summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChí-Thanh Christopher Nguyễn <chithanh@gentoo.org>2015-09-03 17:56:58 +0200
committerChí-Thanh Christopher Nguyễn <chithanh@gentoo.org>2015-09-03 17:56:58 +0200
commit9695eae2fcfd4e20f418a488729639dce3556376 (patch)
tree5cc2e68043affad7669a86cdfee31d3f5e2bd6a8 /x11-base
parentfix building with gcc-5.2 with patch from Sven Eden via bug 552370 (diff)
downloadgentoo-9695eae2fcfd4e20f418a488729639dce3556376.tar.gz
gentoo-9695eae2fcfd4e20f418a488729639dce3556376.tar.bz2
gentoo-9695eae2fcfd4e20f418a488729639dce3556376.zip
x11-base/xorg-server: add patches for CVE-2015-3164
Bug: https://bugs.gentoo.org/show_bug.cgi?id=551680 Package-Manager: portage-2.2.20.1
Diffstat (limited to 'x11-base')
-rw-r--r--x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch33
-rw-r--r--x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch246
-rw-r--r--x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch34
-rw-r--r--x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild261
-rw-r--r--x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild236
5 files changed, 810 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch
new file mode 100644
index 00000000000..a9f80302270
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch
@@ -0,0 +1,33 @@
+From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:42 -0400
+Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3]
+
+Xwayland currently allows wide-open access to the X sockets
+it listens on, ignoring Xauth access control.
+
+This commit makes sure to enable access control on the sockets,
+so one user can't snoop on another user's X-over-wayland
+applications.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index 7e8d667..c5bee77 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
+ int i;
+
+ for (i = 0; i < xwl_screen->listen_fd_count; i++)
+- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
++ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
+ }
+
+ static void
+--
+cgit v0.10.2
+
diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch
new file mode 100644
index 00000000000..47b323f1ec8
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch
@@ -0,0 +1,246 @@
+From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:43 -0400
+Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3]
+
+If the X server is started without a '-auth' argument, then
+it gets started wide open to all local users on the system.
+
+This isn't a great default access model, but changing it in
+Xorg at this point would break backward compatibility.
+
+Xwayland, on the other hand is new, and much more targeted
+in scope. It could, in theory, be changed to allow the much
+more secure default of a "user who started X server can connect
+clients to that server."
+
+This commit paves the way for that change, by adding a mechanism
+for DDXs to opt-in to that behavior. They merely need to call
+
+LocalAccessScopeUser()
+
+in their init functions.
+
+A subsequent commit will add that call for Xwayland.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/include/os.h b/include/os.h
+index 6638c84..b2b96c8 100644
+--- a/include/os.h
++++ b/include/os.h
+@@ -431,11 +431,28 @@ extern _X_EXPORT void
+ ResetHosts(const char *display);
+
+ extern _X_EXPORT void
++EnableLocalAccess(void);
++
++extern _X_EXPORT void
++DisableLocalAccess(void);
++
++extern _X_EXPORT void
+ EnableLocalHost(void);
+
+ extern _X_EXPORT void
+ DisableLocalHost(void);
+
++#ifndef NO_LOCAL_CLIENT_CRED
++extern _X_EXPORT void
++EnableLocalUser(void);
++
++extern _X_EXPORT void
++DisableLocalUser(void);
++
++extern _X_EXPORT void
++LocalAccessScopeUser(void);
++#endif
++
+ extern _X_EXPORT void
+ AccessUsingXdmcp(void);
+
+diff --git a/os/access.c b/os/access.c
+index 8fa028e..75e7a69 100644
+--- a/os/access.c
++++ b/os/access.c
+@@ -102,6 +102,10 @@ SOFTWARE.
