diff -Nru pax-utils-1.2.8/debian/changelog pax-utils-1.2.9/debian/changelog
--- pax-utils-1.2.8/debian/changelog	2021-01-30 20:16:17.000000000 +0000
+++ pax-utils-1.2.9/debian/changelog	2021-02-13 14:45:19.000000000 +0000
@@ -1,3 +1,9 @@
+pax-utils (1.2.9-1) unstable; urgency=medium
+
+  * New upstream version 1.2.9
+
+ -- Tomasz Buchert <tomasz@debian.org>  Sat, 13 Feb 2021 15:45:19 +0100
+
 pax-utils (1.2.8-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pax-utils-1.2.8/debian/control pax-utils-1.2.9/debian/control
--- pax-utils-1.2.8/debian/control	2021-01-30 20:16:17.000000000 +0000
+++ pax-utils-1.2.9/debian/control	2021-02-13 14:45:19.000000000 +0000
@@ -11,7 +11,7 @@
                python3-pyelftools,
                python3:any,
                xmlto
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/debian/pax-utils
 Vcs-Git: https://salsa.debian.org/debian/pax-utils.git
 Homepage: https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities
diff -Nru pax-utils-1.2.8/debian/patches/0002-use-python3-for-lddtree.py.patch pax-utils-1.2.9/debian/patches/0002-use-python3-for-lddtree.py.patch
--- pax-utils-1.2.8/debian/patches/0002-use-python3-for-lddtree.py.patch	2021-01-30 20:16:17.000000000 +0000
+++ pax-utils-1.2.9/debian/patches/0002-use-python3-for-lddtree.py.patch	2021-02-13 14:45:19.000000000 +0000
@@ -7,7 +7,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/lddtree.py b/lddtree.py
-index 6e57a99..3db71a1 100755
+index 141195b..92d9a1c 100755
 --- a/lddtree.py
 +++ b/lddtree.py
 @@ -1,4 +1,4 @@
diff -Nru pax-utils-1.2.8/macho.h pax-utils-1.2.9/macho.h
--- pax-utils-1.2.8/macho.h	2020-12-20 19:52:04.000000000 +0000
+++ pax-utils-1.2.9/macho.h	2021-02-03 20:40:12.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2012 Gentoo Foundation
+ * Copyright 2008-2021 Gentoo Foundation
  * Distributed under the terms of the GNU General Public License v2
  */
 
@@ -128,6 +128,7 @@
 /* cputype */
 #define CPU_TYPE_POWERPC64  (CPU_TYPE_POWERPC | CPU_ARCH_ABI64)
 #define CPU_TYPE_X86_64     (CPU_TYPE_I386 | CPU_ARCH_ABI64)
+#define CPU_TYPE_ARM64      (CPU_TYPE_ARM | CPU_ARCH_ABI64)
 
 struct load_command
 {
@@ -257,6 +258,12 @@
     union lc_str path;
 };
 
+struct uuid_command {
+    uint32_t cmd;
+    uint32_t cmdsize;
+    uint8_t uuid[16];
+};
+
 struct fat_header
 {
 	uint32_t magic;
diff -Nru pax-utils-1.2.8/paxmacho.c pax-utils-1.2.9/paxmacho.c
--- pax-utils-1.2.8/paxmacho.c	2020-12-20 19:52:04.000000000 +0000
+++ pax-utils-1.2.9/paxmacho.c	2021-02-03 20:40:12.000000000 +0000
@@ -1,10 +1,10 @@
 /*
- * Copyright 2003-2012 Gentoo Foundation
+ * Copyright 2003-2021 Gentoo Foundation
  * Distributed under the terms of the GNU General Public License v2
  *
  * Copyright 2005-2012 Ned Ludd        - <solar@gentoo.org>
  * Copyright 2005-2012 Mike Frysinger  - <vapier@gentoo.org>
- *           2008-2012 Fabian Groffen  - <grobian@gentoo.org>
+ *           2008-2021 Fabian Groffen  - <grobian@gentoo.org>
  */
 
 #include "paxinc.h"
@@ -17,6 +17,7 @@
 static const char STR_I386[]    = "i386";
 static const char STR_X86_64[]  = "x86_64";
 static const char STR_ARM[]     = "arm"; /* iPhone */
+static const char STR_ARM64[]   = "arm64"; /* Apple M1 */
 static const char STR_UNKNOWN[] = "unknown";
 
