diff -Nru libffi-3.1~rc1+r3.0.13/debian/changelog libffi-3.1~rc1+r3.0.13/debian/changelog
--- libffi-3.1~rc1+r3.0.13/debian/changelog 2015-11-06 20:34:09.000000000 +0000
+++ libffi-3.1~rc1+r3.0.13/debian/changelog 2017-06-27 11:53:35.000000000 +0000
@@ -1,3 +1,15 @@
+libffi (3.1~rc1+r3.0.13-12ubuntu0.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: executable stack
+ - debian/patches/CVE-2017-1000376.patch: add missing GNU stack markings
+ in src/x86/win32.S.
+ - debian/patches/pax_status.patch: check /proc/self/status for PaX
+ status in src/closures.c.
+ - debian/rules: build with --enable-pax_emutramp.
+ - CVE-2017-1000376
+
+ -- Marc Deslauriers Tue, 27 Jun 2017 07:52:51 -0400
+
 libffi (3.1~rc1+r3.0.13-12ubuntu0.1) trusty; urgency=medium
 
 * Fix an AArch64 issue, taken from upstream:
diff -Nru libffi-3.1~rc1+r3.0.13/debian/patches/CVE-2017-1000376.patch libffi-3.1~rc1+r3.0.13/debian/patches/CVE-2017-1000376.patch
--- libffi-3.1~rc1+r3.0.13/debian/patches/CVE-2017-1000376.patch 1970-01-01 00:00:00.000000000 +0000
+++ libffi-3.1~rc1+r3.0.13/debian/patches/CVE-2017-1000376.patch 2017-06-21 19:36:01.000000000 +0000
@@ -0,0 +1,28 @@
+From 978c9540154d320525488db1b7049277122f736d Mon Sep 17 00:00:00 2001
+From: Samuli Suominen
+Date: Sat, 31 May 2014 08:53:10 -0400
+Subject: [PATCH] Add missing GNU stack markings in win32.S
+
+---
+ src/x86/win32.S | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libffi-3.1~rc1+r3.0.13/src/x86/win32.S
+===================================================================
+--- libffi-3.1~rc1+r3.0.13.orig/src/x86/win32.S 2017-06-21 15:35:56.915725618 -0400
++++ libffi-3.1~rc1+r3.0.13/src/x86/win32.S 2017-06-21 15:35:56.911725576 -0400
+@@ -1,5 +1,6 @@
+ /* -----------------------------------------------------------------------
+- win32.S - Copyright (c) 1996, 1998, 2001, 2002, 2009 Red Hat, Inc.
++ win32.S - Copyright (c) 2014 Anthony Green
++ Copyright (c) 1996, 1998, 2001, 2002, 2009 Red Hat, Inc.
+ Copyright (c) 2001 John Beniton
+ Copyright (c) 2002 Ranjit Mathew
+ Copyright (c) 2009 Daniel Witte
+@@ -1199,3 +1200,6 @@ _ffi_closure_STDCALL:
+
+ #endif /* !_MSC_VER */
+
++#if defined __ELF__ && defined __linux__
++ .section .note.GNU-stack,"",@progbits
++#endif
diff -Nru libffi-3.1~rc1+r3.0.13/debian/patches/pax_status.patch libffi-3.1~rc1+r3.0.13/debian/patches/pax_status.patch
--- libffi-3.1~rc1+r3.0.13/debian/patches/pax_status.patch 1970-01-01 00:00:00.000000000 +0000
+++ libffi-3.1~rc1+r3.0.13/debian/patches/pax_status.patch 2017-06-27 11:52:36.000000000 +0000
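Review bot: The `.note.GNU-stack` section added at the end of `src/x86/win32.S` carries no comment saying why it is there, and nothing in this update verifies the result. I would add `/* Mark the stack as non-executable; an object without this note makes the linker request an executable stack for the whole library. */` above the `#if defined __ELF__ && defined __linux__` line. Because a single unmarked assembly object is enough to bring the flag back, a post-build check that fails when `readelf -lW` shows `GNU_STACK` with the `E` flag on the built shared library would catch a regression. Whether the other `.S` files already carry the note is not visible here.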
@@ -0,0 +1,43 @@
+From 52b3457093ed19b2a7c5fcf243c4014c90ce6225 Mon Sep 17 00:00:00 2001
+From: Magnus Granberg
+Date: Sun, 11 May 2014 09:55:28 -0400
+Subject: [PATCH] Check /proc/self/status for PaX status.
+
+---
+ src/closures.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/closures.c b/src/closures.c
+index 98f00f95..c7863f3d 100644
+--- a/src/closures.c
++++ b/src/closures.c
+@@ -181,10 +181,26 @@ static int emutramp_enabled = -1;
+ static int
+ emutramp_enabled_check (void)
+ {
+- if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+- return 1;
+- else
++ char *buf = NULL;
++ size_t len = 0;
++ FILE *f;
++ int ret;
++ f = fopen ("/proc/self/status", "r");
++ if (f == NULL)
+ return 0;
++ ret = 0;
++
++ while (getline (&buf, &len, f) != -1)
++ if (!strncmp (buf, "PaX:", 4))
++ {
++ char emutramp;
++ if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
++ ret = (emutramp == 'E');
++ break;
++ }
++ free (buf);
++ fclose (f);
++ return ret;
+ }
+
+ #define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
diff -Nru libffi-3.1~rc1+r3.0.13/debian/patches/series libffi-3.1~rc1+r3.0.13/debian/patches/series
--- libffi-3.1~rc1+r3.0.13/debian/patches/series 2015-11-06 20:03:13.000000000 +0000
+++ libffi-3.1~rc1+r3.0.13/debian/patches/series 2017-06-27 11:52:36.000000000 +0000
@@ -4,3 +4,5 @@
 aarch64-call-frame-info.diff
 fix-ffi_call_VFP-with-no-VFP-argument.diff
 aarch64-fix.diff
+CVE-2017-1000376.patch
+pax_status.patch
diff -Nru libffi-3.1~rc1+r3.0.13/debian/rules libffi-3.1~rc1+r3.0.13/debian/rules
--- libffi-3.1~rc1+r3.0.13/debian/rules 2014-01-14 12:33:44.000000000 +0000
+++ libffi-3.1~rc1+r3.0.13/debian/rules 2017-06-21 19:36:16.000000000 +0000
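Review bot: `emutramp_enabled_check` returns 0 on three different paths (no readable `/proc/self/status`, no `PaX:` line, a `PaX:` line that `sscanf` cannot parse) and none of them is documented, nor is the positional assumption in `"%*s %*c%c"` that the second flag character is the EMUTRAMP flag. A comment above the function, for example `/* Returns 1 only when the PaX: line of /proc/self/status shows 'E' as its second flag; a missing /proc, a missing PaX: line or a parse failure all mean "disabled". */`, would make that default explicit. The hunk also drops the `FFI_DISABLE_EMUTRAMP` override without replacement, which looks intentional but deserves a line in the patch description. As a style point, the `while` has no braces around the braced `if`; bracing the loop body would keep a later added statement from silently falling outside the loop.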
@@ -45,6 +45,7 @@
 --prefix=/usr \
 --mandir=\$${prefix}/share/man \
 --infodir=\$${prefix}/share/info \
+ --enable-pax_emutramp \
 CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CCASFLAGS="$(CFLAGS) -Wa,--gdwarf2" LDFLAGS="-Wl,-z,defs $(LDFLAGS)"
 touch $@
 # --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
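Review bot: `--enable-pax_emutramp` is only safe together with `debian/patches/pax_status.patch`, and nothing next to the option records that dependency. With the check that patch removes, `emutramp_enabled_check` returned 1 whenever `FFI_DISABLE_EMUTRAMP` was unset, so dropping the patch from `series` while keeping this flag would presumably turn the emulated-trampoline path on for kernels without PaX. A comment above the configure invocation, such as `# --enable-pax_emutramp relies on pax_status.patch to detect PaX at run time`, would keep the two from drifting apart. The configure command starts above this hunk.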