++ b/package/docker-containerd/docker-containerd.mk
@@ -19,7 +19,7 @@ DOCKER_CONTAINERD_BUILD_TARGETS = cmd/ctr cmd/containerd cmd/containerd-shim
 DOCKER_CONTAINERD_INSTALL_BINS = containerd containerd-shim

 ifeq ($(BR2_PACKAGE_LIBSECCOMP),y)
-DOCKER_CONTAINERD_DEPENDENCIES += libseccomp
+DOCKER_CONTAINERD_DEPENDENCIES += libseccomp host-pkgconf
 DOCKER_CONTAINERD_TAGS += seccomp
 endif

--- a/package/docker-engine/Config.in
+++ b/package/docker-engine/Config.in
@@ -3,6 +3,12 @@ config BR2_PACKAGE_DOCKER_ENGINE
 	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
 	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc
+	depends on BR2_USE_MMU # docker-containerd
+	select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
+	select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
+	select BR2_PACKAGE_IPTABLES # runtime dependency
+	select BR2_PACKAGE_SQLITE # runtime dependency
 	help
 	  Docker is a platform to build, ship,
 	  and run applications as lightweight containers.
@@ -11,29 +17,9 @@ config BR2_PACKAGE_DOCKER_ENGINE

 if BR2_PACKAGE_DOCKER_ENGINE

-config BR2_PACKAGE_DOCKER_ENGINE_DAEMON
-	bool "docker daemon"
-	default y
-	depends on BR2_USE_MMU # docker-containerd
-	select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
-	select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
-	select BR2_PACKAGE_IPTABLES # runtime dependency
-	select BR2_PACKAGE_SQLITE # runtime dependency
-	help
-	  Build the Docker system daemon.
-	  If not selected, will build client only.
-
 config BR2_PACKAGE_DOCKER_ENGINE_EXPERIMENTAL
 	bool "build experimental features"

-config BR2_PACKAGE_DOCKER_ENGINE_STATIC_CLIENT
-	bool "build static client"
-	depends on !BR2_STATIC_LIBS
-	help
-	  Build a static docker client.
-
-if BR2_PACKAGE_DOCKER_ENGINE_DAEMON
-
 config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_BTRFS
 	bool "btrfs filesystem driver"
 	depends on BR2_USE_MMU # btrfs-progs
@@ -64,9 +50,8 @@ config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_VFS

 endif

-endif
-
-comment "docker-engine needs a toolchain w/ threads"
+comment "docker-engine needs a glibc or musl toolchain w/ threads"
 	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
 	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
-	depends on !BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC
+	depends on BR2_USE_MMU
--- a/package/docker-engine/docker-engine.hash
+++ b/package/docker-engine/docker-engine.hash
@@ -1,2 +1,3 @@
 # Locally calculated
-sha256	4716df117d867b82ddab2e82395cd40aa3d0925a689eedcec8919729e4c9f121	docker-engine-v17.05.0-ce.tar.gz
+sha256	b5278b3f2b460ea61f47833abd2a844f348b4518e73f309294ad178c205a48e1  docker-engine-v18.09.0.tar.gz
+sha256	2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0  LICENSE
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -4,25 +4,21 @@
 #
 ################################################################################

-DOCKER_ENGINE_VERSION = v17.05.0-ce
-DOCKER_ENGINE_COMMIT = 89658bed64c2a8fe05a978e5b87dbec409d57a0f
-DOCKER_ENGINE_SITE = $(call github,docker,docker,$(DOCKER_ENGINE_VERSION))
+DOCKER_ENGINE_VERSION = v18.09.0
+DOCKER_ENGINE_SITE = $(call github,docker,engine,$(DOCKER_ENGINE_VERSION))

 DOCKER_ENGINE_LICENSE = Apache-2.0
 DOCKER_ENGINE_LICENSE_FILES = LICENSE

-DOCKER_ENGINE_DEPENDENCIES = host-go host-pkgconf
+DOCKER_ENGINE_DEPENDENCIES = host-pkgconf
+DOCKER_ENGINE_SRC_SUBDIR = github.com/docker/docker

 DOCKER_ENGINE_LDFLAGS = \
 	-X main.GitCommit=$(DOCKER_ENGINE_VERSION) \
 	-X main.Version=$(DOCKER_ENGINE_VERSION)

-ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_STATIC_CLIENT),y)
-DOCKER_ENGINE_LDFLAGS += -extldflags '-static'
-endif
-
 DOCKER_ENGINE_TAGS = cgo exclude_graphdriver_zfs autogen
-DOCKER_ENGINE_BUILD_TARGETS = cmd/docker
+DOCKER_ENGINE_BUILD_TARGETS = cmd/dockerd

 ifeq ($(BR2_PACKAGE_LIBSECCOMP),y)
 DOCKER_ENGINE_TAGS += seccomp
@@ -30,15 +26,9 @@ DOCKER_ENGINE_DEPENDENCIES += libseccomp
 endif

 ifeq ($(BR2_INIT_SYSTEMD),y)
-DOCKER_ENGINE_TAGS += journald
 DOCKER_ENGINE_DEPENDENCIES += systemd
+DOCKER_ENGINE_TAGS += systemd journald
 endif
-
-ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_DAEMON),y)
-DOCKER_ENGINE_TAGS += daemon
-DOCKER_ENGINE_BUILD_TARGETS += cmd/dockerd
-endif
-
 ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_EXPERIMENTAL),y)
 DOCKER_ENGINE_TAGS += experimental
 endif
@@ -65,7 +55,6 @@ DOCKER_ENGINE_INSTALL_BINS = $(notdir $(DOCKER_ENGINE_BUILD_TARGETS))

 define DOCKER_ENGINE_RUN_AUTOGEN
 	cd $(@D) && \
-		GITCOMMIT="$$(echo $(DOCKER_ENGINE_COMMIT) | head -c7)" \
 		BUILDTIME="$$(date)" \
 		VERSION="$(patsubst v%,%,$(DOCKER_ENGINE_VERSION))" \
 		PKG_CONFIG="$(PKG_CONFIG_HOST_BINARY)" $(TARGET_MAKE_ENV) \
@@ -74,8 +63,6 @@ endef

 DOCKER_ENGINE_POST_CONFIGURE_HOOKS += DOCKER_ENGINE_RUN_AUTOGEN

-ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_DAEMON),y)
-
 define DOCKER_ENGINE_INSTALL_INIT_SYSTEMD
 	$(INSTALL) -D -m 0644 $(@D)/contrib/init/systemd/docker.service \
 		$(TARGET_DIR)/usr/lib/systemd/system/docker.service
@@ -90,6 +77,4 @@ define DOCKER_ENGINE_USERS
 	- - docker -1 * - - - Docker Application Container Framework
 endef

-endif
-
 $(eval $(golang-package))
--- a/package/dovecot-pigeonhole/dovecot-pigeonhole.hash
+++ b/package/dovecot-pigeonhole/dovecot-pigeonhole.hash
@@ -1,3 +1,3 @@
 # Locally computed after checking signature
-sha256 e02f2741c05f9e2af1c5f46da35efb74997f9d4b941ba68936206d310ddf2622  dovecot-2.3-pigeonhole-0.5.3.tar.gz
+sha256 547999e67a001abc5e654c7e35653d3fe057fa9a47a24257e39a79c41ef08516  dovecot-2.3-pigeonhole-0.5.4.tar.gz
 sha256 fc9e9522216f2a9a28b31300e3c73c1df56acc27dfae951bf516e7995366b51a  COPYING
--- a/package/dovecot-pigeonhole/dovecot-pigeonhole.mk
+++ b/package/dovecot-pigeonhole/dovecot-pigeonhole.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-DOVECOT_PIGEONHOLE_VERSION = 0.5.3
+DOVECOT_PIGEONHOLE_VERSION = 0.5.4
 DOVECOT_PIGEONHOLE_SOURCE = dovecot-2.3-pigeonhole-$(DOVECOT_PIGEONHOLE_VERSION).tar.gz
 DOVECOT_PIGEONHOLE_SITE = https://pigeonhole.dovecot.org/releases/2.3
 DOVECOT_PIGEONHOLE_LICENSE = LGPL-2.1
--- a/package/dovecot/dovecot.hash
+++ b/package/dovecot/dovecot.hash
@@ -1,5 +1,5 @@
 # Locally computed after checking signature
-sha256 15af27ee25258afb4ad9581f8df681be998b763597086bbae54ca7d77a066d8e  dovecot-2.3.3.tar.gz
+sha256 b8873e2ce5c33e58963bb7a8d2ff8427c09dbfdd63e13a0b0f4502864043aa07  dovecot-2.3.4.1.tar.gz
 sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8  COPYING
 sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
 sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97  COPYING.MIT
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -5,7 +5,7 @@
 ################################################################################

 DOVECOT_VERSION_MAJOR = 2.3
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).3
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).4.1
 DOVECOT_SITE = https://www.dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
 DOVECOT_INSTALL_STAGING = YES
 DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
--- a/package/dt-utils/0001-src-fix-compilation-for-glibc-version-2.27.9000-36.f.patch
+++ b/package/dt-utils/0001-src-fix-compilation-for-glibc-version-2.27.9000-36.f.patch
@@ -0,0 +1,75 @@
+From 1c80e31872aec9f2ef7eca6a52aa89c0ea759d8f Mon Sep 17 00:00:00 2001
+From: Enrico Joerns <ejo@pengutronix.de>
+Date: Wed, 5 Sep 2018 12:28:28 +0200
+Subject: [PATCH] src: fix compilation for glibc version 2.27.9000-36.fc29 and
+ newer
+
+As recent glibc versions (>= 2.27.9000-36.fc29) also define 'struct
+statx' which is also defined in linux/stat.h, compilation fails with
+error:
+
+| In file included from ../dt-utils-2018.05.0/src/crypto/digest.c:24:
+| [..]/usr/include/linux/stat.h:56:8: error: redefinition of 'struct statx_timestamp'
+|  struct statx_timestamp {
+|         ^~~~~~~~~~~~~~~
+| In file included from [..]/usr/include/sys/stat.h:446,
+|                  from ../dt-utils-2018.05.0/src/dt/common.h:15,
+|                  from ../dt-utils-2018.05.0/src/crypto/digest.c:19:
+| [..]/usr/include/bits/statx.h:25:8: note: originally defined here
+|  struct statx_timestamp
+|         ^~~~~~~~~~~~~~~
+| In file included from ../dt-utils-2018.05.0/src/crypto/digest.c:24:
+| [..]/usr/include/linux/stat.h:99:8: error: redefinition of 'struct statx'
+|  struct statx {
+|         ^~~~~
+| In file included from [..]/usr/include/sys/stat.h:446,
+|                  from ../dt-utils-2018.05.0/src/dt/common.h:15,
+|                  from ../dt-utils-2018.05.0/src/crypto/digest.c:19:
+| [..]/usr/include/bits/statx.h:36:8: note: originally defined here
+|  struct statx
+|         ^~~~~
+
+The linux/stat.h originates from the code that was copied from barebox
+but is not explicitly required to be linux/stat.h instead of sys/stat.h
+and we do not actually use struct statx.
+
+Thus it is safe to simply replace occurrences of linux/stat.h by
+sys/stat.h to fix compilation.
+
+Signed-off-by: Enrico Joerns <ejo@pengutronix.de>
+[Thomas: backport from upstream.]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/barebox-state/backend_storage.c | 2 +-
+ src/crypto/digest.c                 | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/barebox-state/backend_storage.c b/src/barebox-state/backend_storage.c
+index 53fe829..1052656 100644
+--- a/src/barebox-state/backend_storage.c
+++ b/src/barebox-state/backend_storage.c
+@@ -19,7 +19,7 @@
+ #include <linux/kernel.h>
+ #include <linux/list.h>
+ #include <linux/mtd/mtd-abi.h>
+-#include <linux/stat.h>
+#include <sys/stat.h>
+ #include <linux/fs.h>
+ #include <malloc.h>
+ #include <printk.h>
+diff --git a/src/crypto/digest.c b/src/crypto/digest.c
+index 7a8c3c0..8353412 100644
+--- a/src/crypto/digest.c
+++ b/src/crypto/digest.c
+@@ -21,7 +21,7 @@
+ #include <malloc.h>
+ #include <fs.h>
+ #include <fcntl.h>
+-#include <linux/stat.h>
+#include <sys/stat.h>
+ #include <errno.h>
+ #include <module.h>
+ #include <linux/err.h>
+-- 
+2.19.2
+
--- a/package/dtc/0002-Fix-include-guards-for-older-kernel-u-boot-sources.patch
+++ b/package/dtc/0002-Fix-include-guards-for-older-kernel-u-boot-sources.patch
@@ -1,7 +1,7 @@
-From b1f8b84489c96465b63485b884238b61d31ca84d Mon Sep 17 00:00:00 2001
+From 086283ed7f1886de05407bc75dd4c070c78a6f50 Mon Sep 17 00:00:00 2001
 From: Lothar Felten <lothar.felten@gmail.com>
 Date: Mon, 8 Oct 2018 13:29:44 +0200
-Subject: [PATCH 1/1] Fix include guards for older kernel/u-boot sources
+Subject: [PATCH] Fix include guards for older kernel/u-boot sources

 Linux kernels before 4.17 and U-Boot versions before 2018.07 use libfdt
 include guards with leading underscores.
@@ -12,11 +12,27 @@ This patch handles both include guard types and allows the compilation
 of older Linux kernel and u-boot sources.