 #define QUERY(n) { #n, n }
@@ -95,6 +96,7 @@
 	QUERY(CPU_TYPE_ARM),
 	QUERY(CPU_TYPE_POWERPC64),
 	QUERY(CPU_TYPE_X86_64),
+	QUERY(CPU_TYPE_ARM64),
 	{ 0, 0 }
 };
 const char *get_machocputype(fatobj *fobj)
@@ -383,6 +385,7 @@
 		case CPU_TYPE_ARM:       return STR_ARM;
 		case CPU_TYPE_POWERPC64: return STR_PPC64;
 		case CPU_TYPE_X86_64:    return STR_X86_64;
+		case CPU_TYPE_ARM64:     return STR_ARM64;
 		default:                 return STR_UNKNOWN;
 	}
 }
diff -Nru pax-utils-1.2.8/scanmacho.c pax-utils-1.2.9/scanmacho.c
--- pax-utils-1.2.8/scanmacho.c	2020-12-20 19:52:04.000000000 +0000
+++ pax-utils-1.2.9/scanmacho.c	2021-02-03 20:40:12.000000000 +0000
@@ -1,12 +1,12 @@
 /*
- * Copyright 2008-2012 Gentoo Foundation
+ * Copyright 2008-2021 Gentoo Foundation
  * Distributed under the terms of the GNU General Public License v2
  *
  * based on scanelf by:
  * Copyright 2003-2012 Ned Ludd        - <solar@gentoo.org>
  * Copyright 2004-2012 Mike Frysinger  - <vapier@gentoo.org>
  * for Darwin specific fun:
- *           2008-2013 Fabian Groffen  - <grobian@gentoo.org>
+ *           2008-2021 Fabian Groffen  - <grobian@gentoo.org>
  */
 
 const char argv0[] = "scanmacho";
@@ -37,6 +37,7 @@
 static char show_needed = 0;
 static char show_interp = 0;
 static char show_bind = 0;
+static char show_uuid = 0;
 static char show_soname = 0;
 static char show_banner = 1;
 static char show_endian = 0;
@@ -181,18 +182,54 @@
 	return NULL;
 }
 
+static char *macho_file_uuid(fatobj *fobj, char *found_uuid)
+{
+	loadcmd *lcmd;
+	uint32_t lc_uuid;
+	static char uuid_buf[32 + 4 + 1];
+
+	if (!show_uuid)
+		return NULL;
+
+	lcmd = firstloadcmd(fobj);
+	lc_uuid = MGET(fobj->swapped, LC_UUID);
+
+	do {
+		if (lcmd->lcmd->cmd == lc_uuid) {
+			struct uuid_command *ucmd = lcmd->data;
+			unsigned char *uuid;
+			uuid = (unsigned char *)(ucmd->uuid);
+			*found_uuid = 1;
+			free(lcmd);
+			if (be_wewy_wewy_quiet)
+				return NULL;
+			snprintf(uuid_buf, sizeof(uuid_buf),
+					"%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
+					"%02x%02x%02x%02x%02x%02x",
+					uuid[0], uuid[1], uuid[2], uuid[3],
+					uuid[4], uuid[5],
+					uuid[6], uuid[7],
+					uuid[8], uuid[9],
+					uuid[10], uuid[11], uuid[12], uuid[13], uuid[14], uuid[15]);
+			return uuid_buf;
+		}
+	} while (nextloadcmd(lcmd));
+
+	return NULL;
+}
+
 /* scan a macho file and show all the fun stuff */
 #define prints(str) ({ ssize_t ret = write(fileno(stdout), str, strlen(str)); ret; })
 static int scanmacho_fatobj(fatobj *fobj)
 {
 	unsigned long i;
 	char found_rpath, found_needed, found_interp, found_soname,
-		 found_lib, found_file;
+		 found_lib, found_file, found_uuid;
 	static char *out_buffer = NULL;
 	static size_t out_len;
 
 	found_rpath = found_needed = found_interp = found_soname = \
-	found_lib = found_file = 0;
+	found_lib = found_file = found_uuid = 0;
 