+ #include <sys/ioctl.h>
+ #include <ctype.h>
+
++#ifndef NO_LOCAL_CLIENT_CRED
++#include <pwd.h>
++#endif
++
+ #if defined(TCPCONN) || defined(STREAMSCONN)
+ #include <netinet/in.h>
+ #endif /* TCPCONN || STREAMSCONN */
+@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
+ static int LocalHostRequested = FALSE;
+ static int UsingXdmcp = FALSE;
+
++static enum {
++ LOCAL_ACCESS_SCOPE_HOST = 0,
++#ifndef NO_LOCAL_CLIENT_CRED
++ LOCAL_ACCESS_SCOPE_USER,
++#endif
++} LocalAccessScope;
++
+ /* FamilyServerInterpreted implementation */
+ static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
+ ClientPtr client);
+@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
+ */
+
+ void
++EnableLocalAccess(void)
++{
++ switch (LocalAccessScope) {
++ case LOCAL_ACCESS_SCOPE_HOST:
++ EnableLocalHost();
++ break;
++#ifndef NO_LOCAL_CLIENT_CRED
++ case LOCAL_ACCESS_SCOPE_USER:
++ EnableLocalUser();
++ break;
++#endif
++ }
++}
++
++void
+ EnableLocalHost(void)
+ {
+ if (!UsingXdmcp) {
+@@ -249,6 +275,21 @@ EnableLocalHost(void)
+ * called when authorization is enabled to keep us secure
+ */
+ void
++DisableLocalAccess(void)
++{
++ switch (LocalAccessScope) {
++ case LOCAL_ACCESS_SCOPE_HOST:
++ DisableLocalHost();
++ break;
++#ifndef NO_LOCAL_CLIENT_CRED
++ case LOCAL_ACCESS_SCOPE_USER:
++ DisableLocalUser();
++ break;
++#endif
++ }
++}
++
++void
+ DisableLocalHost(void)
+ {
+ HOST *self;
+@@ -262,6 +303,74 @@ DisableLocalHost(void)
+ }
+ }
+
++#ifndef NO_LOCAL_CLIENT_CRED
++static int GetLocalUserAddr(char **addr)
++{
++ static const char *type = "localuser";
++ static const char delimiter = '\0';
++ static const char *value;
++ struct passwd *pw;
++ int length = -1;
++
++ pw = getpwuid(getuid());
++
++ if (pw == NULL || pw->pw_name == NULL)
++ goto out;
++
++ value = pw->pw_name;
++
++ length = asprintf(addr, "%s%c%s", type, delimiter, value);
++
++ if (length == -1) {
++ goto out;
++ }
++
++ /* Trailing NUL */
++ length++;
++
++out:
++ return length;
++}
++
++void
++EnableLocalUser(void)
++{
++ char *addr = NULL;
++ int length = -1;
++
++ length = GetLocalUserAddr(&addr);
++
++ if (length == -1)
++ return;
++
++ NewHost(FamilyServerInterpreted, addr, length, TRUE);
++
++ free(addr);
++}
++
++void
++DisableLocalUser(void)
++{
++ char *addr = NULL;
++ int length = -1;
++
++ length = GetLocalUserAddr(&addr);
++
++ if (length == -1)
++ return;
++
++ RemoveHost(NULL, FamilyServerInterpreted, length, addr);
++
++ free(addr);
++}
++
++void
++LocalAccessScopeUser(void)
++{
++ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
++}
++#endif
++
+ /*
+ * called at init time when XDMCP will be used; xdmcp always
+ * adds local hosts manually when needed
+diff --git a/os/auth.c b/os/auth.c
+index 5fcb538..7da6fc6 100644
+--- a/os/auth.c
++++ b/os/auth.c
+@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
+
+ /*
+ * If the authorization file has at least one entry for this server,
+- * disable local host access. (loadauth > 0)
++ * disable local access. (loadauth > 0)
+ *
+ * If there are zero entries (either initially or when the
+ * authorization file is later reloaded), or if a valid
+- * authorization file was never loaded, enable local host access.
++ * authorization file was never loaded, enable local access.