 Signed-off-by: Lothar Felten <lothar.felten@gmail.com>
+[ThomasDS: also update fdt.h which has the same issue, seen on U-Boot
+2011.03]
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
 ---
+ libfdt/fdt.h        | 4 ++++
 libfdt/libfdt.h     | 4 ++++
 libfdt/libfdt_env.h | 4 ++++
- 2 files changed, 8 insertions(+)
+ 3 files changed, 12 insertions(+)

+diff --git a/libfdt/fdt.h b/libfdt/fdt.h
+index 74961f9..2904f48 100644
+--- a/libfdt/fdt.h
+++ b/libfdt/fdt.h
+@@ -1,3 +1,7 @@
+#ifdef _FDT_H
+#warning "Please consider updating your kernel and/or u-boot version"
+#define FDT_H
+#endif
+ #ifndef FDT_H
+ #define FDT_H
+ /*
 diff --git a/libfdt/libfdt.h b/libfdt/libfdt.h
 index 830b77e..bef4566 100644
 --- a/libfdt/libfdt.h
@@ -42,5 +58,5 @@ index eb20538..6a61e6a 100644
 #define LIBFDT_ENV_H
 /*
 -- 
-2.11.0
+2.19.2

--- a/package/efibootmgr/Config.in
+++ b/package/efibootmgr/Config.in
@@ -4,6 +4,7 @@ config BR2_PACKAGE_EFIBOOTMGR
 	depends on !BR2_STATIC_LIBS # efivar
 	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # efivar
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # efivar
+	depends on BR2_HOST_GCC_AT_LEAST_4_8 # efivar
 	depends on !BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_MIPS
 	select BR2_PACKAGE_EFIVAR
 	select BR2_PACKAGE_POPT
@@ -15,9 +16,10 @@ config BR2_PACKAGE_EFIBOOTMGR

 	  https://github.com/rhboot/efibootmgr

-comment "efibootmgr needs a glibc or uClibc toolchain w/ dynamic library, headers >= 3.12, gcc >= 4.9"
+comment "efibootmgr needs a glibc or uClibc toolchain w/ dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 4.8"
 	depends on BR2_PACKAGE_EFIVAR_ARCH_SUPPORTS
 	depends on BR2_STATIC_LIBS || \
 		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
-		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_HOST_GCC_AT_LEAST_4_8
 	depends on !BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_MIPS
--- a/package/efivar/Config.in
+++ b/package/efivar/Config.in
@@ -17,14 +17,17 @@ config BR2_PACKAGE_EFIVAR
 	# toolchains.
 	depends on !BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_MIPS
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	# needs __builtin_bswap16
+	depends on BR2_HOST_GCC_AT_LEAST_4_8
 	help
 	  Tools and libraries to manipulate EFI variables

 	  https://github.com/rhboot/efivar

-comment "efivar needs a toolchain w/ dynamic library, headers >= 3.12, gcc >= 4.9"
+comment "efivar needs a toolchain w/ dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 4.8"
 	depends on BR2_PACKAGE_EFIVAR_ARCH_SUPPORTS
 	depends on BR2_STATIC_LIBS || \
 		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
-		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_HOST_GCC_AT_LEAST_4_8
 	depends on !BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_MIPS
--- a/package/efivar/efivar.hash
+++ b/package/efivar/efivar.hash
@@ -1,3 +1,3 @@
 # locally computed hash
-sha256 9691399a424b8e3776b7ed2df1893c4162285a93697d781f387d0f0d258a7f4b  efivar-34.tar.gz
+sha256 747bc4d97b4bd74979e5356c44a172534a8a07184f130349fd201742e683d292  efivar-35.tar.gz
 sha256 91df770634adc2755e78cae33a0d01e702ce2f69046408ae93d0d934ff29691b  COPYING
--- a/package/efivar/efivar.mk
+++ b/package/efivar/efivar.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-EFIVAR_VERSION = 34
+EFIVAR_VERSION = 35
 EFIVAR_SITE = $(call github,rhboot,efivar,$(EFIVAR_VERSION))
 EFIVAR_LICENSE = LGPL-2.1
 EFIVAR_LICENSE_FILES = COPYING
--- a/package/freescale-imx/firmware-imx/firmware-imx.mk
+++ b/package/freescale-imx/firmware-imx/firmware-imx.mk
@@ -35,7 +35,7 @@ endef

 define FIRMWARE_IMX_INSTALL_IMAGES_CMDS
 	# Create padded versions of lpddr4_pmu_* and generate lpddr4_pmu_train_fw.bin.
-	# lpddr4_pmu_train_fw.bin isneeded when generating imx-boot-imx8mqevk-sd.bin
+	# lpddr4_pmu_train_fw.bin is needed when generating imx8-boot-sd.bin
 	# which is done in post-image script.
 	$(call FIRMWARE_IMX_PREPARE_LPDDR4_FW,1d)
 	$(call FIRMWARE_IMX_PREPARE_LPDDR4_FW,2d)
--- a/package/fwts/fwts.mk
+++ b/package/fwts/fwts.mk
@@ -11,6 +11,7 @@ FWTS_LICENSE = GPL-2.0, LGPL-2.1, Custom
 FWTS_LICENSE_FILES = debian/copyright
 FWTS_AUTORECONF = YES
 FWTS_DEPENDENCIES = host-bison host-flex host-pkgconf json-c libglib2 libbsd \
+	$(if $(BR2_PACKAGE_BASH_COMPLETION),bash-completion) \
 	$(if $(BR2_PACKAGE_DTC),dtc)