 	if (be_verbose > 2)
 		printf("%s: scanning file {%s,%s}\n", fobj->filename,
@@ -228,6 +265,7 @@
 			case 'b': prints("FLAGS "); break;
 			case 'Z': prints("SIZE "); break;
 			case 'S': prints("INSTALLNAME "); break;
+			case 'U': prints("UUID "); break;
 			case 'N': prints("LIB "); break;
 			case 'a': prints("ARCH "); break;
 			case 'O': prints("PERM "); break;
@@ -293,6 +331,7 @@
 		case 'i': out = macho_file_interp(fobj, &found_interp); break;
 		case 'b': get_machomhflags(fobj, &out_buffer, &out_len); break;
 		case 'S': out = macho_file_soname(fobj, &found_soname); break;
+		case 'U': out = macho_file_uuid(fobj, &found_uuid); break;
 		case 'a': out = get_machomtype(fobj); break;
 		case 'Z': snprintf(ubuf, sizeof(ubuf), "%llu", (unsigned long long int)fobj->len); out = ubuf; break;;
 		default: warnf("'%c' has no scan code?", out_format[i]);
@@ -532,8 +571,8 @@
 	free(path);
 }
 
-/* usage / invocation handling functions */ /* Free Flags: c d e j k l s t u w x z G H I J K L P Q T U W X Y */
-#define PARSE_FLAGS "pRmyArnibSN:gE:M:DO:ZaqvF:f:o:CBhV"
+/* usage / invocation handling functions */ /* Free Flags: c d e j k l s t u w x z G H I J K L P Q T W X Y */
+#define PARSE_FLAGS "pRmyArnibSUN:gE:M:DO:ZaqvF:f:o:CBhV"
 #define a_argument required_argument
 static struct option const long_opts[] = {
 	{"path",      no_argument, NULL, 'p'},
@@ -546,6 +585,7 @@
 	{"interp",    no_argument, NULL, 'i'},
 	{"bind",      no_argument, NULL, 'b'},
 	{"soname",    no_argument, NULL, 'S'},
+	{"uuid",      no_argument, NULL, 'U'},
 	{"lib",        a_argument, NULL, 'N'},
 	{"gmatch",    no_argument, NULL, 'g'},
 	{"etype",      a_argument, NULL, 'E'},
@@ -577,6 +617,7 @@
 	"Print LC_LOAD_DYLINKER information (ELF: INTERP)",
 	"Print flags from mach_header (ELF: BIND)",
 	"Print LC_ID_DYLIB information (ELF: SONAME)",
+	"Print LC_UUID information",
 	"Find a specified library",
 	"Use strncmp to match libraries. (use with -N)",
 	"Print only Mach-O files matching mach_header\n"
@@ -678,6 +719,7 @@
 		case 'i': show_interp = 1; break;
 		case 'b': show_bind = 1; break;
 		case 'S': show_soname = 1; break;
+		case 'U': show_uuid = 1; break;
 		case 'q': be_quiet = 1; break;
 		case 'v': be_verbose = (be_verbose % 20) + 1; break;
 		case 'a': show_perms = show_endian = show_bind = 1; break;
@@ -717,6 +759,7 @@
 			case 'i': show_interp = 1; break;
 			case 'b': show_bind = 1; break;
 			case 'S': show_soname = 1; break;
+			case 'U': show_uuid = 1; break;
 			default:
 				err("Invalid format specifier '%c' (byte %i)",
 				    out_format[i], i+1);
@@ -738,6 +781,7 @@
 		if (show_interp)   xstrcat(&out_format, "%i ", &fmt_len);
 		if (show_bind)     xstrcat(&out_format, "%b ", &fmt_len);
 		if (show_soname)   xstrcat(&out_format, "%S ", &fmt_len);
+		if (show_uuid)     xstrcat(&out_format, "%U ", &fmt_len);
 		if (find_lib)      xstrcat(&out_format, "%N ", &fmt_len);
 		if (!be_quiet)     xstrcat(&out_format, "%F ", &fmt_len);
 	}
diff -Nru pax-utils-1.2.8/security.c pax-utils-1.2.9/security.c
--- pax-utils-1.2.8/security.c	2020-12-20 19:52:04.000000000 +0000
+++ pax-utils-1.2.9/security.c	2021-02-03 20:40:12.000000000 +0000
@@ -156,6 +156,11 @@
 		SCMP_SYS(readlink),
 		SCMP_SYS(readlinkat),
 		SCMP_SYS(getcwd),
+		#ifndef __SNR_faccessat2
+		/* faccessat2 is not yet defiled in latest libseccomp-2.5.1 */
+		#    define __SNR_faccessat2 __NR_faccessat2
+		#endif
+		SCMP_SYS(faccessat2),
 
 		/* Syscalls listed because of fakeroot.  */
 		SCMP_SYS(msgget),