+ * (loadauth == 0 || !loaded)
+ *
+ * If the authorization file was loaded initially (with valid
+@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
+ */
+
+ if (loadauth > 0) {
+- DisableLocalHost(); /* got at least one */
++ DisableLocalAccess(); /* got at least one */
+ loaded = TRUE;
+ }
+ else if (loadauth == 0 || !loaded)
+- EnableLocalHost();
++ EnableLocalAccess();
+ }
+ if (name_length) {
+ for (i = 0; i < NUM_AUTHORIZATION; i++) {
+--
+cgit v0.10.2
+
diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch
new file mode 100644
index 00000000000..7e8f173117a
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch
@@ -0,0 +1,34 @@
+From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:44 -0400
+Subject: xwayland: default to local user if no xauth file given.
+ [CVE-2015-3164 3/3]
+
+Right now if "-auth" isn't passed on the command line, we let
+any user on the system connect to the Xwayland server.
+
+That's clearly suboptimal, given Xwayland is generally designed
+to be used by one user at a time.
+
+This commit changes the behavior, so only the user who started the
+X server can connect clients to it.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index c5bee77..bc92beb 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
+ if (AddScreen(xwl_screen_init, argc, argv) == -1) {
+ FatalError("Couldn't add screen\n");
+ }
++
++ LocalAccessScopeUser();
+ }
+--
+cgit v0.10.2
+
diff --git a/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild b/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild
new file mode 100644
index 00000000000..58c70e0256e
--- /dev/null
+++ b/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild
@@ -0,0 +1,261 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+XORG_DOC=doc
+inherit xorg-2 multilib versionator flag-o-matic
+EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver"
+
+DESCRIPTION="X.Org X servers"
+SLOT="0/1.16.1"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux"
+
+IUSE_SERVERS="dmx kdrive xnest xorg xvfb"
+IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland"
+
+CDEPEND=">=app-eselect/eselect-opengl-1.0.8
+ !>=app-eselect/eselect-opengl-1.3.0
+ dev-libs/openssl
+ media-libs/freetype
+ >=x11-apps/iceauth-1.0.2
+ >=x11-apps/rgb-1.0.3
+ >=x11-apps/xauth-1.0.3
+ x11-apps/xkbcomp
+ >=x11-libs/libdrm-2.4.20
+ >=x11-libs/libpciaccess-0.12.901
+ >=x11-libs/libXau-1.0.4
+ >=x11-libs/libXdmcp-1.0.2
+ >=x11-libs/libXfont-1.4.2
+ >=x11-libs/libxkbfile-1.0.4
+ >=x11-libs/libxshmfence-1.1
+ >=x11-libs/pixman-0.27.2
+ >=x11-libs/xtrans-1.3.3
+ >=x11-misc/xbitmaps-1.0.1
+ >=x11-misc/xkeyboard-config-2.4.1-r3
+ dmx? (
+ x11-libs/libXt
+ >=x11-libs/libdmx-1.0.99.1
+ >=x11-libs/libX11-1.1.5
+ >=x11-libs/libXaw-1.0.4
+ >=x11-libs/libXext-1.0.99.4
+ >=x11-libs/libXfixes-5.0
+ >=x11-libs/libXi-1.2.99.1
+ >=x11-libs/libXmu-1.0.3
+ x11-libs/libXrender
+ >=x11-libs/libXres-1.0.3
+ >=x11-libs/libXtst-1.0.99.2
+ )
+ glamor? (
+ media-libs/libepoxy
+ media-libs/mesa[egl,gbm]
+ !x11-libs/glamor
+ )
+ kdrive? (
+ >=x11-libs/libXext-1.0.5
+ x11-libs/libXv
+ )
+ !minimal? (
+ >=x11-libs/libX11-1.1.5
+ >=x11-libs/libXext-1.0.5
+ >=media-libs/mesa-9.2.0[nptl=]
+ )
+ tslib? ( >=x11-libs/tslib-1.0 )
+ udev? ( >=virtual/udev-150 )
+ unwind? ( sys-libs/libunwind )
+ wayland? (
+ >=dev-libs/wayland-1.3.0
+ media-libs/libepoxy