 ifdef BR2_PACKAGE_FWTS_EFI_RUNTIME_MODULE
--- a/package/ghostscript/0002-Sanitize-op-stack-for-error-conditions.patch
+++ b/package/ghostscript/0002-Sanitize-op-stack-for-error-conditions.patch
@@ -0,0 +1,176 @@
+From a1de1e6ab51ab37a17975aad1193f2523e7e7e84 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 5 Dec 2018 12:22:13 +0000
+Subject: [PATCH] Sanitize op stack for error conditions
+
+We save the stacks to an array and store the array for the error handler to
+access.
+
+For SAFER, we traverse the array, and deep copy any op arrays (procedures). As
+we make these copies, we check for operators that do *not* exist in systemdict,
+when we find one, we replace the operator with a name object (of the form
+"/--opname--").
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 13b0a36f818
+
+ psi/int.mak  |  3 +-
+ psi/interp.c |  8 ++++++
+ psi/istack.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ psi/istack.h |  3 ++
+ 4 files changed, 91 insertions(+), 1 deletion(-)
+
+diff --git a/psi/int.mak b/psi/int.mak
+index 6ab5bf0069dd..6b349cb042dd 100644
+--- a/psi/int.mak
+++ b/psi/int.mak
+@@ -204,7 +204,8 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(GH)\
+ $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\
+  $(ierrors_h) $(gsstruct_h) $(gsutil_h)\
+  $(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\
+- $(store_h) $(INT_MAK) $(MAKEDIRS)
+ $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h) \
+ $(INT_MAK) $(MAKEDIRS)
+ 	$(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c
+ 
+ $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\
+diff --git a/psi/interp.c b/psi/interp.c
+index 6dc0ddae1b3c..aa5779c51420 100644
+--- a/psi/interp.c
+++ b/psi/interp.c
+@@ -761,6 +761,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+     uint size = ref_stack_count(pstack) - skip;
+     uint save_space = ialloc_space(idmemory);
+     int code, i;
+    ref *safety, *safe;
+ 
+     if (size > 65535)
+         size = 65535;
+@@ -778,6 +779,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+                 make_null(&arr->value.refs[i]);
+         }
+     }
+    if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 &&
+        dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) &&
+        safe->value.boolval == true) {
+        code = ref_stack_array_sanitize(i_ctx_p, arr, arr);
+        if (code < 0)
+            return code;
+    }
+     ialloc_set_space(idmemory, save_space);
+     return code;
+ }
+diff --git a/psi/istack.c b/psi/istack.c
+index 8fe151fa5628..f1a3e511534d 100644
+--- a/psi/istack.c
+++ b/psi/istack.c
+@@ -27,6 +27,10 @@
+ #include "iutil.h"
+ #include "ivmspace.h"		/* for local/global test */
+ #include "store.h"
+#include "icstate.h"
+#include "iname.h"
+#include "dstack.h"
+#include "idict.h"
+ 
+ /* Forward references */
+ static void init_block(ref_stack_t *pstack, const ref *pblock_array,
+@@ -294,6 +298,80 @@ ref_stack_store_check(const ref_stack_t *pstack, ref *parray, uint count,
+     return 0;
+ }
+ 
+int
+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr)
+{
+    int i, code;
+    ref obj, arr2;
+    ref *pobj2;
+    gs_memory_t *mem = (gs_memory_t *)idmemory->current;
+
+    if (!r_is_array(sarr) || !r_has_type(darr, t_array))
+        return_error(gs_error_typecheck);
+
+    for (i = 0; i < r_size(sarr); i++) {
+        code = array_get(mem, sarr, i, &obj);
+        if (code < 0)
+            make_null(&obj);
+        switch(r_type(&obj)) {
+          case t_operator:
+          {
+            int index = op_index(&obj);
+
+            if (index > 0 && index < op_def_count) {
+                const byte *data = (const byte *)(op_index_def(index)->oname + 1);
+                if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) {
+                    byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize");
+                    if (s) {
+                        s[0] =  '\0';
+                        strcpy((char *)s, "--");
+                        strcpy((char *)s + 2, (char *)data);
+                        strcpy((char *)s + strlen((char *)data) + 2, "--");
+                    }
+                    else {
+                        s = (byte *)data;
+                    }
+                    code = name_ref(imemory, s, strlen((char *)s), &obj, 1);
+                    if (code < 0) make_null(&obj);
+                    if (s != data)
+                        gs_free_object(mem, s, "ref_stack_array_sanitize");
+                }
+            }
+            else {
+                make_null(&obj);
+            }
+            ref_assign(darr->value.refs + i, &obj);
+            break;
+          }
+          case t_array:
+          case t_shortarray:
+          case t_mixedarray:
+          {
+            int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable);
+            /* We only want to copy executable arrays */
+            if (attrs & (a_execute | a_executable)) {
+                code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize");
+                if (code < 0) {
+                    make_null(&arr2);
+                }
+                else {
+                    code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2);
+                }
+                ref_assign(darr->value.refs + i, &arr2);
+            }
+            else {
+                ref_assign(darr->value.refs + i, &obj);
+            }
+            break;
+          }
+          default:
+            ref_assign(darr->value.refs + i, &obj);
+        }
+    }
+    return 0;
+}
+
+
+ /*
+  * Store the top 'count' elements of a stack, starting 'skip' elements below
+  * the top, into an array, with or without store/undo checking.  age=-1 for
+diff --git a/psi/istack.h b/psi/istack.h
+index 051dcbe216cf..54be405adfb3 100644
+--- a/psi/istack.h
+++ b/psi/istack.h
+@@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *pstack, ref *parray, uint count,
+                     uint skip, int age, bool check,
+                     gs_dual_memory_t *idmem, client_name_t cname);
+ 
+int
+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr);
+
+ /*
+  * Pop the top N elements off a stack.
+  * The number must not exceed the number of elements in use.
+-- 
+2.20.1
+
--- a/package/ghostscript/0003-Any-transient-procedures-that-call-.force-operators.patch
+++ b/package/ghostscript/0003-Any-transient-procedures-that-call-.force-operators.patch
@@ -0,0 +1,441 @@
+From f0397dbfbe5eea325613ff375b30eb0db5551ffe Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 13 Dec 2018 15:28:34 +0000
+Subject: [PATCH] Any transient procedures that call .force* operators
+
+(i.e. for conditionals or loops) make them executeonly.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 2db98f9c661
+
+ Resource/Init/gs_diskn.ps |  2 +-
+ Resource/Init/gs_dps1.ps  |  4 ++--
+ Resource/Init/gs_fntem.ps |  4 ++--
+ Resource/Init/gs_fonts.ps | 12 ++++++------
+ Resource/Init/gs_init.ps  |  4 ++--
+ Resource/Init/gs_lev2.ps  | 11 ++++++-----
+ Resource/Init/gs_pdfwr.ps |  2 +-
+ Resource/Init/gs_res.ps   |  4 ++--
+ Resource/Init/gs_setpd.ps |  2 +-
+ Resource/Init/pdf_base.ps | 13 ++++++++-----
+ Resource/Init/pdf_draw.ps | 16 +++++++++-------
+ Resource/Init/pdf_font.ps |  6 +++---
+ Resource/Init/pdf_main.ps |  4 ++--
+ Resource/Init/pdf_ops.ps  |  7 ++++---
+ 14 files changed, 49 insertions(+), 42 deletions(-)
+
+diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps
+index fd694bc44b5a..8bf20542040d 100644
+--- a/Resource/Init/gs_diskn.ps
+++ b/Resource/Init/gs_diskn.ps
+@@ -51,7 +51,7 @@ systemdict begin
+     mark 5 1 roll ] mark exch { { } forall } forall ]
+     //systemdict /.searchabledevs 2 index .forceput
+     exch .setglobal
+-  }
+  } executeonly
+   if
+ } .bind executeonly odef % must be bound and hidden for .forceput
+ 
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index ec5db61b9f03..4fae2839940c 100644
+--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
+@@ -78,7 +78,7 @@ level2dict begin
+    .currentglobal
+     {		% Current mode is global; delete from local directory too.
+       //systemdict /LocalFontDirectory .knownget
+-       { 1 index .forceundef }		% LocalFontDirectory is readonly
+       { 1 index .forceundef } executeonly		% LocalFontDirectory is readonly
+       if
+     }
+     {		% Current mode is local; if there was a shadowed global
+@@ -126,7 +126,7 @@ level2dict begin
+           }
+          ifelse
+        } forall
+-      pop counttomark 2 idiv { .forceundef } repeat pop		% readonly
+      pop counttomark 2 idiv { .forceundef } executeonly repeat pop		% readonly
+     }
+    if
+    //SharedFontDirectory exch .forcecopynew pop
+diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps
+index c1f7651f18cc..6eb672a6840e 100644
+--- a/Resource/Init/gs_fntem.ps
+++ b/Resource/Init/gs_fntem.ps
+@@ -401,12 +401,12 @@ currentdict end def
+       .forceput % FontInfo can be read-only.
+       pop                                                        % bool <font>
+       exit
+-    } if
+    } executeonly if
+     dup /FontInfo get                                            % bool <font> <FI>
+     /GlyphNames2Unicode /Unicode /Decoding findresource
+     .forceput % FontInfo can be read-only.
+     exit
+-  } loop
+  } executeonly loop
+   exch setglobal
+ } .bind executeonly odef % must be bound and hidden for .forceput
+ 
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index 803faca4918d..290da0cd6819 100644
+--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
+@@ -374,7 +374,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /.setnativefontmapbuilt { % set whether we've been run
+   dup type /booleantype eq {
+       systemdict exch /.nativefontmapbuilt exch .forceput
+-  }
+  } executeonly
+   {pop}
+   ifelse
+ } .bind executeonly odef
+@@ -1007,11 +1007,11 @@ $error /SubstituteFont { } put
+ { 2 index gcheck currentglobal
+   2 copy eq {
+     pop pop .forceput
+-  } {
+  } executeonly {
+     5 1 roll setglobal
+     dup length string copy
+     .forceput setglobal
+-  } ifelse
+  } executeonly ifelse
+ } .bind executeonly odef % must be bound and hidden for .forceput
+ 
+ % Attempt to load a font from a file.
+@@ -1084,7 +1084,7 @@ $error /SubstituteFont { } put
+            .FontDirectory 3 index .forceundef		% readonly
+            1 index (r) file .loadfont .FontDirectory exch
+            /.setglobal .systemvar exec
+-         }
+         } executeonly
+          { .loadfont .FontDirectory
+          }
+         ifelse
+@@ -1105,7 +1105,7 @@ $error /SubstituteFont { } put
+         dup 3 index .fontknownget
+          { dup /PathLoad 4 index .putgstringcopy
+            4 1 roll pop pop pop //true exit
+-         } if
+         } executeonly if
+ 
+                 % Maybe the file had a different FontName.
+                 % See if we can get a FontName from the file, and if so,
+@@ -1134,7 +1134,7 @@ $error /SubstituteFont { } put
+               ifelse  % Stack: origfontname fontdict
+               exch pop //true exit
+                       % Stack: fontdict
+-            }
+            } executeonly
+            if pop % Stack: origfontname fontdirectory path
+          }
+         if pop pop  % Stack: origfontname
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index d733124b96d1..56c0bd268b53 100644
+--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
+@@ -2357,7 +2357,7 @@ SAFER { .setsafeglobal } if
+         % Update the copy of the user parameters.
+   mark .currentuserparams counttomark 2 idiv {
+     userparams 3 1 roll .forceput	% userparams is read-only
+-  } repeat pop
+  } executeonly repeat pop
+         % Turn on idiom recognition, if available.
+   currentuserparams /IdiomRecognition known {
+     /IdiomRecognition //true .definepsuserparam
+@@ -2376,7 +2376,7 @@ SAFER { .setsafeglobal } if
+         % Remove real system params from pssystemparams.
+   mark .currentsystemparams counttomark 2 idiv {
+     pop pssystemparams exch .forceundef
+-  } repeat pop
+  } executeonly repeat pop
+ } if
+ 
+ % Set up AlignToPixels :
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 44fe61956659..0f0d57331c23 100644
+--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
+@@ -154,7 +154,8 @@ end
+       % protect top level of parameters that we copied
+       dup type dup /arraytype eq exch /stringtype eq or { readonly } if
+       /userparams .systemvar 3 1 roll .forceput  % userparams is read-only
+-    } {
+    } executeonly
+    {
+       pop pop
+     } ifelse
+   } forall
+@@ -224,7 +225,7 @@ end
+          % protect top level parameters that we copied
+          dup type dup /arraytype eq exch /stringtype eq or { readonly } if
+          //pssystemparams 3 1 roll .forceput	% pssystemparams is read-only
+-       }
+       } executeonly
+        { pop pop
+        }
+       ifelse
+@@ -934,7 +935,7 @@ mark
+   dup /PaintProc get
+   1 index /Implementation known not {
+     1 index dup /Implementation //null .forceput readonly pop
+-  } if
+  } executeonly if
+   exec
+ }.bind odef
+ 
+@@ -958,7 +959,7 @@ mark
+   dup /PaintProc get
+   1 index /Implementation known not {
+     1 index dup /Implementation //null .forceput readonly pop
+-  } if
+  } executeonly if
+   /UNROLLFORMS where {/UNROLLFORMS get}{false}ifelse not
+   %% [CTM] <<Form>> PaintProc .beginform -
+   {
+@@ -1005,7 +1006,7 @@ mark
+         %% Form dictioanry using the /Implementation key).
+         1 dict dup /FormID 4 -1 roll put
+         1 index exch /Implementation exch .forceput readonly pop
+-      }
+      } executeonly
+       ifelse
+     }
+     {
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index 58e75d3a4831..b425103d1cf3 100644
+--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
+@@ -650,7 +650,7 @@ currentdict /.pdfmarkparams .undef
+             } ifelse
+           } bind .makeoperator .forceput
+           systemdict /.pdf_hooked_DSC_Creator //true .forceput
+-        } if
+        } executeonly if
+         pop
+       } if
+     } {
+diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
+index 8eb8bb0e5829..d9b34599e7c2 100644
+--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
+@@ -152,7 +152,7 @@ setglobal
+                 % use .forceput / .forcedef later to replace the dummy,
+                 % empty .Instances dictionary with the real one later.
+           readonly
+-        } {
+        }{
+           /defineresource cvx /typecheck signaloperror
+         } ifelse
+ } bind executeonly odef
+@@ -424,7 +424,7 @@ status {
+                         % As noted above, Category dictionaries are read-only,
+                         % so we have to use .forcedef here.
+                   /.Instances 1 index .forcedef	% Category dict is read-only
+-                } if
+                } executeonly if
+               }
+               { .LocalInstances dup //.emptydict eq
+                  { pop 3 dict localinstancedict Category 2 index put
+diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps
+index e22597ebb5f3..7875d1f2f131 100644
+--- a/Resource/Init/gs_setpd.ps
+++ b/Resource/Init/gs_setpd.ps
+@@ -634,7 +634,7 @@ NOMEDIAATTRS {
+   SETPDDEBUG { (Rolling back.) = pstack flush } if
+   3 index 2 index 3 -1 roll .forceput
+   4 index 1 index .knownget
+-  { 4 index 3 1 roll .forceput }
+  { 4 index 3 1 roll .forceput } executeonly
+   { 3 index exch .undef }
+   ifelse
+ } bind executeonly odef
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index b45e9803165e..73127296c221 100644
+--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
+@@ -130,26 +130,29 @@ currentdict /num-chars-dict .undef
+ 
+ /.pdfexectoken {		% <count> <opdict> <exectoken> .pdfexectoken ?
+   PDFDEBUG {
+-    pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } if
+    pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+     PDFSTEP {
+       pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+       PDFSTEPcount 1 gt {
+         pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+-      } {
+      } executeonly
+      {
+         dup ==only
+         (    step # ) print PDFtokencount =only
+         ( ? ) print flush 1 //false .outputpage
+         (%stdin) (r) file 255 string readline {
+           token {
+             exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
+-          } {
+          } executeonly
+          {
+             pdfdict /PDFSTEPcount 1 .forceput
+-          } ifelse % token
+          } executeonly ifelse % token
+         } {
+           pop /PDFSTEP //false def	 % EOF on stdin
+         } ifelse % readline
+       } ifelse % PDFSTEPcount > 1
+-    } {
+    } executeonly
+    {
+       dup ==only () = flush
+     } ifelse % PDFSTEP
+   } if % PDFDEBUG
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 6b0ba93e1e73..40c6ac80acce 100644
+--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
+@@ -1118,14 +1118,14 @@ currentdict end readonly def
+           pdfdict /.Qqwarning_issued //true .forceput
+           .setglobal
+           pdfformaterror
+-        } ifelse
+        } executeonly ifelse
+       }
+       {
+         currentglobal pdfdict gcheck .setglobal
+         pdfdict /.Qqwarning_issued //true .forceput
+         .setglobal
+         pdfformaterror
+-      } ifelse
+      } executeonly ifelse
+       end
+     } ifelse
+   } loop
+@@ -1141,14 +1141,14 @@ currentdict end readonly def
+         pdfdict /.Qqwarning_issued //true .forceput
+         .setglobal
+         pdfformaterror
+-      } ifelse
+      } executeonly ifelse
+     }
+     {
+       currentglobal pdfdict gcheck .setglobal
+       pdfdict /.Qqwarning_issued //true .forceput
+       .setglobal
+       pdfformaterror
+-    } ifelse
+    } executeonly ifelse
+   } if
+   pop
+ 
+@@ -2350,9 +2350,10 @@ currentdict /last-ditch-bpc-csp undef
+ /IncrementAppearanceNumber {
+   pdfdict /AppearanceNumber .knownget {
+     1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
+-  }{
+  } executeonly
+  {
+     pdfdict /AppearanceNumber 0 .forceput
+-  } ifelse
+  } executeonly ifelse
+ }bind executeonly odef
+ 
+ /MakeAppearanceName {
+@@ -2510,7 +2511,8 @@ currentdict /last-ditch-bpc-csp undef
+     %% want to preserve it.
+     pdfdict /.PreservePDFForm false .forceput
+     /q cvx /execform cvx 5 -2 roll
+-  }{
+  } executeonly
+  {
+     /q cvx /PDFexecform cvx 5 -2 roll
+   } ifelse
+ 
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index bea9ea95ad1d..4cd62b9d9bb4 100644
+--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
+@@ -714,7 +714,7 @@ currentdict end readonly def
+     pop pop pop
+     currentdict /.stackdepth .forceundef
+     currentdict /.dstackdepth .forceundef
+-  }
+  } executeonly
+   {pop pop pop}
+   ifelse
+ 
+@@ -1232,7 +1232,7 @@ currentdict /eexec_pdf_param_dict .undef
+                 (\n   **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n               Output may be incorrect.\n)
+                 pdfformatwarning
+                 pdfdict /.Qqwarning_issued //true .forceput
+-              } if
+              } executeonly if
+               Q
+             } repeat
+             Q
+@@ -2016,7 +2016,7 @@ currentdict /CMap_read_dict undef
+               /CIDFallBack /CIDFont findresource
+             } if
+             exit
+-          } if
+          } executeonly if
+         } if
+       } if
+ 
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 00da47a48711..37e69b39ac98 100644
+--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
+@@ -2701,14 +2701,14 @@ currentdict /PDF2PS_matrix_key undef
+           pdfdict /.Qqwarning_issued //true .forceput
+           .setglobal
+           pdfformaterror
+-        } ifelse
+        } executeonly ifelse
+       }
+       {
+         currentglobal pdfdict gcheck .setglobal
+         pdfdict /.Qqwarning_issued //true .forceput
+         .setglobal
+         pdfformaterror
+-      } ifelse
+      } executeonly ifelse
+     } if
+   } if
+   pop
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 8672d617f363..aa0964139a56 100644
+--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
+@@ -184,14 +184,14 @@ currentdict /gput_always_allow .undef
+         pdfdict /.Qqwarning_issued //true .forceput
+         .setglobal
+         pdfformaterror
+-      } ifelse
+      } executeonly ifelse
+     }
+     {
+       currentglobal pdfdict gcheck .setglobal
+       pdfdict /.Qqwarning_issued //true .forceput
+       .setglobal
+       pdfformaterror
+-    } ifelse
+    } executeonly ifelse
+   } if
+ } bind executeonly odef
+ 
+@@ -439,7 +439,8 @@ currentdict /gput_always_allow .undef
+   dup type /booleantype eq {
+     .currentSMask type /dicttype eq {
+       .currentSMask /Processed 2 index .forceput
+-    } {
+  } executeonly
+  {
+       .setSMask
+   }ifelse
+   }{
+-- 
+2.20.1
+
--- a/package/ghostscript/0004-Bug700317-Fix-logic-for-an-older-change.patch
+++ b/package/ghostscript/0004-Bug700317-Fix-logic-for-an-older-change.patch
@@ -0,0 +1,31 @@
+From af9a9dceb7be7df743d55c4d078a1ae846b6f556 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Sat, 15 Dec 2018 09:08:32 +0000
+Subject: [PATCH] Bug700317: Fix logic for an older change
+
+Unlike almost every other function in gs, dict_find_string() returns 1 on
+success 0 or <0 on failure. The logic for this case was wrong.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 99f13091a3
+
+ psi/interp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/interp.c b/psi/interp.c
+index aa5779c51420..f6c45bbe24dc 100644
+--- a/psi/interp.c
+++ b/psi/interp.c
+@@ -703,7 +703,7 @@ again:
+                  * i.e. it's an internal operator we have hidden
+                  */
+                 code = dict_find_string(systemdict, (const char *)bufptr, &tobj);
+-                if (code < 0) {
+                if (code <= 0) {
+                     buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
+                     rlen += 4;
+                     bufptr = buf;
+-- 
+2.20.1
+
--- a/package/ghostscript/0005-Harden-some-uses-of-.force-operators.patch
+++ b/package/ghostscript/0005-Harden-some-uses-of-.force-operators.patch
@@ -0,0 +1,135 @@
+From b197ea0e528c20b7ee67785c50b4e06e0aa990f8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 18 Dec 2018 10:42:10 +0000
+Subject: [PATCH] Harden some uses of .force* operators
+
+by adding a few immediate evalutions
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 59d8f4deef90
+
+ Resource/Init/gs_dps1.ps  |  4 ++--
+ Resource/Init/gs_fonts.ps | 20 ++++++++++----------
+ Resource/Init/gs_init.ps  |  6 +++---
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index 4fae2839940c..b75ea14e77a3 100644
+--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
+@@ -74,7 +74,7 @@ level2dict begin
+  } odef
+ % undefinefont has to take local/global VM into account.
+ /undefinefont		% <fontname> undefinefont -
+- { .FontDirectory 1 .argindex .forceundef	% FontDirectory is readonly
+ { //.FontDirectory 1 .argindex .forceundef	% FontDirectory is readonly
+    .currentglobal
