diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
new file mode 100644
index 0000000..0e27684
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
@@ -0,0 +1,34 @@
+From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
+From: Greg Kurz
+Date: Wed, 23 Dec 2015 10:56:58 +0100
+Subject: [PATCH] virtio-9p: use accessor to get thread_pool
+
+The aio_context_new() function does not allocate a thread pool. This is
+deferred to the first call to the aio_get_thread_pool() accessor. It is
+hence forbidden to access the thread_pool field directly, as it may be
+NULL. The accessor *must* be used always.
+
+Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
+Reviewed-by: Michael Tokarev
+Tested-by: Michael Tokarev
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/virtio-9p-coth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
+index fb6e8f8..ab9425c 100644
+--- a/hw/9pfs/virtio-9p-coth.c
++++ b/hw/9pfs/virtio-9p-coth.c
+@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
+ void co_run_in_worker_bh(void *opaque)
+ {
+ Coroutine *co = opaque;
+- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
++ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
+ coroutine_enter_func, co, coroutine_enter_cb, co);
+ }
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
new file mode 100644
index 0000000..2874b75
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
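Review bot: The 9pfs backport converts only the single call in co_run_in_worker_bh (hw/9pfs/virtio-9p-coth.c), while its own commit message states that the thread_pool field must never be read directly because it may be NULL. Whether other direct `->thread_pool` reads remain in the 2.5.0 sources cannot be told from this hunk, so that is worth confirming before treating the crash as closed. A one-line comment above the call would keep the rule visible to later editors: `/* thread pool is created lazily; always use aio_get_thread_pool() */`.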
@@ -0,0 +1,37 @@
+From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 24 Feb 2016 11:41:33 +0530
+Subject: [PATCH] net: ne2000: check ring buffer control registers
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. Registers PSTART & PSTOP
+define ring buffer size & location. Setting these registers
+to invalid values could lead to infinite loop or OOB r/w
+access issues. Add check to avoid it.
+
+Reported-by: Yang Hongke
+Tested-by: Yang Hongke
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+---
+ hw/net/ne2000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index e408083..f0feaf9 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s)
+ {
+ int avail, index, boundary;
+
++ if (s->stop <= s->start) {
++ return 1;
++ }
++
+ index = s->curpag << 8;
+ boundary = s->boundary << 8;
+ if (index < boundary)
+--
+2.7.4
+
diff --git a/app-emulation/qemu/qemu-2.5.0-r2.ebuild b/app-emulation/qemu/qemu-2.5.0-r3.ebuild
similarity index 95%
rename from app-emulation/qemu/qemu-2.5.0-r2.ebuild
rename to app-emulation/qemu/qemu-2.5.0-r3.ebuild
index e13d9df..dc2a9a1 100644
--- a/app-emulation/qemu/qemu-2.5.0-r2.ebuild
+++ b/app-emulation/qemu/qemu-2.5.0-r3.ebuild
@@ -1,4 +1,4 @@ -# Copyright 1999-2015 Gentoo Foundation +# Copyright 1999-2016 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Id$
@@ -9,8 +9,10 @@ EAPI=5 PYTHON_COMPAT=( python2_7 ) PYTHON_REQ_USE="ncurses,readline" +PLOCALES="de_DE fr_FR hu it tr zh_CN" + inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ - user udev fcaps readme.gentoo pax-utils + user udev fcaps readme.gentoo pax-utils l10n BACKPORTS=
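Review bot: The guard added at the top of ne2000_buffer_full (hw/net/ne2000.c, inside the ne2000-reg-check patch) rejects only `s->stop <= s->start`; nothing in the hunk bounds `s->stop` by the NE2000_MEM_SIZE ring size named in the commit message, or checks that `s->curpag << 8` and `s->boundary << 8` fall between start and stop before the arithmetic that follows. If the register-write path does not already clamp these values (it is not visible here), the condition could be widened to `if (s->stop <= s->start || s->stop > NE2000_MEM_SIZE) {`. The function body continues past the end of the hunk, so the remaining index/boundary handling should be read against the full file.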
@@ -124,11 +126,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} media-libs/libsdl2[static-libs(+)] ) ) - seccomp? ( - arm? ( >=sys-libs/libseccomp-2.2.3[static-libs(+)] ) - arm64? ( >=sys-libs/libseccomp-2.2.3[static-libs(+)] ) - >=sys-libs/libseccomp-2.1.0[static-libs(+)] - ) + seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) snappy? ( app-arch/snappy[static-libs(+)] ) spice? ( @@ -302,6 +300,29 @@ check_targets() { popd >/dev/null } +handle_locales() { + # Make sure locale list is kept up-to-date. + local detected sorted + detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u)) + sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u)) + if [[ ${sorted} != "${detected}" ]] ; then + eerror "The ebuild needs to be kept in sync." + eerror "PLOCALES: ${sorted}" + eerror " po/*.po: ${detected}" + die "sync PLOCALES" + fi + + # Deal with selective install of locales. + if use nls ; then + # Delete locales the user does not want. #577814 + rm_loc() { rm po/$1.po || die; } + l10n_for_each_disabled_locale_do rm_loc + else + # Cheap hack to disable gettext .mo generation. + rm -f po/*.po + fi +} + src_prepare() { check_targets IUSE_SOFTMMU_TARGETS softmmu check_targets IUSE_USER_TARGETS linux-user @@ -311,9 +332,6 @@ src_prepare() { -e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \ Makefile Makefile.target || die - # Cheap hack to disable gettext .mo generation. - use nls || rm -f po/*.po - epatch "${FILESDIR}"/qemu-2.5.0-cflags.patch [[ -n ${BACKPORTS} ]] && \ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ 
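Review bot: With the `arm?` and `arm64?` branches removed from SOFTMMU_LIB_DEPEND, a libseccomp as old as 2.1.0 now satisfies `seccomp?` on those architectures, where the previous revision demanded 2.2.3. If QEMU's configure still needs the newer library there (not visible in this hunk), the build would fail or the sandbox the USE flag promises could be missing. Raising the floor for every architecture avoids the arch conditionals without losing the requirement: `seccomp? ( >=sys-libs/libseccomp-2.2.3[static-libs(+)] )`.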
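Review bot: In handle_locales the helper expands its argument unquoted in `rm po/$1.po`, and `rm_loc` remains defined as a global function after handle_locales returns. Quoting the path, `rm_loc() { rm "po/$1.po" || die; }`, and adding `unset -f rm_loc` after `l10n_for_each_disabled_locale_do rm_loc` keeps the helper from word-splitting or leaking into later phases. The dot in `sed 's:.po$::'` is also an unescaped regex wildcard; `sed 's:\.po$::'` states the intent.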
@@ -336,6 +354,8 @@ src_prepare() { epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492 epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420 epatch "${FILESDIR}"/${P}-sysmacros.patch + epatch "${FILESDIR}"/${P}-ne2000-reg-check.patch #573816 + epatch "${FILESDIR}"/${P}-9pfs-segfault.patch #578142 # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY @@ -344,6 +364,9 @@ src_prepare() { MAKEOPTS+=" V=1" epatch_user + + # Run after we've applied all patches. + handle_locales } ##