+ )
+ >=x11-apps/xinit-1.3
+ systemd? (
+ sys-apps/dbus
+ sys-apps/systemd
+ )"
+
+DEPEND="${CDEPEND}
+ sys-devel/flex
+ >=x11-proto/bigreqsproto-1.1.0
+ >=x11-proto/compositeproto-0.4
+ >=x11-proto/damageproto-1.1
+ >=x11-proto/fixesproto-5.0
+ >=x11-proto/fontsproto-2.1.3
+ >=x11-proto/glproto-1.4.17
+ >=x11-proto/inputproto-2.2.99.1
+ >=x11-proto/kbproto-1.0.3
+ >=x11-proto/randrproto-1.4.0
+ >=x11-proto/recordproto-1.13.99.1
+ >=x11-proto/renderproto-0.11
+ >=x11-proto/resourceproto-1.2.0
+ >=x11-proto/scrnsaverproto-1.1
+ >=x11-proto/trapproto-3.4.3
+ >=x11-proto/videoproto-2.2.2
+ >=x11-proto/xcmiscproto-1.2.0
+ >=x11-proto/xextproto-7.2.99.901
+ >=x11-proto/xf86dgaproto-2.0.99.1
+ >=x11-proto/xf86rushproto-1.1.2
+ >=x11-proto/xf86vidmodeproto-2.2.99.1
+ >=x11-proto/xineramaproto-1.1.3
+ >=x11-proto/xproto-7.0.26
+ >=x11-proto/presentproto-1.0
+ >=x11-proto/dri3proto-1.0
+ dmx? (
+ >=x11-proto/dmxproto-2.2.99.1
+ doc? (
+ || (
+ www-client/links
+ www-client/lynx
+ www-client/w3m
+ )
+ )
+ )
+ !minimal? (
+ >=x11-proto/xf86driproto-2.1.0
+ >=x11-proto/dri2proto-2.8
+ )"
+
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-xserver )
+"
+
+PDEPEND="
+ xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )"
+
+REQUIRED_USE="!minimal? (
+ || ( ${IUSE_SERVERS} )
+ )"
+
+#UPSTREAMED_PATCHES=(
+# "${WORKDIR}/patches/"
+#)
+
+PATCHES=(
+ "${UPSTREAMED_PATCHES[@]}"
+ "${FILESDIR}"/${PN}-1.12-ia64-fix_inx_outx.patch
+ "${FILESDIR}"/${PN}-1.12-unloadsubmodule.patch
+ "${FILESDIR}"/${PN}-1.17-cve-2015-3164-1.patch
+ "${FILESDIR}"/${PN}-1.17-cve-2015-3164-2.patch
+ "${FILESDIR}"/${PN}-1.17-cve-2015-3164-3.patch
+)
+
+pkg_pretend() {
+ # older gcc is not supported
+ [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \
+ die "Sorry, but gcc earlier than 4.0 will not work for xorg-server."
+}
+
+src_configure() {
+ # localstatedir is used for the log location; we need to override the default
+ # from ebuild.sh
+ # sysconfdir is used for the xorg.conf location; same applies
+ # NOTE: fop is used for doc generating ; and i have no idea if gentoo
+ # package it somewhere
+ XORG_CONFIGURE_OPTIONS=(
+ $(use_enable ipv6)
+ $(use_enable dmx)
+ $(use_enable glamor)
+ $(use_enable kdrive)
+ $(use_enable kdrive kdrive-kbd)
+ $(use_enable kdrive kdrive-mouse)
+ $(use_enable kdrive kdrive-evdev)
+ $(use_enable suid install-setuid)
+ $(use_enable tslib)
+ $(use_enable unwind libunwind)
+ $(use_enable wayland xwayland)
+ $(use_enable !minimal record)
+ $(use_enable !minimal xfree86-utils)
+ $(use_enable !minimal install-libxf86config)
+ $(use_enable !minimal dri)
+ $(use_enable !minimal dri2)
+ $(use_enable !minimal glx)
+ $(use_enable xnest)
+ $(use_enable xorg)
+ $(use_enable xvfb)
+ $(use_enable nptl glx-tls)
+ $(use_enable udev config-udev)
+ $(use_with doc doxygen)
+ $(use_with doc xmlto)
+ $(use_with systemd systemd-daemon)
+ $(use_enable systemd systemd-logind)
+ --enable-libdrm
+ --sysconfdir="${EPREFIX}"/etc/X11
+ --localstatedir="${EPREFIX}"/var
+ --with-fontrootdir="${EPREFIX}"/usr/share/fonts
+ --with-xkb-output="${EPREFIX}"/var/lib/xkb
+ --disable-config-hal
+ --disable-linux-acpi
+ --without-dtrace
+ --without-fop
+ --with-os-vendor=Gentoo
+ --with-sha1=libcrypto
+ )
+
+ # Xorg-server requires includes from OS mesa which are not visible for
+ # users of binary drivers.