+     {		% Current mode is global; delete from local directory too.
+       //systemdict /LocalFontDirectory .knownget
+@@ -85,7 +85,7 @@ level2dict begin
+                 % definition, copy it into the local directory.
+       //systemdict /SharedFontDirectory .knownget
+        { 1 index .knownget
+-          { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+          { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+          if
+        }
+       if
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index 290da0cd6819..c13a2fcc2d43 100644
+--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
+@@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put
+       if
+     }
+    if
+-   dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse	% readonly
+   dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse	% readonly
+                 % If the font originated as a resource, register it.
+    currentfile .currentresourcefile eq { dup .registerfont } if
+    readonly
+@@ -943,7 +943,7 @@ $error /SubstituteFont { } put
+ % Try to find a font using only the present contents of Fontmap.
+ /.tryfindfont {         % <fontname> .tryfindfont <font> true
+                         % <fontname> .tryfindfont false
+-  .FontDirectory 1 index .fontknownget
+  //.FontDirectory 1 index .fontknownget
+     {                   % Already loaded
+       exch pop //true
+     }
+@@ -975,7 +975,7 @@ $error /SubstituteFont { } put
+                {                % Font with a procedural definition
+                  exec           % The procedure will load the font.
+                                 % Check to make sure this really happened.
+-                 .FontDirectory 1 index .knownget
+                 //.FontDirectory 1 index .knownget
+                   { exch pop //true exit }
+                  if
+                }
+@@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put
+                 % because it's different depending on language level.
+            .currentglobal exch /.setglobal .systemvar exec
+                 % Remove the fake definition, if any.
+-           .FontDirectory 3 index .forceundef		% readonly
+-           1 index (r) file .loadfont .FontDirectory exch
+           //.FontDirectory 3 index .forceundef		% readonly
+           1 index (r) file .loadfont //.FontDirectory exch
+            /.setglobal .systemvar exec
+          } executeonly
+-         { .loadfont .FontDirectory
+         { .loadfont //.FontDirectory
+          }
+         ifelse
+                 % Stack: fontname fontfilename fontdirectory
+@@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put
+                       % Stack: origfontname fontdirectory filefontname fontdict
+               3 -1 roll pop
+                       % Stack: origfontname filefontname fontdict
+-              dup /FontName get dup FontDirectory exch .forceundef
+-              GlobalFontDirectory exch .forceundef
+              dup /FontName get dup //.FontDirectory exch .forceundef
+              /GlobalFontDirectory .systemvar exch .forceundef
+               dup length dict .copydict dup 3 index /FontName exch put
+               2 index exch definefont
+               exch
+@@ -1176,10 +1176,10 @@ currentdict /.putgstringcopy .undef
+       {
+         {
+           pop dup type /stringtype eq { cvn } if
+-          .FontDirectory 1 index known not {
+          //.FontDirectory 1 index known not {
+             2 dict dup /FontName 3 index put
+             dup /FontType 1 put
+-            .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse   % readonly
+            //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse   % readonly
+           } {
+             pop
+           } ifelse
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 56c0bd268b53..d9a0829f7f97 100644
+--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
+@@ -1168,8 +1168,8 @@ errordict /unknownerror .undef
+     }ifelse
+   }forall
+   noaccess pop
+-  systemdict /.setsafeerrors .forceundef
+-  systemdict /.SAFERERRORLIST .forceundef
+  //systemdict /.setsafeerrors .forceundef
+  //systemdict /.SAFERERRORLIST .forceundef
+ } bind executeonly odef
+ 
+ SAFERERRORS {.setsafererrors} if
+@@ -2114,7 +2114,7 @@ currentdict /tempfilepaths undef
+ 
+ /.locksafe {
+   .locksafe_userparams
+-  systemdict /getenv {pop //false} .forceput
+  //systemdict /getenv {pop //false} .forceput
+   % setpagedevice has the side effect of clearing the page, but
+   % we will just document that. Using setpagedevice keeps the device
+   % properties and pagedevice .LockSafetyParams in agreement even
+-- 
+2.20.1
+
--- a/package/ghostscript/0006-Undefine-a-bunch-of-gs_fonts.ps-specific-procs.patch
+++ b/package/ghostscript/0006-Undefine-a-bunch-of-gs_fonts.ps-specific-procs.patch
@@ -0,0 +1,587 @@
+From 5628be1c41d23298aa5fce2f6dd48e2eb81f4be1 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 9 Jan 2019 14:24:07 +0000
+Subject: [PATCH] Undefine a bunch of gs_fonts.ps specific procs
+
+Also reorder and add some immediate evaluation, so it still works with the
+undefining.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 2768d1a6dddb
+
+ Resource/Init/gs_dps1.ps  |   3 +-
+ Resource/Init/gs_fonts.ps | 275 +++++++++++++++++++++-----------------
+ Resource/Init/gs_res.ps   |   6 +-
+ 3 files changed, 156 insertions(+), 128 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index b75ea14e77a3..8700c8cb304b 100644
+--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
+@@ -67,7 +67,8 @@ level2dict begin
+ 
+ /selectfont		% <fontname> <size> selectfont -
+  {
+-   { 1 .argindex findfont
+   {
+     1 .argindex findfont
+      1 index dup type /arraytype eq { makefont } { scalefont } ifelse
+      setfont pop pop
+    } stopped { /selectfont .systemvar $error /errorname get signalerror } if
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index c13a2fcc2d43..056223544340 100644
+--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
+@@ -100,7 +100,7 @@ userdict /.nativeFontmap .FontDirectory maxlength dict put
+        { 2 index token not
+           { (Fontmap entry for ) print 1 index =only
+             ( ends prematurely!  Giving up.) = flush
+-            {.loadFontmap} 0 get 1 .quit
+            {//.loadFontmap exec} 0 get 1 .quit
+           } if
+          dup /; eq { pop 3 index 3 1 roll .growput exit } if
+          pop
+@@ -202,6 +202,14 @@ NOFONTPATH { /FONTPATH () def } if
+  { pop }
+  { /FONTPATH (GS_FONTPATH) getenv not { () } if def }
+ ifelse
+
+% The following are dummy definitions that, if we have a FONTPATH, will
+% be replaced in the following section.
+% They are here so immediately evaulation will work, and allow them to
+% undefined at the bottom of the file.
+/.scanfontbegin{} bind def
+/.scanfontdir {} bind def
+
+ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /FONTPATH [ FONTPATH .pathlist ] def
+ 
+@@ -242,12 +250,12 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /.scanfontbegin
+  {      % Construct the table of all file names already in Fontmap.
+    currentglobal //true setglobal
+-   .scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength
+   //.scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength
+    Fontmap
+     { exch pop
+        { dup type /stringtype eq
+-          { .splitfilename pop .fonttempstring copy .lowerstring cvn
+-            .scanfontdict exch //true put
+          { //.splitfilename exec pop //.fonttempstring copy //.lowerstring exec cvn
+            //.scanfontdict exch //true put
+           }
+           { pop
+           }
+@@ -280,9 +288,9 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+   /txt //true
+ .dicttomark def
+ /.scan1fontstring 8192 string def
+-% %%BeginFont: is not per Adobe documentation, but a few fonts have it.
+% BeginFont: is not per Adobe documentation, but a few fonts have it.
+ /.scanfontheaders [(%!PS-Adobe*) (%!FontType*) (%%BeginFont:*)] def
+-0 .scanfontheaders { length .max } forall 6 add % extra for PFB header
+0 //.scanfontheaders { length .max } forall 6 add % extra for PFB header
+ /.scan1fontfirst exch string def
+ /.scanfontdir           % <dirname> .scanfontdir -
+  { currentglobal exch //true setglobal
+@@ -291,10 +299,10 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+    0 0 0 4 -1 roll      % found scanned files
+     {           % stack: <fontcount> <scancount> <filecount> <filename>
+       exch 1 add exch                   % increment filecount
+-      dup .splitfilename .fonttempstring copy .lowerstring
+      dup //.splitfilename exec //.fonttempstring copy //.lowerstring exec
+                 % stack: <fontcount> <scancount> <filecount+1> <filename>
+                 %       <BASE> <ext>
+-      .scanfontskip exch known exch .scanfontdict exch known or
+      //.scanfontskip exch known exch //.scanfontdict exch known or
+        { pop
+                 % stack: <fontcount> <scancount> <filecount+1>
+        }
+@@ -309,7 +317,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+                 % On some platforms, the file operator will open directories,
+                 % but an error will occur if we try to read from one.
+                 % Handle this possibility here.
+-            dup .scan1fontfirst { readstring } .internalstopped
+            dup //.scan1fontfirst { readstring } .internalstopped
+              { pop pop () }
+              { pop }
+             ifelse
+@@ -322,7 +330,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+           { dup length 6 sub 6 exch getinterval }
+          if
+                 % Check for font file headers.
+-         //false .scanfontheaders
+         //false //.scanfontheaders
+           { 2 index exch .stringmatch or
+           }
+          forall exch pop
+@@ -335,7 +343,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+                 { exch copystring exch
+                   DEBUG { ( ) print dup =only flush } if
+                   1 index .definenativefontmap
+-                  .splitfilename pop //true .scanfontdict 3 1 roll .growput
+                  //.splitfilename exec pop //true //.scanfontdict 3 1 roll .growput
+                         % Increment fontcount.
+                   3 -1 roll 1 add 3 1 roll
+                 }
+@@ -352,7 +360,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+        }
+       ifelse
+     }
+-   .scan1fontstring filenameforall
+   //.scan1fontstring filenameforall
+    QUIET
+     { pop pop pop }
+     { ( ) print =only ( files, ) print =only ( scanned, ) print
+@@ -422,7 +430,6 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
+     //true .setnativefontmapbuilt
+   } ifelse
+ } bind def
+-currentdict /.setnativefontmapbuilt .forceundef
+ 
+ % Create the dictionary that registers the .buildfont procedure
+ % (called by definefont) for each FontType.
+@@ -526,7 +533,8 @@ buildfontdict 3 /.buildfont3 cvx put
+ % We use this only for explicitly aliased fonts, not substituted fonts:
+ % we think this matches the observed behavior of Adobe interpreters.
+ /.aliasfont             % <name> <font> .aliasfont <newFont>
+- { .currentglobal 3 1 roll dup .gcheck .setglobal
+ {
+   currentglobal 3 1 roll dup gcheck setglobal
+                              % <bool> <name> <font>
+    dup length 2 add dict     % <bool> <name> <font> <dict>
+    dup 3 -1 roll             % <bool> <name> <dict> <dict> <font>
+@@ -541,7 +549,7 @@ buildfontdict 3 /.buildfont3 cvx put
+                 % whose FontName is a local non-string, if someone passed a
+                 % garbage value to findfont.  In this case, just don't
+                 % call definefont at all.
+-   2 index dup type /stringtype eq exch .gcheck or 1 index .gcheck not or
+    2 index dup type /stringtype eq exch gcheck or 1 index gcheck not or
+     { pop                              % <bool> <name> <dict>
+       1 index dup type /stringtype eq { cvn } if
+                                        % <bool> <name> <dict> <name1>
+@@ -566,10 +574,11 @@ buildfontdict 3 /.buildfont3 cvx put
+                 % Don't bind in definefont, since Level 2 redefines it.
+       /definefont .systemvar exec
+     }
+-    { /findfont cvx {.completefont} .errorexec pop exch pop
+    {
+      /findfont cvx {.completefont} //.errorexec exec pop exch pop
+     }
+    ifelse
+-   exch .setglobal
+   exch setglobal
+  } odef         % so findfont will bind it
+ 
+ % Define .loadfontfile for loading a font.  If we recognize Type 1 and/or
+@@ -669,10 +678,19 @@ buildfontdict 3 /.buildfont3 cvx put
+   [(Cn) 4] [(Cond) 4] [(Narrow) 4] [(Pkg) 4] [(Compr) 4]
+   [(Serif) 8] [(Sans) -8]
+ ] readonly def
+
+/.fontnamestring {              % <fontname> .fontnamestring <string|name>
+  dup type dup /nametype eq {
+    pop .namestring
+  } {
+    /stringtype ne { pop () } if
+  } ifelse
+} bind def
+
+ /.fontnameproperties {          % <int> <string|name> .fontnameproperties
+                                 %   <int'>
+-  .fontnamestring
+-  .substituteproperties {
+  //.fontnamestring exec
+  //.substituteproperties {
+     2 copy 0 get search {
+       pop pop pop dup length 1 sub 1 exch getinterval 3 -1 roll exch {
+         dup 0 ge { or } { neg not and } ifelse
+@@ -710,13 +728,7 @@ buildfontdict 3 /.buildfont3 cvx put
+                                 % <other> .nametostring <other>
+   dup type /nametype eq { .namestring } if
+ } bind def
+-/.fontnamestring {              % <fontname> .fontnamestring <string|name>
+-  dup type dup /nametype eq {
+-    pop .namestring
+-  } {
+-    /stringtype ne { pop () } if
+-  } ifelse
+-} bind def
+
+ /.substitutefontname {          % <fontname> <properties> .substitutefontname
+                                 %   <altname|null>
+         % Look for properties and/or a face name in the font name.
+@@ -724,7 +736,7 @@ buildfontdict 3 /.buildfont3 cvx put
+         % base font; otherwise, use the default font.
+         % Note that the "substituted" font name may be the same as
+         % the requested one; the caller must check this.
+-  exch .fontnamestring {
+  exch //.fontnamestring exec {
+     defaultfontname /Helvetica-Oblique /Helvetica-Bold /Helvetica-BoldOblique
+     /Helvetica-Narrow /Helvetica-Narrow-Oblique
+     /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique
+@@ -734,12 +746,12 @@ buildfontdict 3 /.buildfont3 cvx put
+   } 3 1 roll
+         % Stack: facelist properties fontname
+         % Look for a face name.
+-  .substitutefaces {
+  //.substitutefaces {
+     2 copy 0 get search {
+       pop pop pop
+         % Stack: facelist properties fontname [(pattern) family properties]
+       dup 2 get 4 -1 roll or 3 1 roll
+-      1 get .substitutefamilies exch get
+      1 get //.substitutefamilies exch get
+       4 -1 roll pop 3 1 roll
+     } {
+       pop pop
+@@ -748,7 +760,7 @@ buildfontdict 3 /.buildfont3 cvx put
+   1 index length mod get exec
+ } bind def
+ /.substitutefont {              % <fontname> .substitutefont <altname>
+-  dup 0 exch .fontnameproperties .substitutefontname
+  dup 0 exch //.fontnameproperties exec .substitutefontname
+         % Only accept fonts known in the Fontmap.
+    Fontmap 1 index known not
+    {
+@@ -814,7 +826,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if
+   counttomark 1 sub { .aliasfont } repeat end
+                       % <fontname> mark <font>
+   exch pop exch pop
+-} odef
+} bind odef
+ /findfont {
+   .findfont
+ } bind def
+@@ -860,7 +872,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if
+       } {
+         dup .substitutefont
+         2 copy eq { pop defaultfontname } if
+-        .checkalias
+        //.checkalias exec
+         QUIET not {
+           SHORTERRORS {
+             (%%[) print 1 index =only
+@@ -886,8 +898,8 @@ $error /SubstituteFont { } put
+   //null 0 1 FONTPATH length 1 sub {
+     FONTPATH 1 index get //null ne { exch pop exit } if pop
+   } for dup //null ne {
+-    dup 0 eq { .scanfontbegin } if
+-    FONTPATH 1 index get .scanfontdir
+    dup 0 eq { //.scanfontbegin exec} if
+    FONTPATH 1 index get //.scanfontdir exec
+     FONTPATH exch //null put //true
+   } {
+     pop //false
+@@ -897,11 +909,10 @@ $error /SubstituteFont { } put
+ % scanning of FONTPATH.
+ /.dofindfont {   %  mark <fontname> .dofindfont % mark <alias> ... <font>
+   .tryfindfont not {
+-
+                         % We didn't find the font.  If we haven't scanned
+                         % all the directories in FONTPATH, scan the next one
+                         % now and look for the font again.
+-    .scannextfontdir {
+    //.scannextfontdir exec {
+                         % Start over with an empty alias list.
+       counttomark 1 sub { pop } repeat    % mark <fontname>
+       .dofindfont
+@@ -927,6 +938,7 @@ $error /SubstituteFont { } put
+         } if
+                         % Substitute for the font.  Don't alias.
+                         % Same stack as at the beginning of .dofindfont.
+
+         $error /SubstituteFont get exec
+                          %
+                          % igorm: I guess the surrounding code assumes that .stdsubstfont
+@@ -935,72 +947,11 @@ $error /SubstituteFont { } put
+                          % used in .dofindfont and through .stdsubstfont
+                          % just to represent a simple iteration,
+                          % which accumulates the aliases after the mark.
+-        .stdsubstfont
+        //.stdsubstfont exec
+       } ifelse
+     } ifelse
+   } if
+ } bind def
+-% Try to find a font using only the present contents of Fontmap.
+-/.tryfindfont {         % <fontname> .tryfindfont <font> true
+-                        % <fontname> .tryfindfont false
+-  //.FontDirectory 1 index .fontknownget
+-    {                   % Already loaded
+-      exch pop //true
+-    }
+-    {
+-       dup Fontmap exch .knownget
+-       { //true //true }
+-       {                % Unknown font name.  Look for a file with the
+-                        % same name as the requested font.
+-         dup .tryloadfont
+-         { exch pop //true //false }
+-         {
+-           % if we can't load by name check the native font map
+-           dup .nativeFontmap exch .knownget
+-           { //true //true }
+-           { //false //false } ifelse
+-         } ifelse
+-       } ifelse
+-
+-       {                % Try each element of the Fontmap in turn.
+-         pop
+-         //false exch   % (in case we exhaust the list)
+-                        % Stack: fontname false fontmaplist
+-         { exch pop
+-           dup type /nametype eq
+-            {                   % Font alias
+-              .checkalias .tryfindfont exit
+-            }
+-            { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and
+-               {                % Font with a procedural definition
+-                 exec           % The procedure will load the font.
+-                                % Check to make sure this really happened.
+-                 //.FontDirectory 1 index .knownget
+-                  { exch pop //true exit }
+-                 if
+-               }
+-               {                % Font file name
+-                 //true .loadfontloop { //true exit } if
+-               }
+-              ifelse
+-            }
+-           ifelse //false
+-         }
+-         forall
+-                        % Stack: font true -or- fontname false
+-         { //true
+-         }
+-         {                      % None of the Fontmap entries worked.
+-                                % Try loading a file with the same name
+-                                % as the requested font.
+-           .tryloadfont
+-         }
+-        ifelse
+-       }
+-      if
+-    }
+-   ifelse
+- } bind def
+ 
+ % any user of .putgstringcopy must use bind and executeonly
+ /.putgstringcopy  %   <dict> <name> <string> .putgstringcopy -
+@@ -1014,25 +965,6 @@ $error /SubstituteFont { } put
+   } executeonly ifelse
+ } .bind executeonly odef % must be bound and hidden for .forceput
+ 
+-% Attempt to load a font from a file.
+-/.tryloadfont {         % <fontname> .tryloadfont <font> true
+-                        % <fontname> .tryloadfont false
+-  dup .nametostring
+-                % Hack: check for the presence of the resource machinery.
+-  /.genericrfn where {
+-    pop
+-    pop dup .fonttempstring /FontResourceDir getsystemparam .genericrfn
+-    {//false .loadfontloop} .internalstopped {//false} if {
+-      //true
+-    } {
+-      dup .nametostring
+-      {//true .loadfontloop} .internalstopped {//false} if
+-    } ifelse
+-  } {
+-    {//true .loadfontloop} .internalstopped {//false} if
+-  } ifelse
+-} bind def
+-
+ /.loadfontloop {        % <fontname> <filename> <libflag> .loadfontloop
+                         %   <font> true
+                         % -or-
+@@ -1102,7 +1034,7 @@ $error /SubstituteFont { } put
+          } if
+ 
+                 % Check to make sure the font was actually loaded.
+-        dup 3 index .fontknownget
+        dup 3 index //.fontknownget exec
+          { dup /PathLoad 4 index .putgstringcopy
+            4 1 roll pop pop pop //true exit
+          } executeonly if
+@@ -1113,7 +1045,7 @@ $error /SubstituteFont { } put
+         exch dup      % Stack: origfontname fontdirectory path path
+         (r) file .findfontname
+          {            % Stack: origfontname fontdirectory path filefontname
+-           2 index 1 index .fontknownget
+           2 index 1 index //.fontknownget exec
+             {   % Yes.  Stack: origfontname fontdirectory path filefontname fontdict
+               dup 4 -1 roll /PathLoad exch .putgstringcopy
+                       % Stack: origfontname fontdirectory filefontname fontdict
+@@ -1136,7 +1068,7 @@ $error /SubstituteFont { } put
+                       % Stack: fontdict
+             } executeonly
+            if pop % Stack: origfontname fontdirectory path
+-         }
+         } executeonly
+         if pop pop  % Stack: origfontname
+ 
+                 % The font definitely did not load correctly.
+@@ -1150,7 +1082,87 @@ $error /SubstituteFont { } put
+ 
+  } bind executeonly odef % must be bound and hidden for .putgstringcopy
+ 
+-currentdict /.putgstringcopy .undef
+% Attempt to load a font from a file.
+/.tryloadfont {         % <fontname> .tryloadfont <font> true
+                        % <fontname> .tryloadfont false
+  dup //.nametostring exec
+                % Hack: check for the presence of the resource machinery.
+  /.genericrfn where {
+    pop
+    pop dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn
+    {//false .loadfontloop} .internalstopped {//false} if {
+      //true
+    } {
+      dup //.nametostring exec
+      {//true .loadfontloop} .internalstopped {//false} if
+    } ifelse
+  } {
+    {//true .loadfontloop} .internalstopped {//false} if
+  } ifelse
+} bind def
+
+% Try to find a font using only the present contents of Fontmap.
+/.tryfindfont {         % <fontname> .tryfindfont <font> true