+ mkdir -p "${T}/mesa-symlinks/GL"
+ for i in gl glx glxmd glxproto glxtokens; do
+ ln -s "${EROOT}usr/$(get_libdir)/opengl/xorg-x11/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die
+ done
+ for i in glext glxext; do
+ ln -s "${EROOT}usr/$(get_libdir)/opengl/global/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die
+ done
+ append-cppflags "-I${T}/mesa-symlinks"
+
+ xorg-2_src_configure
+}
+
+src_install() {
+ xorg-2_src_install
+
+ dynamic_libgl_install
+
+ server_based_install
+
+ if ! use minimal && use xorg; then
+ # Install xorg.conf.example into docs
+ dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example
+ fi
+
+ newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup
+ newinitd "${FILESDIR}"/xdm.initd-11 xdm
+ newconfd "${FILESDIR}"/xdm.confd-4 xdm
+
+ # install the @x11-module-rebuild set for Portage
+ insinto /usr/share/portage/config/sets
+ newins "${FILESDIR}"/xorg-sets.conf xorg.conf
+}
+
+pkg_postinst() {
+ # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install)
+ eselect opengl set xorg-x11 --use-old
+}
+
+pkg_postrm() {
+ # Get rid of module dir to ensure opengl-update works properly
+ if [[ -z ${REPLACED_BY_VERSION} && -e ${EROOT}/usr/$(get_libdir)/xorg/modules ]]; then
+ rm -rf "${EROOT}"/usr/$(get_libdir)/xorg/modules
+ fi
+}
+
+dynamic_libgl_install() {
+ # next section is to setup the dynamic libGL stuff
+ ebegin "Moving GL files for dynamic switching"
+ dodir /usr/$(get_libdir)/opengl/xorg-x11/extensions
+ local x=""
+ for x in "${ED}"/usr/$(get_libdir)/xorg/modules/extensions/lib{glx,dri,dri2}*; do
+ if [ -f ${x} -o -L ${x} ]; then
+ mv -f ${x} "${ED}"/usr/$(get_libdir)/opengl/xorg-x11/extensions
+ fi
+ done
+ eend 0
+}
+
+server_based_install() {
+ if ! use xorg; then
+ rm "${ED}"/usr/share/man/man1/Xserver.1x \
+ "${ED}"/usr/$(get_libdir)/xserver/SecurityPolicy \
+ "${ED}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \
+ "${ED}"/usr/share/man/man1/Xserver.1x
+ fi
+}
diff --git a/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild b/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild
new file mode 100644
index 00000000000..1ec0222efd2
--- /dev/null
+++ b/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild
@@ -0,0 +1,236 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+XORG_DOC=doc
+inherit xorg-2 multilib versionator flag-o-matic
+EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver"
+
+DESCRIPTION="X.Org X servers"
+SLOT="0/1.16.1"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux"
+
+IUSE_SERVERS="dmx kdrive xnest xorg xvfb"
+IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland"
+
+CDEPEND=">=app-eselect/eselect-opengl-1.3.0
+ dev-libs/openssl
+ media-libs/freetype
+ >=x11-apps/iceauth-1.0.2
+ >=x11-apps/rgb-1.0.3
+ >=x11-apps/xauth-1.0.3
+ x11-apps/xkbcomp
+ >=x11-libs/libdrm-2.4.20
+ >=x11-libs/libpciaccess-0.12.901
+ >=x11-libs/libXau-1.0.4
+ >=x11-libs/libXdmcp-1.0.2
+ >=x11-libs/libXfont-1.4.2
+ >=x11-libs/libxkbfile-1.0.4
+ >=x11-libs/libxshmfence-1.1
+ >=x11-libs/pixman-0.27.2
+ >=x11-libs/xtrans-1.3.3
+ >=x11-misc/xbitmaps-1.0.1
+ >=x11-misc/xkeyboard-config-2.4.1-r3
+ dmx? (
+ x11-libs/libXt
+ >=x11-libs/libdmx-1.0.99.1
+ >=x11-libs/libX11-1.1.5
+ >=x11-libs/libXaw-1.0.4
+ >=x11-libs/libXext-1.0.99.4
+ >=x11-libs/libXfixes-5.0
+ >=x11-libs/libXi-1.2.99.1
+ >=x11-libs/libXmu-1.0.3
+ x11-libs/libXrender
+ >=x11-libs/libXres-1.0.3
+ >=x11-libs/libXtst-1.0.99.2
+ )
+ glamor? (
+ media-libs/libepoxy
+ >=media-libs/mesa-10.3.4-r1[egl,gbm]
+ !x11-libs/glamor
+ )
+ kdrive? (
+ >=x11-libs/libXext-1.0.5
+ x11-libs/libXv
+ )
+ !minimal? (
+ >=x11-libs/libX11-1.1.5
+ >=x11-libs/libXext-1.0.5
+ >=media-libs/mesa-10.3.4-r1[nptl=]
+ )
+ tslib? ( >=x11-libs/tslib-1.0 )
+ udev? ( >=virtual/udev-150 )
+ unwind? ( sys-libs/libunwind )
+ wayland? (
+ >=dev-libs/wayland-1.3.0
+ media-libs/libepoxy
+ )
+ >=x11-apps/xinit-1.3
+ systemd? (
+ sys-apps/dbus
+ sys-apps/systemd
+ )"
+
+DEPEND="${CDEPEND}
+ sys-devel/flex
+ >=x11-proto/bigreqsproto-1.1.0
+ >=x11-proto/compositeproto-0.4
+ >=x11-proto/damageproto-1.1
+ >=x11-proto/fixesproto-5.0
+ >=x11-proto/fontsproto-2.1.3
+ >=x11-proto/glproto-1.4.17-r1
+ >=x11-proto/inputproto-2.2.99.1
+ >=x11-proto/kbproto-1.0.3
+ >=x11-proto/randrproto-1.4.0
+ >=x11-proto/recordproto-1.13.99.1
+ >=x11-proto/renderproto-0.11
+ >=x11-proto/resourceproto-1.2.0
+ >=x11-proto/scrnsaverproto-1.1
+ >=x11-proto/trapproto-3.4.3
+ >=x11-proto/videoproto-2.2.2
+ >=x11-proto/xcmiscproto-1.2.0
+ >=x11-proto/xextproto-7.2.99.901
+ >=x11-proto/xf86dgaproto-2.0.99.1
+ >=x11-proto/xf86rushproto-1.1.2
+ >=x11-proto/xf86vidmodeproto-2.2.99.1
+ >=x11-proto/xineramaproto-1.1.3
+ >=x11-proto/xproto-7.0.26
+ >=x11-proto/presentproto-1.0
+ >=x11-proto/dri3proto-1.0
+ dmx? (
+ >=x11-proto/dmxproto-2.2.99.1
+ doc? (
+ || (
+ www-client/links
+ www-client/lynx
+ www-client/w3m
+ )
+ )
+ )
+ !minimal? (
+ >=x11-proto/xf86driproto-2.1.0
+ >=x11-proto/dri2proto-2.8
+ )"
+
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-xserver )
+"
+
+PDEPEND="
+ xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )"
+
+REQUIRED_USE="!minimal? (
+ || ( ${IUSE_SERVERS} )
+ )"
+
+#UPSTREAMED_PATCHES=(
+# "${WORKDIR}/patches/"
+#)
+
+PATCHES=(
+ "${UPSTREAMED_PATCHES[@]}"
+ "${FILESDIR}"/${PN}-1.12-ia64-fix_inx_outx.patch
+ "${FILESDIR}"/${PN}-1.12-unloadsubmodule.patch
+ # needed for new eselect-opengl, bug #541232
+ "${FILESDIR}"/${PN}-1.17-support-multiple-Files-sections.patch
+ "${FILESDIR}"/${PN}-1.17-cve-2015-3164-1.patch
+ "${FILESDIR}"/${PN}-1.17-cve-2015-3164-2.patch
+ "${FILESDIR}"/${PN}-1.17-cve-2015-3164-3.patch
+)
+
+pkg_pretend() {
+ # older gcc is not supported
+ [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \
+ die "Sorry, but gcc earlier than 4.0 will not work for xorg-server."