+                        % <fontname> .tryfindfont false
+  //.FontDirectory 1 index //.fontknownget exec
+    {                   % Already loaded
+      exch pop //true
+    }
+    {
+       dup Fontmap exch .knownget
+       { //true //true }
+       {                % Unknown font name.  Look for a file with the
+                        % same name as the requested font.
+         dup //.tryloadfont exec
+         { exch pop //true //false }
+         {
+           % if we can't load by name check the native font map
+           dup .nativeFontmap exch .knownget
+           { //true //true }
+           { //false //false } ifelse
+         } ifelse
+       } ifelse
+
+       {                % Try each element of the Fontmap in turn.
+         pop
+         //false exch   % (in case we exhaust the list)
+                        % Stack: fontname false fontmaplist
+         { exch pop
+           dup type /nametype eq
+            {                   % Font alias
+              //.checkalias exec
+              .tryfindfont exit
+            }
+            { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and
+               {                % Font with a procedural definition
+                 exec           % The procedure will load the font.
+                                % Check to make sure this really happened.
+                 //.FontDirectory 1 index .knownget
+                  { exch pop //true exit }
+                 if
+               }
+               {                % Font file name
+                 //true .loadfontloop { //true exit } if
+               }
+              ifelse
+            }
+           ifelse //false
+         }
+         forall
+                        % Stack: font true -or- fontname false
+         { //true
+         }
+         {                      % None of the Fontmap entries worked.
+                                % Try loading a file with the same name
+                                % as the requested font.
+           //.tryloadfont exec
+         }
+        ifelse
+       }
+      if
+    }
+   ifelse
+ } bind def
+ 
+ % Define a procedure to load all known fonts.
+ % This isn't likely to be very useful.
+@@ -1192,9 +1204,9 @@ FAKEFONTS { exch } if pop def   % don't bind, .current/setglobal get redefined
+ /.loadinitialfonts
+  { NOFONTMAP not
+     { /FONTMAP where
+-          { pop [ FONTMAP .pathlist ]
+          { pop [ FONTMAP //.pathlist exec]
+              { dup VMDEBUG findlibfile
+-                { exch pop .loadFontmap }
+                { exch pop //.loadFontmap exec }
+                 { /undefinedfilename signalerror }
+                ifelse
+              }
+@@ -1208,7 +1220,7 @@ FAKEFONTS { exch } if pop def   % don't bind, .current/setglobal get redefined
+                    pop pop
+                    defaultfontmap_content { .definefontmap } forall
+                  } {
+-                   .loadFontmap
+                   //.loadFontmap exec
+                  } ifelse
+                } {
+                  pop pop
+@@ -1272,3 +1284,18 @@ FAKEFONTS { exch } if pop def   % don't bind, .current/setglobal get redefined
+  { .makemodifiedfont
+    dup /FontName get exch definefont pop
+  } bind def
+
+% Undef these, not needed outside this file
+[
+ % /.fonttempstring /.scannextfontdir - are also used in gs_res.ps, so are undefined there
+ % /.fontnameproperties - is used in pdf_font.ps
+ % /.scanfontheaders - used in gs_cff.ps, gs_ttf.ps
+ /.loadfontloop /.tryloadfont /.findfont /.pathlist /.loadFontmap /.lowerstring
+ /.splitfilename /.scanfontdict /.scanfontbegin
+ /.scanfontskip /.scan1fontstring
+ /.scan1fontfirst /.scanfontdir
+ /.setnativefontmapbuilt /.aliasfont
+ /.setloadingfont /.substitutefaces /.substituteproperties /.substitutefamilies
+ /.nametostring /.fontnamestring /.checkalias /.fontknownget /.stdsubstfont
+ /.putgstringcopy
+] {systemdict exch .forceundef} forall
+diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
+index d9b34599e7c2..fd7eaf953ae9 100644
+--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
+@@ -961,7 +961,7 @@ userdict /.localcsdefaults //false put
+     dup type /nametype eq { .namestring } if
+     dup type /stringtype ne { //false exit } if
+                 % Check the resource directory.
+-    dup .fonttempstring /FontResourceDir getsystemparam .genericrfn
+    dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn
+     status {
+       pop pop pop pop //true exit
+     } if
+@@ -969,7 +969,7 @@ userdict /.localcsdefaults //false put
+                 % as the font.
+     findlibfile { closefile //true exit } if
+                 % Scan a FONTPATH directory and try again.
+-    .scannextfontdir not { //false exit } if
+    //.scannextfontdir exec not { //false exit } if
+   } loop
+ } bind def
+ 
+@@ -1008,7 +1008,7 @@ currentdict /.fontstatusaux .undef
+         } ifelse
+ } bind executeonly
+ /ResourceForAll {
+-        { .scannextfontdir not { exit } if } loop
+        { //.scannextfontdir exec not { exit } if } loop
+         /Generic /Category findresource /ResourceForAll get exec
+ } bind executeonly
+ /.ResourceFileStatus {
+-- 
+2.20.1
+
--- a/package/ghostscript/0007-Remove-.forcedef-and-harden-.force-ops-more.patch
+++ b/package/ghostscript/0007-Remove-.forcedef-and-harden-.force-ops-more.patch
@@ -0,0 +1,345 @@
+From ba2336b3b1ca5cfe1e67dbe37a084c9644a65ac7 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 11 Jan 2019 13:36:36 +0000
+Subject: [PATCH] Remove .forcedef, and harden .force* ops more
+
+Remove .forcedef and replace all uses with a direct call to .forceput instead.
+
+Ensure every procedure (named and trasient) that calls .forceput is
+executeonly.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 49c8092da88e
+
+ Resource/Init/gs_dps1.ps  | 15 +++++++-----
+ Resource/Init/gs_init.ps  | 28 ++++++++-------------
+ Resource/Init/gs_lev2.ps  | 51 +++++++++++++++++++--------------------
+ Resource/Init/gs_ll3.ps   |  5 ++--
+ Resource/Init/gs_res.ps   | 29 +++++++++++-----------
+ Resource/Init/gs_statd.ps |  4 +--
+ 6 files changed, 63 insertions(+), 69 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index 8700c8cb304b..3d2cf7a1ad01 100644
+--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
+@@ -33,14 +33,17 @@ systemdict begin
+ 
+ /SharedFontDirectory .FontDirectory .gcheck
+  { .currentglobal //false .setglobal
+   currentdict
+    /LocalFontDirectory .FontDirectory dup maxlength dict copy
+-   .forcedef	% LocalFontDirectory is local, systemdict is global
+   .forceput	% LocalFontDirectory is local, systemdict is global
+    .setglobal .FontDirectory
+- }
+- { /LocalFontDirectory .FontDirectory
+-   .forcedef	% LocalFontDirectory is local, systemdict is global
+ } executeonly
+ {
+   currentdict
+   /LocalFontDirectory .FontDirectory
+   .forceput	% LocalFontDirectory is local, systemdict is global
+    50 dict
+- }
+ }executeonly
+ ifelse def
+ 
+ end				% systemdict
+@@ -55,7 +58,7 @@ level2dict begin
+     { //SharedFontDirectory }
+     { /LocalFontDirectory .systemvar }	% can't embed ref to local VM
+    ifelse .forceput pop	% LocalFontDirectory is local, systemdict is global
+- } .bind odef
+ } .bind executeonly odef
+ % Don't just copy (load) the definition of .setglobal:
+ % it gets redefined for LL3.
+ /setshared { /.setglobal .systemvar exec } odef
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index d9a0829f7f97..45bebf479bae 100644
+--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
+@@ -54,7 +54,7 @@ systemdict exch
+    dup /userdict
+    currentdict dup 200 .setmaxlength		% userdict
+    .forceput			% userdict is local, systemdict is global
+- }
+ } executeonly
+ if begin
+ 
+ % Define dummy local/global operators if needed.
+@@ -299,13 +299,6 @@ QUIET not { printgreeting flush } if
+   1 index exch .makeoperator def
+ } .bind def
+ 
+-% Define a special version of def for storing local objects into global
+-% dictionaries.  Like .forceput, this exists only during initialization.
+-/.forcedef {		% <key> <value> .forcedef -
+-  1 .argindex pop	% check # of args
+-  currentdict 3 1 roll .forceput
+-} .bind odef
+-
+ % Define procedures for accessing variables in systemdict and userdict
+ % regardless of the contents of the dictionary stack.
+ /.systemvar {		% <name> .systemvar <value>
+@@ -347,7 +340,7 @@ DELAYBIND
+        }
+       ifelse
+     } .bind def
+-} if
+} executeonly if
+ 
+ %**************** BACKWARD COMPATIBILITY ****************
+ /hwsizedict mark /HWSize //null .dicttomark readonly def
+@@ -655,7 +648,7 @@ currentdict /.typenames .undef
+       /ifelse .systemvar
+     ] cvx executeonly
+   exch .setglobal
+-} odef
+} executeonly odef
+ systemdict /internaldict dup .makeinternaldict .makeoperator
+ .forceput		% proc is local, systemdict is global
+ 
+@@ -1093,7 +1086,7 @@ def
+ 
+ % Define $error.  This must be in local VM.
+ .currentglobal //false .setglobal
+-/$error 40 dict .forcedef	% $error is local, systemdict is global
+currentdict /$error 40 dict .forceput	% $error is local, systemdict is global
+                 % newerror, errorname, command, errorinfo,
+                 % ostack, estack, dstack, recordstacks,
+                 % binary, globalmode,
+@@ -1112,8 +1105,8 @@ end
+ % Define errordict similarly.  It has one entry per error name,
+ %   plus handleerror.  However, some astonishingly badly written PostScript
+ %   files require it to have at least one empty slot.
+-/errordict ErrorNames length 3 add dict
+-.forcedef		% errordict is local, systemdict is global
+currentdict /errordict ErrorNames length 3 add dict
+.forceput		% errordict is local, systemdict is global
+ .setglobal		% back to global VM
+ %  gserrordict contains all the default error handling methods, but unlike
+ %  errordict it is noaccess after creation (also it is in global VM).
+@@ -1273,8 +1266,9 @@ end
+ (END PROCS) VMDEBUG
+ 
+ % Define the font directory.
+currentdict
+ /FontDirectory //false .setglobal 100 dict //true .setglobal
+-.forcedef		% FontDirectory is local, systemdict is global
+.forceput		% FontDirectory is local, systemdict is global
+ 
+ % Define the encoding dictionary.
+ /EncodingDirectory 16 dict def	% enough for Level 2 + PDF standard encodings
+@@ -2333,7 +2327,6 @@ SAFER { .setsafeglobal } if
+   //systemdict /UndefinePostScriptOperators get exec
+   //systemdict /UndefinePDFOperators get exec
+   //systemdict /.forcecopynew .forceundef	% remove temptation
+-  //systemdict /.forcedef .forceundef		% ditto
+   //systemdict /.forceput .forceundef		% ditto
+   //systemdict /.undef .forceundef		    % ditto
+   //systemdict /.forceundef .forceundef		% ditto
+@@ -2368,9 +2361,9 @@ SAFER { .setsafeglobal } if
+         % (and, if implemented, context switching).
+   .currentglobal //false .setglobal
+      mark userparams { } forall .dicttomark readonly
+-     /userparams exch .forcedef		% systemdict is read-only
+     currentdict exch /userparams exch .forceput		% systemdict is read-only
+   .setglobal
+-} if
+} executeonly if
+ /.currentsystemparams where {
+   pop
+         % Remove real system params from pssystemparams.
+@@ -2458,7 +2451,6 @@ end
+ DELAYBIND not {
+   systemdict /.bindnow .undef       % We only need this for DELAYBIND
+   systemdict /.forcecopynew .undef	% remove temptation
+-  systemdict /.forcedef .undef		% ditto
+   systemdict /.forceput .undef		% ditto
+   systemdict /.forceundef .undef	% ditto
+ } if
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 0f0d57331c23..9c0c3a6fc485 100644
+--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
+@@ -304,31 +304,30 @@ end
+     psuserparams exch /.checkFilePermitparams load put
+   .setglobal
+ 
+-pssystemparams begin
+-  /CurDisplayList 0 .forcedef
+-  /CurFormCache 0 .forcedef
+-  /CurInputDevice () .forcedef
+-  /CurOutlineCache 0 .forcedef
+-  /CurOutputDevice () .forcedef
+-  /CurPatternCache 0 .forcedef
+-  /CurUPathCache 0 .forcedef
+-  /CurScreenStorage 0 .forcedef
+-  /CurSourceList 0 .forcedef
+-  /DoPrintErrors //false .forcedef
+-  /JobTimeout 0 .forcedef
+-  /LicenseID (LN-001) .forcedef     % bogus
+-  /MaxDisplayList 140000 .forcedef
+-  /MaxFormCache 100000 .forcedef
+-  /MaxImageBuffer 524288 .forcedef
+-  /MaxOutlineCache 65000 .forcedef
+-  /MaxPatternCache 100000 .forcedef
+-  /MaxUPathCache 300000 .forcedef
+-  /MaxScreenStorage 84000 .forcedef
+-  /MaxSourceList 25000 .forcedef
+-  /PrinterName product .forcedef
+-  /RamSize 4194304 .forcedef
+-  /WaitTimeout 40 .forcedef
+-end
+pssystemparams
+dup /CurDisplayList 0 .forceput
+dup /CurFormCache 0 .forceput
+dup /CurInputDevice () .forceput
+dup /CurOutlineCache 0 .forceput
+dup /CurOutputDevice () .forceput
+dup /CurPatternCache 0 .forceput
+dup /CurUPathCache 0 .forceput
+dup /CurScreenStorage 0 .forceput
+dup /CurSourceList 0 .forceput
+dup /DoPrintErrors //false .forceput
+dup /JobTimeout 0 .forceput
+dup /LicenseID (LN-001) .forceput     % bogus
+dup /MaxDisplayList 140000 .forceput
+dup /MaxFormCache 100000 .forceput
+dup /MaxImageBuffer 524288 .forceput
+dup /MaxOutlineCache 65000 .forceput
+dup /MaxPatternCache 100000 .forceput
+dup /MaxUPathCache 300000 .forceput
+dup /MaxScreenStorage 84000 .forceput
+dup /MaxSourceList 25000 .forceput
+dup /PrinterName product .forceput
+dup /RamSize 4194304 .forceput
+    /WaitTimeout 40 .forceput
+ 
+ % Define the procedures for handling comment scanning.  The names
+ % %ProcessComment and %ProcessDSCComment are known to the interpreter.
+@@ -710,7 +709,7 @@ pop		% currentsystemparams
+ /statusdict currentdict def
+ 
+ currentdict end
+-/statusdict exch .forcedef	% statusdict is local, systemdict is global
+currentdict exch /statusdict exch .forceput	% statusdict is local, systemdict is global
+ 
+ % The following compatibility operators are in systemdict.  They are
+ % defined here, rather than in gs_init.ps, because they require the
+diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
+index c86721f39fc0..881af44e9fd2 100644
+--- a/Resource/Init/gs_ll3.ps
+++ b/Resource/Init/gs_ll3.ps
+@@ -521,9 +521,8 @@ end
+ % Define additional user and system parameters.
+ /HalftoneMode 0 .definepsuserparam
+ /MaxSuperScreen 1016 .definepsuserparam
+-pssystemparams begin		% read-only, so use .forcedef
+-  /MaxDisplayAndSourceList 160000 .forcedef
+-end
+% read-only, so use .forceput
+pssystemparams  /MaxDisplayAndSourceList 160000 .forceput
+ 
+ % Define the IdiomSet resource category.
+ { /IdiomSet } {
+diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
+index fd7eaf953ae9..0b4e0514b2a1 100644
+--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
+@@ -41,10 +41,10 @@ level2dict begin
+ % However, Ed Taft of Adobe says their interpreters don't implement this
+ % either, so we aren't going to worry about it for a while.
+ 
+-currentglobal //false setglobal systemdict begin
+-  /localinstancedict 5 dict
+-  .forcedef	% localinstancedict is local, systemdict is global
+-end //true setglobal
+currentglobal //false setglobal
+  systemdict /localinstancedict 5 dict
+  .forceput	% localinstancedict is local, systemdict is global
+//true setglobal
+ /.emptydict 0 dict readonly def
+ setglobal
+ 
+@@ -149,7 +149,7 @@ setglobal
+           dup [ exch 0 -1 ] exch
+           .Instances 4 2 roll put
+                 % Make the Category dictionary read-only.  We will have to
+-                % use .forceput / .forcedef later to replace the dummy,
+                % use .forceput / .forceput later to replace the dummy,
+                 % empty .Instances dictionary with the real one later.
+           readonly
+         }{
+@@ -304,7 +304,8 @@ systemdict begin
+      dup () ne {
+      .file_name_directory_separator concatstrings
+     } if
+-    2 index exch //false .file_name_combine not {
+    2 index exch //false
+    .file_name_combine not {
+       (Error: .default_resource_dir returned ) print exch print ( that can't combine with ) print =
+       /.default_resource_dir cvx /configurationerror signalerror
+     } if
+@@ -317,14 +318,14 @@ currentdict /pssystemparams known not {
+ pssystemparams begin
+   .default_resource_dir
+   /FontResourceDir (Font) .resource_dir_name
+-     readonly .forcedef	% pssys'params is r-o
+     readonly currentdict 3 1 roll .forceput	% pssys'params is r-o
+   /GenericResourceDir () .resource_dir_name
+-     readonly .forcedef	% pssys'params is r-o
+     readonly currentdict 3 1 roll .forceput	% pssys'params is r-o
+   pop % .default_resource_dir
+   /GenericResourcePathSep
+-        .file_name_separator readonly .forcedef		% pssys'params is r-o
+-  (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forcedef	% pssys'params is r-o
+-  (%diskGenericResourceDir) cvn (/Resource/) readonly .forcedef	% pssys'params is r-o
+        .file_name_separator readonly currentdict 3 1 roll .forceput		% pssys'params is r-o
+  currentdict (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forceput	% pssys'params is r-o
+  currentdict (%diskGenericResourceDir) cvn (/Resource/) readonly .forceput	% pssys'params is r-o
+ end
+ end
+ 
+@@ -422,8 +423,8 @@ status {
+                 .Instances dup //.emptydict eq {
+                   pop 3 dict
+                         % As noted above, Category dictionaries are read-only,
+-                        % so we have to use .forcedef here.
+-                  /.Instances 1 index .forcedef	% Category dict is read-only
+                        % so we have to use .forceput here.
+                  currentdict /.Instances 2 index .forceput	% Category dict is read-only
+                 } executeonly if
+               }
+               { .LocalInstances dup //.emptydict eq
+@@ -441,7 +442,7 @@ status {
+            { /defineresource cvx /typecheck signaloperror
+            }
+         ifelse
+-} .bind executeonly .makeoperator		% executeonly to prevent access to .forcedef
+} .bind executeonly .makeoperator		% executeonly to prevent access to .forceput
+ /UndefineResource
+         {  { dup 2 index .knownget
+               { dup 1 get 1 ge
+diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps
+index 20d4c96c4f8f..b6a76590dd09 100644
+--- a/Resource/Init/gs_statd.ps
+++ b/Resource/Init/gs_statd.ps
+@@ -21,10 +21,10 @@ systemdict begin
+         % We make statusdict a little larger for Level 2 stuff.
+         % Note that it must be allocated in local VM.
+  .currentglobal //false .setglobal
+- /statusdict 91 dict .forcedef		% statusdict is local, sys'dict global
+ currentdict /statusdict 91 dict .forceput		% statusdict is local, sys'dict global
+         % To support the Level 2 job control features,
+         % serverdict must also be in local VM.
+- /serverdict 10 dict .forcedef		% serverdict is local, sys'dict global
+ currentdict /serverdict 10 dict .forceput		% serverdict is local, sys'dict global
+  .setglobal
+ end
+ 
+-- 
+2.20.1
+
--- a/package/glibc/glibc-2.28-50-gb8dd0f42780a3133c02f064a2c0c5c4e7ab61aaa/0001-sysdeps-ieee754-soft-fp-ignore-maybe-uninitialized-w.patch
+++ b/package/glibc/glibc-2.28-50-gb8dd0f42780a3133c02f064a2c0c5c4e7ab61aaa/0001-sysdeps-ieee754-soft-fp-ignore-maybe-uninitialized-w.patch
@@ -1,88 +0,0 @@
-From 4a06ceea33ecc220bbfe264d8f1e74de2f04e90d Mon Sep 17 00:00:00 2001
-From: Martin Jansa <Martin.Jansa@gmail.com>
-Date: Tue, 2 Oct 2018 15:38:43 +0000
-Subject: [PATCH] sysdeps/ieee754/soft-fp: ignore maybe-uninitialized with -O
- [BZ #19444]
-
-* with -O, -O1, -Os it fails with:
-
-In file included from ../soft-fp/soft-fp.h:318,
-                 from ../sysdeps/ieee754/soft-fp/s_fdiv.c:28:
-../sysdeps/ieee754/soft-fp/s_fdiv.c: In function '__fdiv':
-../soft-fp/op-2.h:98:25: error: 'R_f1' may be used uninitialized in this function [-Werror=maybe-uninitialized]
-        X##_f0 = (X##_f1 << (_FP_W_TYPE_SIZE - (N)) | X##_f0 >> (N) \
-                         ^~
-../sysdeps/ieee754/soft-fp/s_fdiv.c:38:14: note: 'R_f1' was declared here
-   FP_DECL_D (R);
-              ^
-../soft-fp/op-2.h:37:36: note: in definition of macro '_FP_FRAC_DECL_2'
-   _FP_W_TYPE X##_f0 _FP_ZERO_INIT, X##_f1 _FP_ZERO_INIT
-                                    ^
-../soft-fp/double.h:95:24: note: in expansion of macro '_FP_DECL'
- # define FP_DECL_D(X)  _FP_DECL (2, X)
-                        ^~~~~~~~
-../sysdeps/ieee754/soft-fp/s_fdiv.c:38:3: note: in expansion of macro 'FP_DECL_D'
-   FP_DECL_D (R);
-   ^~~~~~~~~
-../soft-fp/op-2.h:101:17: error: 'R_f0' may be used uninitialized in this function [-Werror=maybe-uninitialized]
-       : (X##_f0 << (_FP_W_TYPE_SIZE - (N))) != 0)); \
-                 ^~
-../sysdeps/ieee754/soft-fp/s_fdiv.c:38:14: note: 'R_f0' was declared here
-   FP_DECL_D (R);
-              ^
-../soft-fp/op-2.h:37:14: note: in definition of macro '_FP_FRAC_DECL_2'
-   _FP_W_TYPE X##_f0 _FP_ZERO_INIT, X##_f1 _FP_ZERO_INIT
-              ^
-../soft-fp/double.h:95:24: note: in expansion of macro '_FP_DECL'
- # define FP_DECL_D(X)  _FP_DECL (2, X)
-                        ^~~~~~~~
-../sysdeps/ieee754/soft-fp/s_fdiv.c:38:3: note: in expansion of macro 'FP_DECL_D'
-   FP_DECL_D (R);
-   ^~~~~~~~~
-
-Build tested with Yocto for ARM, AARCH64, X86, X86_64, PPC, MIPS, MIPS64
-with -O, -O1, -Os.
-For AARCH64 it needs one more fix in locale for -Os.
-
-	[BZ #19444]
-	* sysdeps/ieee754/soft-fp/s_fdiv.c: Include <libc-diag.h> and use
-	DIAG_PUSH_NEEDS_COMMENT, DIAG_IGNORE_NEEDS_COMMENT and
-	DIAG_POP_NEEDS_COMMENT to disable -Wmaybe-uninitialized.
-
-
-Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
- sysdeps/ieee754/soft-fp/s_fdiv.c | 12 ++++++++++++
- 1 files changed, 12 insertions(+)
-
-diff --git a/sysdeps/ieee754/soft-fp/s_fdiv.c b/sysdeps/ieee754/soft-fp/s_fdiv.c
-index 341339f5ed..7a15cbeee6 100644
--- a/sysdeps/ieee754/soft-fp/s_fdiv.c
-+++ b/sysdeps/ieee754/soft-fp/s_fdiv.c
-@@ -25,6 +25,16 @@
- #undef fdivl
- 
- #include <math-narrow.h>
-+#include <libc-diag.h>
-+
-+/* R_f[01] are not set in cases where they are not used in packing,
-+   but the compiler does not see that they are set in all cases where
-+   they are used, resulting in warnings that they may be used
-+   uninitialized.  The location of the warning differs in different
-+   versions of GCC, it may be where R is defined using a macro or it
-+   may be where the macro is defined.  This happens only with -O1.  */
-+DIAG_PUSH_NEEDS_COMMENT;
-+DIAG_IGNORE_NEEDS_COMMENT (8, "-Wmaybe-uninitialized");
- #include <soft-fp.h>
- #include <single.h>
- #include <double.h>
-@@ -53,4 +63,6 @@ __fdiv (double x, double y)
-   CHECK_NARROW_DIV (ret, x, y);
-   return ret;
- }
-+DIAG_POP_NEEDS_COMMENT;
-+
- libm_alias_float_double (div)
-- 
-2.17.0
-
--- a/package/glibc/glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1/glibc.hash
+++ b/package/glibc/glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  b070f746f932cfce107bb9be2d59ded5b44b25ddafb480c9110c52b88cc2dec1  glibc-glibc-2.28-50-gb8dd0f42780a3133c02f064a2c0c5c4e7ab61aaa.tar.gz
+sha256  ebf04c7b00153d6df8beceec0666d4b13e1ac613b40d5774d1b8c6f61c1686e6  glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1.tar.gz