+}
+
+src_configure() {
+ # localstatedir is used for the log location; we need to override the default
+ # from ebuild.sh
+ # sysconfdir is used for the xorg.conf location; same applies
+ # NOTE: fop is used for doc generating ; and i have no idea if gentoo
+ # package it somewhere
+ XORG_CONFIGURE_OPTIONS=(
+ $(use_enable ipv6)
+ $(use_enable dmx)
+ $(use_enable glamor)
+ $(use_enable kdrive)
+ $(use_enable kdrive kdrive-kbd)
+ $(use_enable kdrive kdrive-mouse)
+ $(use_enable kdrive kdrive-evdev)
+ $(use_enable suid install-setuid)
+ $(use_enable tslib)
+ $(use_enable unwind libunwind)
+ $(use_enable wayland xwayland)
+ $(use_enable !minimal record)
+ $(use_enable !minimal xfree86-utils)
+ $(use_enable !minimal install-libxf86config)
+ $(use_enable !minimal dri)
+ $(use_enable !minimal dri2)
+ $(use_enable !minimal glx)
+ $(use_enable xnest)
+ $(use_enable xorg)
+ $(use_enable xvfb)
+ $(use_enable nptl glx-tls)
+ $(use_enable udev config-udev)
+ $(use_with doc doxygen)
+ $(use_with doc xmlto)
+ $(use_with systemd systemd-daemon)
+ $(use_enable systemd systemd-logind)
+ --enable-libdrm
+ --sysconfdir="${EPREFIX}"/etc/X11
+ --localstatedir="${EPREFIX}"/var
+ --with-fontrootdir="${EPREFIX}"/usr/share/fonts
+ --with-xkb-output="${EPREFIX}"/var/lib/xkb
+ --disable-config-hal
+ --disable-linux-acpi
+ --without-dtrace
+ --without-fop
+ --with-os-vendor=Gentoo
+ --with-sha1=libcrypto
+ )
+
+ xorg-2_src_configure
+}
+
+src_install() {
+ xorg-2_src_install
+
+ server_based_install
+
+ if ! use minimal && use xorg; then
+ # Install xorg.conf.example into docs
+ dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example
+ fi
+
+ newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup
+ newinitd "${FILESDIR}"/xdm.initd-11 xdm
+ newconfd "${FILESDIR}"/xdm.confd-4 xdm
+
+ # install the @x11-module-rebuild set for Portage
+ insinto /usr/share/portage/config/sets
+ newins "${FILESDIR}"/xorg-sets.conf xorg.conf
+}
+
+pkg_postinst() {
+ # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install)
+ eselect opengl set xorg-x11 --use-old
+}
+
+pkg_postrm() {
+ # Get rid of module dir to ensure opengl-update works properly
+ if [[ -z ${REPLACED_BY_VERSION} && -e ${EROOT}/usr/$(get_libdir)/xorg/modules ]]; then
+ rm -rf "${EROOT}"/usr/$(get_libdir)/xorg/modules
+ fi
+}
+
+server_based_install() {
+ if ! use xorg; then
+ rm "${ED}"/usr/share/man/man1/Xserver.1x \
+ "${ED}"/usr/$(get_libdir)/xserver/SecurityPolicy \
+ "${ED}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \
+ "${ED}"/usr/share/man/man1/Xserver.1x
+ fi
+}