 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -10,7 +10,7 @@ GLIBC_SITE = $(call github,foss-for-synopsys-dwc-arc-processors,glibc,$(GLIBC_VE
 else
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master
-GLIBC_VERSION = glibc-2.28-50-gb8dd0f42780a3133c02f064a2c0c5c4e7ab61aaa
+GLIBC_VERSION = glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
--- a/package/gnuchess/gnuchess.hash
+++ b/package/gnuchess/gnuchess.hash
@@ -1,2 +1,3 @@
 # sha256 locally computed
 sha256 3c425c0264f253fc5cc2ba969abe667d77703c728770bd4b23c456cbe5e082ef  gnuchess-6.2.4.tar.gz
+sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
--- a/package/gnuchess/gnuchess.mk
+++ b/package/gnuchess/gnuchess.mk
@@ -6,7 +6,7 @@

 GNUCHESS_VERSION = 6.2.4
 GNUCHESS_SITE = $(BR2_GNU_MIRROR)/chess
-GNUCHESS_LICENSE = GPL-2.0+
+GNUCHESS_LICENSE = GPL-3.0+
 GNUCHESS_LICENSE_FILES = COPYING

 GNUCHESS_DEPENDENCIES = host-flex flex
--- a/package/gnupg2/gnupg2.hash
+++ b/package/gnupg2/gnupg2.hash
@@ -1,7 +1,7 @@
-# From https://lists.gnupg.org/pipermail/gnupg-announce/2018q3/000428.html
-sha1 3e87504e2ca317718aa9b6299947ebf7e906b54e  gnupg-2.2.10.tar.bz2
+# From https://lists.gnupg.org/pipermail/gnupg-announce/2018q4/000433.html
+sha1 2aeccc35ea8034306ff7a1072b84abbaa79619c3  gnupg-2.2.12.tar.bz2
 # Calculated based on the hash above and signature
-# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.10.tar.bz2.sig
+# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.12.tar.bz2.sig
 # using key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
-sha256 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915  gnupg-2.2.10.tar.bz2
+sha256 db030f8b4c98640e91300d36d516f1f4f8fe09514a94ea9fc7411ee1a34082cb  gnupg-2.2.12.tar.bz2
 sha256 bc2d6664f6276fa0a72d57633b3ae68dc7dcb677b71018bf08c8e93e509f1357  COPYING
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GNUPG2_VERSION = 2.2.10
+GNUPG2_VERSION = 2.2.12
 GNUPG2_SOURCE = gnupg-$(GNUPG2_VERSION).tar.bz2
 GNUPG2_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG2_LICENSE = GPL-3.0+
--- a/package/gnuradio/gnuradio.mk
+++ b/package/gnuradio/gnuradio.mk
@@ -25,7 +25,8 @@ endif
 GNURADIO_CONF_OPTS = \
 	-DENABLE_DEFAULT=OFF \
 	-DENABLE_VOLK=ON \
-	-DENABLE_GNURADIO_RUNTIME=ON
+	-DENABLE_GNURADIO_RUNTIME=ON \
+	-DXMLTO_EXECUTABLE=NOTFOUND

 # For third-party blocks, the gnuradio libraries are mandatory at
 # compile time.
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -95,4 +95,11 @@ else
 GNUTLS_CONF_OPTS += --without-zlib
 endif

+# Provide a default CA cert location
+ifeq ($(BR2_PACKAGE_P11_KIT),y)
+GNUTLS_CONF_OPTS += --with-default-trust-store-pkcs11=pkcs11:model=p11-kit-trust
+else ifeq ($(BR2_PACKAGE_CA_CERTIFICATES),y)
+GNUTLS_CONF_OPTS += --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
+endif
+
 $(eval $(autotools-package))
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
 # From https://golang.org/dl/
-sha256	042fba357210816160341f1002440550e952eb12678f7c9e7e9d389437942550  go1.11.2.src.tar.gz
+sha256	bc1ef02bb1668835db1390a2e478dcbccb5dd16911691af9d75184bbe5aa943e  go1.11.5.src.tar.gz
 sha256	2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GO_VERSION = 1.11.2
+GO_VERSION = 1.11.5
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz

--- a/package/imagemagick/Config.in
+++ b/package/imagemagick/Config.in
@@ -9,8 +9,8 @@ config BR2_PACKAGE_IMAGEMAGICK
 	  JPEG, JPEG-2000, PDF, PhotoCD, PNG, Postscript, SVG, and TIFF.
 	  Use ImageMagick to translate, flip, mirror, rotate, scale,
 	  shear and transform images, adjust image colors, apply various
-	  special effects, or draw text,
-	  lines, polygons, ellipses and Bézier curves.
+	  special effects, or draw text, lines, polygons, ellipses and
+	  Bézier curves.

 	  http://www.imagemagick.org/

--- a/package/jpeg-turbo/0001-fix-install-of-binaries-with-a-static-only-library.patch
+++ b/package/jpeg-turbo/0001-fix-install-of-binaries-with-a-static-only-library.patch
@@ -1,42 +0,0 @@
-From f8c7732e24502c06739944f9a721c9d84a50319d Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sun, 26 Aug 2018 19:11:55 +0200
-Subject: [PATCH] fix install of binaries with a static only library
-
-Define CMAKE_INSTALL_RPATH only if ENABLE_SHARED is set otherwise the
-following error is raised:
-
-CMake Error at cmake_install.cmake:73 (file):
-  file RPATH_CHANGE could not write new RPATH:
-
-    /usr/lib
-
-  to the file:
-
-    /home/fabrice/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/bin/rdjpgcom
-
-  No valid ELF RPATH or RUNPATH entry exists in the file;
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/libjpeg-turbo/libjpeg-turbo/pull/273]
---
- CMakeLists.txt | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 1719522..862ab11 100644
--- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -109,7 +109,9 @@ endif()
- 
- include(cmakescripts/GNUInstallDirs.cmake)
- 
-+if(ENABLE_SHARED)
- set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
-+endif()
- 
- macro(report_directory var)
-   if(CMAKE_INSTALL_${var} STREQUAL CMAKE_INSTALL_FULL_${var})
-- 
-2.14.1
-
--- a/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
+++ b/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
@@ -0,0 +1,51 @@
+From 3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 18:57:36 -0600
+Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
+
+Fixes #304
+
+[baruch: drop the ChangeLog.md hunk]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 3d9c64e9f8aa
+
+ ChangeLog.md | 4 ++++
+ turbojpeg.c  | 9 ++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/turbojpeg.c b/turbojpeg.c
+index 90a9ce6a0be8..3f7cd640677f 100644
+--- a/turbojpeg.c
+++ b/turbojpeg.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C)2009-2018 D. R. Commander.  All Rights Reserved.
+ * Copyright (C)2009-2019 D. R. Commander.  All Rights Reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions are met:
+@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+                                      int align, int *height, int *pixelFormat,
+                                      int flags)
+ {
+-  int retval = 0, tempc, pitch;
+  int retval = 0, tempc;
+  size_t pitch;
+   tjhandle handle = NULL;
+   tjinstance *this;
+   j_compress_ptr cinfo = NULL;
+@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+   *pixelFormat = cs2pf[cinfo->in_color_space];
+ 
+   pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
+-  if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+  if ((unsigned long long)pitch * (unsigned long long)(*height) >
+      (unsigned long long)((size_t)-1) ||
+      (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+     _throwg("tjLoadImage(): Memory allocation failure");
+ 
+   if (setjmp(this->jerr.setjmp_buffer)) {
+-- 
+2.20.1
+
--- a/package/jpeg-turbo/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch
+++ b/package/jpeg-turbo/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch
@@ -0,0 +1,39 @@
+From f8cca819a4fb42aafa5f70df43c45e8c416d716f Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 20:32:40 -0600
+Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS
+
+If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
+set cinfo->output_components to 1, and if cinfo->out_color_space is not
+RGB (or extended RGB), hilarity will ensue.
+
+Fixes #305
+
+[baruch: drop the ChangeLog.md hunk]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit f8cca819a4
+
+ ChangeLog.md | 4 ++++
+ wrbmp.c      | 5 +++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/wrbmp.c b/wrbmp.c
+index 4bf81426b0ef..239f64eb3c3f 100644
+--- a/wrbmp.c
+++ b/wrbmp.c
+@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
+       dest->pub.put_pixel_rows = put_gray_rows;
+     else
+       dest->pub.put_pixel_rows = put_pixel_rows;
+-  } else if (cinfo->out_color_space == JCS_RGB565 ||
+-             cinfo->out_color_space == JCS_CMYK) {
+  } else if (!cinfo->quantize_colors &&
+             (cinfo->out_color_space == JCS_RGB565 ||
+              cinfo->out_color_space == JCS_CMYK)) {
+     dest->pub.put_pixel_rows = put_pixel_rows;
+   } else {
+     ERREXIT(cinfo, JERR_BMP_COLORSPACE);
+-- 
+2.20.1
+
--- a/package/jpeg-turbo/jpeg-turbo.hash
+++ b/package/jpeg-turbo/jpeg-turbo.hash
@@ -1,7 +1,7 @@
-# From https://sourceforge.net/projects/libjpeg-turbo/files/2.0.0/
-sha1 fe49aea935617748c21ecbe46c986d6c1b98f39b  libjpeg-turbo-2.0.0.tar.gz
-md5 b12a3fcf1d078db38410f27718a91b83  libjpeg-turbo-2.0.0.tar.gz
+# From https://sourceforge.net/projects/libjpeg-turbo/files/2.0.1/
+sha1 7ea4a288bccbb5a2d5bfad5fb328d4a839853f4e  libjpeg-turbo-2.0.1.tar.gz
+md5 1b05a66aa9b006fd04ed29f408e68f46  libjpeg-turbo-2.0.1.tar.gz
 # Locally computed
-sha256 778876105d0d316203c928fd2a0374c8c01f755d0a00b12a1c8934aeccff8868  libjpeg-turbo-2.0.0.tar.gz
+sha256 e5f86cec31df1d39596e0cca619ab1b01f99025a27dafdfc97a30f3a12f866ff  libjpeg-turbo-2.0.1.tar.gz
 sha256 8412238c5ad95965cf3c3197791e9dea8b5fae505d133449e33ee2fa754fe61e  LICENSE.md
 sha256 82fece2bff2669c476495f0fe70096b154e8bc5b40916a64e99836d9a01c3110  README.ijg
--- a/package/jpeg-turbo/jpeg-turbo.mk
+++ b/package/jpeg-turbo/jpeg-turbo.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-JPEG_TURBO_VERSION = 2.0.0
+JPEG_TURBO_VERSION = 2.0.1
 JPEG_TURBO_SOURCE = libjpeg-turbo-$(JPEG_TURBO_VERSION).tar.gz
 JPEG_TURBO_SITE = https://downloads.sourceforge.net/project/libjpeg-turbo/$(JPEG_TURBO_VERSION)
 JPEG_TURBO_LICENSE = IJG (libjpeg), BSD-3-Clause (TurboJPEG), Zlib (SIMD)
--- a/package/leveldb/0003-fix-parallel-build.patch
+++ b/package/leveldb/0003-fix-parallel-build.patch
@@ -1,36 +0,0 @@
-From 293e1b08317567b2e479d24530986676ae4d2221 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Mon, 8 Oct 2018 23:08:19 +0200
-Subject: [PATCH] fix parallel build
-
-Build of leveldb sometimes fails on:
-Fatal error: can't create out-shared/db/db_bench.o: No such file or directory
-
-Fix this, by creating $(SHARED_OUTDIR) before building
-(SHARED_OUTDIR)/db/db_bench.o
-
-Fixes:
- - http://autobuild.buildroot.net/results/945bb8096c1f98f307161a6def5a9f7f25b2454a
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: not upstreamable as upstream switched to cmake]
---
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index f7cc7d7..edb56a5 100644
--- a/Makefile
-+++ b/Makefile
-@@ -386,7 +386,7 @@ $(STATIC_OUTDIR)/write_batch_test:db/write_batch_test.cc $(STATIC_LIBOBJECTS) $(
- $(STATIC_OUTDIR)/memenv_test:$(STATIC_OUTDIR)/helpers/memenv/memenv_test.o $(STATIC_OUTDIR)/libmemenv.a $(STATIC_OUTDIR)/libleveldb.a $(TESTHARNESS)
- 	$(XCRUN) $(CXX) $(LDFLAGS) $(STATIC_OUTDIR)/helpers/memenv/memenv_test.o $(STATIC_OUTDIR)/libmemenv.a $(STATIC_OUTDIR)/libleveldb.a $(TESTHARNESS) -o $@ $(LIBS)
- 
-$(SHARED_OUTDIR)/db_bench:$(SHARED_OUTDIR)/db/db_bench.o $(SHARED_LIBS) $(TESTUTIL)
-+$(SHARED_OUTDIR)/db_bench:$(SHARED_OUTDIR) $(SHARED_OUTDIR)/db/db_bench.o $(SHARED_LIBS) $(TESTUTIL)
- 	$(XCRUN) $(CXX) $(LDFLAGS) $(CXXFLAGS) $(PLATFORM_SHARED_CFLAGS) $(SHARED_OUTDIR)/db/db_bench.o $(TESTUTIL) $(SHARED_OUTDIR)/$(SHARED_LIB3) -o $@ $(LIBS)
- 
- .PHONY: run-shared
-- 
-2.17.1
-
--- a/package/leveldb/leveldb.mk
+++ b/package/leveldb/leveldb.mk
@@ -17,18 +17,18 @@ LEVELDB_MAKE_ARGS += SHARED_LIBS= SHARED_PROGRAMS=
 endif

 define LEVELDB_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) \
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE1) \
 		$(LEVELDB_MAKE_ARGS) -C $(@D)
 endef

 define LEVELDB_INSTALL_STAGING_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) \
+	$(TARGET_MAKE_ENV) $(MAKE1) \
 		INSTALL_ROOT=$(STAGING_DIR) INSTALL_PREFIX=/usr \
 		$(LEVELDB_MAKE_ARGS) -C $(@D) install
 endef

 define LEVELDB_INSTALL_TARGET_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) \
+	$(TARGET_MAKE_ENV) $(MAKE1) \
 		INSTALL_ROOT=$(TARGET_DIR) INSTALL_PREFIX=/usr \
 		$(LEVELDB_MAKE_ARGS) -C $(@D) install
 endef
--- a/package/libarchive/0001-Avoid-a-double-free-when-a-window-size-of-0-is-speci.patch
+++ b/package/libarchive/0001-Avoid-a-double-free-when-a-window-size-of-0-is-speci.patch
@@ -0,0 +1,40 @@
+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 20 Nov 2018 17:56:29 +1100
+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
+
+new_size can be 0 with a malicious or corrupted RAR archive.
+
+realloc(area, 0) is equivalent to free(area), so the region would
+be free()d here and the free()d again in the cleanup function.
+
+Found with a setup running AFL, afl-rb, and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+[for import into Buildroot]
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+Upstream-status: backport
+
+CVE-2018-1000877
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 23452222..6f419c27 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)
+       new_size = DICTIONARY_MAX_SIZE;
+     else
+       new_size = rar_fls((unsigned int)rar->unp_size) << 1;
+    if (new_size == 0) {
+      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                        "Zero window size is invalid.");
+      return (ARCHIVE_FATAL);
+    }
+     new_window = realloc(rar->lzss.window, new_size);
+     if (new_window == NULL) {
+       archive_set_error(&a->archive, ENOMEM,
+-- 
+2.19.2
+
--- a/package/libarchive/0002-rar-file-split-across-multi-part-archives-must-match.patch
+++ b/package/libarchive/0002-rar-file-split-across-multi-part-archives-must-match.patch
@@ -0,0 +1,81 @@
+From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 00:55:22 +1100
+Subject: [PATCH] rar: file split across multi-part archives must match
+
+Fuzzing uncovered some UAF and memory overrun bugs where a file in a
+single file archive reported that it was split across multiple
+volumes. This was caused by ppmd7 operations calling
+rar_br_fillup. This would invoke rar_read_ahead, which would in some
+situations invoke archive_read_format_rar_read_header.  That would
+check the new file name against the old file name, and if they didn't
+match up it would free the ppmd7 buffer and allocate a new
+one. However, because the ppmd7 decoder wasn't actually done with the
+buffer, it would continue to used the freed buffer. Both reads and
+writes to the freed region can be observed.
+
+This is quite tricky to solve: once the buffer has been freed it is
+too late, as the ppmd7 decoder functions almost universally assume
+success - there's no way for ppmd_read to signal error, nor are there
+good ways for functions like Range_Normalise to propagate them. So we
+can't detect after the fact that we're in an invalid state - e.g. by
+checking rar->cursor, we have to prevent ourselves from ever ending up
+there. So, when we are in the dangerous part or rar_read_ahead that
+assumes a valid split, we set a flag force read_header to either go
+down the path for split files or bail. This means that the ppmd7
+decoder keeps a valid buffer and just runs out of data.
+
+Found with a combination of AFL, afl-rb and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+[for import into Buildroot]
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+Upstream-status: backport
+
+CVE-2018-1000878
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 6f419c27..a8cc5c94 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -258,6 +258,7 @@ struct rar
+   struct data_block_offsets *dbo;
+   unsigned int cursor;
+   unsigned int nodes;
+  char filename_must_match;
+ 
+   /* LZSS members */
+   struct huffman_code maincode;
+@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+     }
+     return ret;
+   }
+  else if (rar->filename_must_match)
+  {
+    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+      "Mismatch of file parts split across multi-volume archive");
+    return (ARCHIVE_FATAL);
+  }
+ 
+   rar->filename_save = (char*)realloc(rar->filename_save,
+                                       filename_size + 1);
+@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail)
+     else if (*avail == 0 && rar->main_flags & MHD_VOLUME &&
+       rar->file_flags & FHD_SPLIT_AFTER)
+     {
+      rar->filename_must_match = 1;
+       ret = archive_read_format_rar_read_header(a, a->entry);
+       if (ret == (ARCHIVE_EOF))
+       {
+         rar->has_endarc_header = 1;
+         ret = archive_read_format_rar_read_header(a, a->entry);
+       }
+      rar->filename_must_match = 0;
+       if (ret != (ARCHIVE_OK))
+         return NULL;
+       return rar_read_ahead(a, min, avail);
+-- 
+2.19.2
+
--- a/package/libarchive/0003-Skip-0-length-ACL-fields.patch
+++ b/package/libarchive/0003-Skip-0-length-ACL-fields.patch
@@ -0,0 +1,52 @@
+From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 14:29:42 +1100
+Subject: [PATCH] Skip 0-length ACL fields
+
+Currently, it is possible to create an archive that crashes bsdtar
+with a malformed ACL:
+
+Program received signal SIGSEGV, Segmentation fault.
+archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
+1726				switch (*s) {
+(gdb) p n
+$1 = 1
+(gdb) p field[n]
+$2 = {start = 0x0, end = 0x0}
+
+Stop this by checking that the length is not zero before beginning
+the switch statement.
+
+I am pretty sure this is the bug mentioned in the qsym paper [1],
+and I was able to replicate it with a qsym + AFL + afl-rb setup.
+
+[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
+---
+ libarchive/archive_acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+[for import into Buildroot]
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+Upstream-status: backport
+
+CVE-2018-1000879
+
+diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
+index 512beee1..7beeee86 100644
+--- a/libarchive/archive_acl.c
+++ b/libarchive/archive_acl.c
+@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
+ 			st = field[n].start + 1;
+ 			len = field[n].end - field[n].start;
+ 
+			if (len == 0) {
+				ret = ARCHIVE_WARN;
+				continue;
+			}
+
+ 			switch (*s) {
+ 			case 'u':
+ 				if (len == 1 || (len == 4
+-- 
+2.19.2
+
--- a/package/libarchive/0004-warc-consume-data-once-read.patch
+++ b/package/libarchive/0004-warc-consume-data-once-read.patch
@@ -0,0 +1,46 @@
+From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 16:33:42 +1100
+Subject: [PATCH] warc: consume data once read
+
+The warc decoder only used read ahead, it wouldn't actually consume
+data that had previously been printed. This means that if you specify
+an invalid content length, it will just reprint the same data over
+and over and over again until it hits the desired length.
+
+This means that a WARC resource with e.g.
+Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
+but only a few hundred bytes of data, causes a quasi-infinite loop.
+
+Consume data in subsequent calls to _warc_read.
+
+Found with an AFL + afl-rb + qsym setup.
+---
+ libarchive/archive_read_support_format_warc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+[for import into Buildroot]
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+Upstream-status: backport
+
+CVE-2018-1000880
+
+diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
+index e8753853..e8fc8428 100644
+--- a/libarchive/archive_read_support_format_warc.c
+++ b/libarchive/archive_read_support_format_warc.c
+@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off)
+ 		return (ARCHIVE_EOF);
+ 	}
+ 
+	if (w->unconsumed) {
+		__archive_read_consume(a, w->unconsumed);
+		w->unconsumed = 0U;
+	}
+
+ 	rab = __archive_read_ahead(a, 1U, &nrd);
+ 	if (nrd < 0) {
+ 		*bsz = 0U;
+-- 
+2.19.2
+
--- a/package/libarchive/0005-iso9660-Fail-when-expected-Rockridge-extensions-is-m.patch
+++ b/package/libarchive/0005-iso9660-Fail-when-expected-Rockridge-extensions-is-m.patch
@@ -0,0 +1,62 @@
+From 8312eaa576014cd9b965012af51bc1f967b12423 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 17:10:49 +1100
+Subject: [PATCH] iso9660: Fail when expected Rockridge extensions is missing
+
+A corrupted or malicious ISO9660 image can cause read_CE() to loop
+forever.
+
+read_CE() calls parse_rockridge(), expecting a Rockridge extension
+to be read. However, parse_rockridge() is structured as a while
+loop starting with a sanity check, and if the sanity check fails
+before the loop has run, the function returns ARCHIVE_OK without
+advancing the position in the file. This causes read_CE() to retry
+indefinitely.
+
+Make parse_rockridge() return ARCHIVE_WARN if it didn't read an
+extension. As someone with no real knowledge of the format, this
+seems more apt than ARCHIVE_FATAL, but both the call-sites escalate
+it to a fatal error immediately anyway.
+
+Found with a combination of AFL, afl-rb (FairFuzz) and qsym.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 8312eaa57601
+
+ libarchive/archive_read_support_format_iso9660.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index 28acfefbba8a..bad8f1dfef3a 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
+++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+     const unsigned char *p, const unsigned char *end)
+ {
+ 	struct iso9660 *iso9660;
+	int entry_seen = 0;
+ 
+ 	iso9660 = (struct iso9660 *)(a->format->data);
+ 
+@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+ 		}
+ 
+ 		p += p[2];
+		entry_seen = 1;
+	}
+
+	if (entry_seen)
+		return (ARCHIVE_OK);
+	else {
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+				  "Tried to parse Rockridge extensions, but none found");
+		return (ARCHIVE_WARN);
+ 	}
+-	return (ARCHIVE_OK);
+ }
+ 
+ static int
+-- 
+2.20.1
+
--- a/package/libarchive/0006-7zip-fix-crash-when-parsing-certain-archives.patch
+++ b/package/libarchive/0006-7zip-fix-crash-when-parsing-certain-archives.patch
@@ -0,0 +1,62 @@
+From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 16:01:40 +1100
+Subject: [PATCH] 7zip: fix crash when parsing certain archives
+
+Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
+would sometimes fail to return at least 'minimum' bytes. This can cause
+the crc32() invocation in header_bytes to read off into invalid memory.
+
+A specially crafted archive can use this to cause a crash.
+
+An ASAN trace is below, but ASAN is not required - an uninstrumented
+binary will also crash.
+
+==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
+==7719==The signal is caused by a READ memory access.
+    #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
+    #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
+    #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
+    #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
+    #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
+    #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
+    #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
+    #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
+    #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
+    #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
+    #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
+    #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
+    #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
+
+This was primarly done with afl and FairFuzz. Some early corpus entries
+may have been generated by qsym.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 65a23f5dbee
+
+ libarchive/archive_read_support_format_7zip.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index bccbf896603b..b6d1505d372e 100644
+--- a/libarchive/archive_read_support_format_7zip.c
+++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
+ 	if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
+ 		/* Copy mode. */
+ 
+-		/*
+-		 * Note: '1' here is a performance optimization.
+-		 * Recall that the decompression layer returns a count of
+-		 * available bytes; asking for more than that forces the
+-		 * decompressor to combine reads by copying data.
+-		 */
+-		*buff = __archive_read_ahead(a, 1, &bytes_avail);
+		*buff = __archive_read_ahead(a, minimum, &bytes_avail);
+ 		if (bytes_avail <= 0) {
+ 			archive_set_error(&a->archive,
+ 			    ARCHIVE_ERRNO_FILE_FORMAT,
+-- 
+2.20.1
+
--- a/Show More
+++ b/Show More