x11-base/xorg-server: add patches for CVE-2015-3164
authorChí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
Thu, 3 Sep 2015 15:56:58 +0000 (17:56 +0200)
committerChí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
Thu, 3 Sep 2015 15:56:58 +0000 (17:56 +0200)
Bug: https://bugs.gentoo.org/show_bug.cgi?id=551680

Package-Manager: portage-2.2.20.1

x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch [new file with mode: 0644]
x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch [new file with mode: 0644]
x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch [new file with mode: 0644]
x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild [new file with mode: 0644]
x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild [new file with mode: 0644]

diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch
new file mode 100644 (file)
index 0000000..a9f8030
--- /dev/null
@@ -0,0 +1,33 @@
+From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:42 -0400
+Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3]
+
+Xwayland currently allows wide-open access to the X sockets
+it listens on, ignoring Xauth access control.
+
+This commit makes sure to enable access control on the sockets,
+so one user can't snoop on another user's X-over-wayland
+applications.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index 7e8d667..c5bee77 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
+     int i;
+     for (i = 0; i < xwl_screen->listen_fd_count; i++)
+-        ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
++        ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
+ }
+ static void
+-- 
+cgit v0.10.2
+
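Review bot: The bare `FALSE` passed to ListenOnOpenFD() in listen_on_fds() gives no hint that it is the security-relevant argument; going by the commit message, it decides whether Xauth access control applies to the inherited sockets. A short comment above the call would keep a later cleanup from flipping it back, for example `/* FALSE: keep Xauth access control on the inherited listen fds (CVE-2015-3164) */`. The start of listen_on_fds() is outside the hunk.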
diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch
new file mode 100644 (file)
index 0000000..47b323f
--- /dev/null
@@ -0,0 +1,246 @@
+From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:43 -0400
+Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3]
+
+If the X server is started without a '-auth' argument, then
+it gets started wide open to all local users on the system.
+
+This isn't a great default access model, but changing it in
+Xorg at this point would break backward compatibility.
+
+Xwayland, on the other hand is new, and much more targeted
+in scope.  It could, in theory, be changed to allow the much
+more secure default of a "user who started X server can connect
+clients to that server."
+
+This commit paves the way for that change, by adding a mechanism
+for DDXs to opt-in to that behavior.  They merely need to call
+
+LocalAccessScopeUser()
+
+in their init functions.
+
+A subsequent commit will add that call for Xwayland.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/include/os.h b/include/os.h
+index 6638c84..b2b96c8 100644
+--- a/include/os.h
++++ b/include/os.h
+@@ -431,11 +431,28 @@ extern _X_EXPORT void
+ ResetHosts(const char *display);
+ extern _X_EXPORT void
++EnableLocalAccess(void);
++
++extern _X_EXPORT void
++DisableLocalAccess(void);
++
++extern _X_EXPORT void
+ EnableLocalHost(void);
+ extern _X_EXPORT void
+ DisableLocalHost(void);
++#ifndef NO_LOCAL_CLIENT_CRED
++extern _X_EXPORT void
++EnableLocalUser(void);
++
++extern _X_EXPORT void
++DisableLocalUser(void);
++
++extern _X_EXPORT void
++LocalAccessScopeUser(void);
++#endif
++
+ extern _X_EXPORT void
+ AccessUsingXdmcp(void);
+diff --git a/os/access.c b/os/access.c
+index 8fa028e..75e7a69 100644
+--- a/os/access.c
++++ b/os/access.c
+@@ -102,6 +102,10 @@ SOFTWARE.
+ #include <sys/ioctl.h>
+ #include <ctype.h>
++#ifndef NO_LOCAL_CLIENT_CRED
++#include <pwd.h>
++#endif
++
+ #if defined(TCPCONN) || defined(STREAMSCONN)
+ #include <netinet/in.h>
+ #endif                          /* TCPCONN || STREAMSCONN */
+@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
+ static int LocalHostRequested = FALSE;
+ static int UsingXdmcp = FALSE;
++static enum {
++    LOCAL_ACCESS_SCOPE_HOST = 0,
++#ifndef NO_LOCAL_CLIENT_CRED
++    LOCAL_ACCESS_SCOPE_USER,
++#endif
++} LocalAccessScope;
++
+ /* FamilyServerInterpreted implementation */
+ static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
+                         ClientPtr client);
+@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
+  */
+ void
++EnableLocalAccess(void)
++{
++    switch (LocalAccessScope) {
++        case LOCAL_ACCESS_SCOPE_HOST:
++            EnableLocalHost();
++            break;
++#ifndef NO_LOCAL_CLIENT_CRED
++        case LOCAL_ACCESS_SCOPE_USER:
++            EnableLocalUser();
++            break;
++#endif
++    }
++}
++
++void
+ EnableLocalHost(void)
+ {
+     if (!UsingXdmcp) {
+@@ -249,6 +275,21 @@ EnableLocalHost(void)
+  * called when authorization is enabled to keep us secure
+  */
+ void
++DisableLocalAccess(void)
++{
++    switch (LocalAccessScope) {
++        case LOCAL_ACCESS_SCOPE_HOST:
++            DisableLocalHost();
++            break;
++#ifndef NO_LOCAL_CLIENT_CRED
++        case LOCAL_ACCESS_SCOPE_USER:
++            DisableLocalUser();
++            break;
++#endif
++    }
++}
++
++void
+ DisableLocalHost(void)
+ {
+     HOST *self;
+@@ -262,6 +303,74 @@ DisableLocalHost(void)
+     }
+ }
++#ifndef NO_LOCAL_CLIENT_CRED
++static int GetLocalUserAddr(char **addr)
++{
++    static const char *type = "localuser";
++    static const char delimiter = '\0';
++    static const char *value;
++    struct passwd *pw;
++    int length = -1;
++
++    pw = getpwuid(getuid());
++
++    if (pw == NULL || pw->pw_name == NULL)
++        goto out;
++
++    value = pw->pw_name;
++
++    length = asprintf(addr, "%s%c%s", type, delimiter, value);
++
++    if (length == -1) {
++        goto out;
++    }
++
++    /* Trailing NUL */
++    length++;
++
++out:
++    return length;
++}
++
++void
++EnableLocalUser(void)
++{
++    char *addr = NULL;
++    int length = -1;
++
++    length = GetLocalUserAddr(&addr);
++
++    if (length == -1)
++        return;
++
++    NewHost(FamilyServerInterpreted, addr, length, TRUE);
++
++    free(addr);
++}
++
++void
++DisableLocalUser(void)
++{
++    char *addr = NULL;
++    int length = -1;
++
++    length = GetLocalUserAddr(&addr);
++
++    if (length == -1)
++        return;
++
++    RemoveHost(NULL, FamilyServerInterpreted, length, addr);
++
++    free(addr);
++}
++
++void
++LocalAccessScopeUser(void)
++{
++    LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
++}
++#endif
++
+ /*
+  * called at init time when XDMCP will be used; xdmcp always
+  * adds local hosts manually when needed
+diff --git a/os/auth.c b/os/auth.c
+index 5fcb538..7da6fc6 100644
+--- a/os/auth.c
++++ b/os/auth.c
+@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
+         /*
+          * If the authorization file has at least one entry for this server,
+-         * disable local host access. (loadauth > 0)
++         * disable local access. (loadauth > 0)
+          *
+          * If there are zero entries (either initially or when the
+          * authorization file is later reloaded), or if a valid
+-         * authorization file was never loaded, enable local host access.
++         * authorization file was never loaded, enable local access.
+          * (loadauth == 0 || !loaded)
+          *
+          * If the authorization file was loaded initially (with valid
+@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
+          */
+         if (loadauth > 0) {
+-            DisableLocalHost(); /* got at least one */
++            DisableLocalAccess(); /* got at least one */
+             loaded = TRUE;
+         }
+         else if (loadauth == 0 || !loaded)
+-            EnableLocalHost();
++            EnableLocalAccess();
+     }
+     if (name_length) {
+         for (i = 0; i < NUM_AUTHORIZATION; i++) {
+-- 
+cgit v0.10.2
+
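Review bot: EnableLocalUser() and DisableLocalUser() in os/access.c both return without a trace when GetLocalUserAddr() yields -1, so a failed getpwuid() or asprintf() leaves the access list as it was and nothing is logged. In DisableLocalUser() that means the localuser entry can stay in place after an authorization file has been loaded, and in EnableLocalUser() a failure of NewHost() is not reported either. I would log the failure in both, e.g. `if (length == -1) { ErrorF("cannot build localuser address, access list unchanged\n"); return; }`. Separately, `static const char *value;` in GetLocalUserAddr() has no reason to be static, since it is reassigned on every call; a plain local `const char *value` is enough.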
diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch
new file mode 100644 (file)
index 0000000..7e8f173
--- /dev/null
@@ -0,0 +1,34 @@
+From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:44 -0400
+Subject: xwayland: default to local user if no xauth file given.
+ [CVE-2015-3164 3/3]
+
+Right now if "-auth" isn't passed on the command line, we let
+any user on the system connect to the Xwayland server.
+
+That's clearly suboptimal, given Xwayland is generally designed
+to be used by one user at a time.
+
+This commit changes the behavior, so only the user who started the
+X server can connect clients to it.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index c5bee77..bc92beb 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
+     if (AddScreen(xwl_screen_init, argc, argv) == -1) {
+         FatalError("Couldn't add screen\n");
+     }
++
++    LocalAccessScopeUser();
+ }
+-- 
+cgit v0.10.2
+
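Review bot: The new `LocalAccessScopeUser();` call at the end of InitOutput() is unconditional, while patch 2/3 declares and defines that function only under `#ifndef NO_LOCAL_CLIENT_CRED`, so a build with that macro defined would not compile or link here. Silently skipping the call would bring back the host-wide default, so I would rather fail the build explicitly: `#ifdef NO_LOCAL_CLIENT_CRED` / `#error "Xwayland needs local client credentials for per-user access"` / `#endif`. The scope also has to be set before the first CheckAuthorization() run, otherwise EnableLocalAccess() would already have taken the host branch; that ordering cannot be confirmed from this hunk, and a comment stating it would help. The start of InitOutput() is outside the hunk.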
diff --git a/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild b/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild
new file mode 100644 (file)
index 0000000..58c70e0
--- /dev/null
@@ -0,0 +1,261 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+XORG_DOC=doc
+inherit xorg-2 multilib versionator flag-o-matic
+EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver"
+
+DESCRIPTION="X.Org X servers"
+SLOT="0/1.16.1"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux"
+
+IUSE_SERVERS="dmx kdrive xnest xorg xvfb"
+IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland"
+
+CDEPEND=">=app-eselect/eselect-opengl-1.0.8
+       !>=app-eselect/eselect-opengl-1.3.0
+       dev-libs/openssl
+       media-libs/freetype
+       >=x11-apps/iceauth-1.0.2
+       >=x11-apps/rgb-1.0.3
+       >=x11-apps/xauth-1.0.3
+       x11-apps/xkbcomp
+       >=x11-libs/libdrm-2.4.20
+       >=x11-libs/libpciaccess-0.12.901
+       >=x11-libs/libXau-1.0.4
+       >=x11-libs/libXdmcp-1.0.2
+       >=x11-libs/libXfont-1.4.2
+       >=x11-libs/libxkbfile-1.0.4
+       >=x11-libs/libxshmfence-1.1
+       >=x11-libs/pixman-0.27.2
+       >=x11-libs/xtrans-1.3.3
+       >=x11-misc/xbitmaps-1.0.1
+       >=x11-misc/xkeyboard-config-2.4.1-r3
+       dmx? (
+               x11-libs/libXt
+               >=x11-libs/libdmx-1.0.99.1
+               >=x11-libs/libX11-1.1.5
+               >=x11-libs/libXaw-1.0.4
+               >=x11-libs/libXext-1.0.99.4
+               >=x11-libs/libXfixes-5.0
+               >=x11-libs/libXi-1.2.99.1
+               >=x11-libs/libXmu-1.0.3
+               x11-libs/libXrender
+               >=x11-libs/libXres-1.0.3
+               >=x11-libs/libXtst-1.0.99.2
+       )
+       glamor? (
+               media-libs/libepoxy
+               media-libs/mesa[egl,gbm]
+               !x11-libs/glamor
+       )
+       kdrive? (
+               >=x11-libs/libXext-1.0.5
+               x11-libs/libXv
+       )
+       !minimal? (
+               >=x11-libs/libX11-1.1.5
+               >=x11-libs/libXext-1.0.5
+               >=media-libs/mesa-9.2.0[nptl=]
+       )
+       tslib? ( >=x11-libs/tslib-1.0 )
+       udev? ( >=virtual/udev-150 )
+       unwind? ( sys-libs/libunwind )
+       wayland? (
+               >=dev-libs/wayland-1.3.0
+               media-libs/libepoxy
+       )
+       >=x11-apps/xinit-1.3
+       systemd? (
+               sys-apps/dbus
+               sys-apps/systemd
+       )"
+
+DEPEND="${CDEPEND}
+       sys-devel/flex
+       >=x11-proto/bigreqsproto-1.1.0
+       >=x11-proto/compositeproto-0.4
+       >=x11-proto/damageproto-1.1
+       >=x11-proto/fixesproto-5.0
+       >=x11-proto/fontsproto-2.1.3
+       >=x11-proto/glproto-1.4.17
+       >=x11-proto/inputproto-2.2.99.1
+       >=x11-proto/kbproto-1.0.3
+       >=x11-proto/randrproto-1.4.0
+       >=x11-proto/recordproto-1.13.99.1
+       >=x11-proto/renderproto-0.11
+       >=x11-proto/resourceproto-1.2.0
+       >=x11-proto/scrnsaverproto-1.1
+       >=x11-proto/trapproto-3.4.3
+       >=x11-proto/videoproto-2.2.2
+       >=x11-proto/xcmiscproto-1.2.0
+       >=x11-proto/xextproto-7.2.99.901
+       >=x11-proto/xf86dgaproto-2.0.99.1
+       >=x11-proto/xf86rushproto-1.1.2
+       >=x11-proto/xf86vidmodeproto-2.2.99.1
+       >=x11-proto/xineramaproto-1.1.3
+       >=x11-proto/xproto-7.0.26
+       >=x11-proto/presentproto-1.0
+       >=x11-proto/dri3proto-1.0
+       dmx? (
+               >=x11-proto/dmxproto-2.2.99.1
+               doc? (
+                       || (
+                               www-client/links
+                               www-client/lynx
+                               www-client/w3m
+                       )
+               )
+       )
+       !minimal? (
+               >=x11-proto/xf86driproto-2.1.0
+               >=x11-proto/dri2proto-2.8
+       )"
+
+RDEPEND="${CDEPEND}
+       selinux? ( sec-policy/selinux-xserver )
+"
+
+PDEPEND="
+       xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )"
+
+REQUIRED_USE="!minimal? (
+               || ( ${IUSE_SERVERS} )
+       )"
+
+#UPSTREAMED_PATCHES=(
+#      "${WORKDIR}/patches/"
+#)
+
+PATCHES=(
+       "${UPSTREAMED_PATCHES[@]}"
+       "${FILESDIR}"/${PN}-1.12-ia64-fix_inx_outx.patch
+       "${FILESDIR}"/${PN}-1.12-unloadsubmodule.patch
+       "${FILESDIR}"/${PN}-1.17-cve-2015-3164-1.patch
+       "${FILESDIR}"/${PN}-1.17-cve-2015-3164-2.patch
+       "${FILESDIR}"/${PN}-1.17-cve-2015-3164-3.patch
+)
+
+pkg_pretend() {
+       # older gcc is not supported
+       [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \
+               die "Sorry, but gcc earlier than 4.0 will not work for xorg-server."
+}
+
+src_configure() {
+       # localstatedir is used for the log location; we need to override the default
+       #       from ebuild.sh
+       # sysconfdir is used for the xorg.conf location; same applies
+       # NOTE: fop is used for doc generating ; and i have no idea if gentoo
+       #       package it somewhere
+       XORG_CONFIGURE_OPTIONS=(
+               $(use_enable ipv6)
+               $(use_enable dmx)
+               $(use_enable glamor)
+               $(use_enable kdrive)
+               $(use_enable kdrive kdrive-kbd)
+               $(use_enable kdrive kdrive-mouse)
+               $(use_enable kdrive kdrive-evdev)
+               $(use_enable suid install-setuid)
+               $(use_enable tslib)
+               $(use_enable unwind libunwind)
+               $(use_enable wayland xwayland)
+               $(use_enable !minimal record)
+               $(use_enable !minimal xfree86-utils)
+               $(use_enable !minimal install-libxf86config)
+               $(use_enable !minimal dri)
+               $(use_enable !minimal dri2)
+               $(use_enable !minimal glx)
+               $(use_enable xnest)
+               $(use_enable xorg)
+               $(use_enable xvfb)
+               $(use_enable nptl glx-tls)
+               $(use_enable udev config-udev)
+               $(use_with doc doxygen)
+               $(use_with doc xmlto)
+               $(use_with systemd systemd-daemon)
+               $(use_enable systemd systemd-logind)
+               --enable-libdrm
+               --sysconfdir="${EPREFIX}"/etc/X11
+               --localstatedir="${EPREFIX}"/var
+               --with-fontrootdir="${EPREFIX}"/usr/share/fonts
+               --with-xkb-output="${EPREFIX}"/var/lib/xkb
+               --disable-config-hal
+               --disable-linux-acpi
+               --without-dtrace
+               --without-fop
+               --with-os-vendor=Gentoo
+               --with-sha1=libcrypto
+       )
+
+       # Xorg-server requires includes from OS mesa which are not visible for
+       # users of binary drivers.
+       mkdir -p "${T}/mesa-symlinks/GL"
+       for i in gl glx glxmd glxproto glxtokens; do
+               ln -s "${EROOT}usr/$(get_libdir)/opengl/xorg-x11/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die
+       done
+       for i in glext glxext; do
+               ln -s "${EROOT}usr/$(get_libdir)/opengl/global/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die
+       done
+       append-cppflags "-I${T}/mesa-symlinks"
+
+       xorg-2_src_configure
+}
+
+src_install() {
+       xorg-2_src_install
+
+       dynamic_libgl_install
+
+       server_based_install
+
+       if ! use minimal &&     use xorg; then
+               # Install xorg.conf.example into docs
+               dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example
+       fi
+
+       newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup
+       newinitd "${FILESDIR}"/xdm.initd-11 xdm
+       newconfd "${FILESDIR}"/xdm.confd-4 xdm
+
+       # install the @x11-module-rebuild set for Portage
+       insinto /usr/share/portage/config/sets
+       newins "${FILESDIR}"/xorg-sets.conf xorg.conf
+}
+
+pkg_postinst() {
+       # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install)
+       eselect opengl set xorg-x11 --use-old
+}
+
+pkg_postrm() {
+       # Get rid of module dir to ensure opengl-update works properly
+       if [[ -z ${REPLACED_BY_VERSION} && -e ${EROOT}/usr/$(get_libdir)/xorg/modules ]]; then
+               rm -rf "${EROOT}"/usr/$(get_libdir)/xorg/modules
+       fi
+}
+
+dynamic_libgl_install() {
+       # next section is to setup the dynamic libGL stuff
+       ebegin "Moving GL files for dynamic switching"
+               dodir /usr/$(get_libdir)/opengl/xorg-x11/extensions
+               local x=""
+               for x in "${ED}"/usr/$(get_libdir)/xorg/modules/extensions/lib{glx,dri,dri2}*; do
+                       if [ -f ${x} -o -L ${x} ]; then
+                               mv -f ${x} "${ED}"/usr/$(get_libdir)/opengl/xorg-x11/extensions
+                       fi
+               done
+       eend 0
+}
+
+server_based_install() {
+       if ! use xorg; then
+               rm "${ED}"/usr/share/man/man1/Xserver.1x \
+                       "${ED}"/usr/$(get_libdir)/xserver/SecurityPolicy \
+                       "${ED}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \
+                       "${ED}"/usr/share/man/man1/Xserver.1x
+       fi
+}
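Review bot: server_based_install() lists `"${ED}"/usr/share/man/man1/Xserver.1x` twice in its `rm` call, and neither that `rm` nor the `mv -f ${x}` in dynamic_libgl_install() is checked, unlike the `ln -s ... || die` lines in src_configure(). A failed move therefore passes unnoticed, and `eend 0` reports success regardless. I would drop the duplicate path, quote the loop variable and check the move, e.g. `mv -f "${x}" "${ED}"/usr/$(get_libdir)/opengl/xorg-x11/extensions || die`. The same server_based_install() body is repeated in xorg-server-1.16.4-r4.ebuild.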
diff --git a/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild b/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild
new file mode 100644 (file)
index 0000000..1ec0222
--- /dev/null
@@ -0,0 +1,236 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+XORG_DOC=doc
+inherit xorg-2 multilib versionator flag-o-matic
+EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver"
+
+DESCRIPTION="X.Org X servers"
+SLOT="0/1.16.1"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux"
+
+IUSE_SERVERS="dmx kdrive xnest xorg xvfb"
+IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland"
+
+CDEPEND=">=app-eselect/eselect-opengl-1.3.0
+       dev-libs/openssl
+       media-libs/freetype
+       >=x11-apps/iceauth-1.0.2
+       >=x11-apps/rgb-1.0.3
+       >=x11-apps/xauth-1.0.3
+       x11-apps/xkbcomp
+       >=x11-libs/libdrm-2.4.20
+       >=x11-libs/libpciaccess-0.12.901
+       >=x11-libs/libXau-1.0.4
+       >=x11-libs/libXdmcp-1.0.2
+       >=x11-libs/libXfont-1.4.2
+       >=x11-libs/libxkbfile-1.0.4
+       >=x11-libs/libxshmfence-1.1
+       >=x11-libs/pixman-0.27.2
+       >=x11-libs/xtrans-1.3.3
+       >=x11-misc/xbitmaps-1.0.1
+       >=x11-misc/xkeyboard-config-2.4.1-r3
+       dmx? (
+               x11-libs/libXt
+               >=x11-libs/libdmx-1.0.99.1
+               >=x11-libs/libX11-1.1.5
+               >=x11-libs/libXaw-1.0.4
+               >=x11-libs/libXext-1.0.99.4
+               >=x11-libs/libXfixes-5.0
+               >=x11-libs/libXi-1.2.99.1
+               >=x11-libs/libXmu-1.0.3
+               x11-libs/libXrender
+               >=x11-libs/libXres-1.0.3
+               >=x11-libs/libXtst-1.0.99.2
+       )
+       glamor? (
+               media-libs/libepoxy
+               >=media-libs/mesa-10.3.4-r1[egl,gbm]
+               !x11-libs/glamor
+       )
+       kdrive? (
+               >=x11-libs/libXext-1.0.5
+               x11-libs/libXv
+       )
+       !minimal? (
+               >=x11-libs/libX11-1.1.5
+               >=x11-libs/libXext-1.0.5
+               >=media-libs/mesa-10.3.4-r1[nptl=]
+       )
+       tslib? ( >=x11-libs/tslib-1.0 )
+       udev? ( >=virtual/udev-150 )
+       unwind? ( sys-libs/libunwind )
+       wayland? (
+               >=dev-libs/wayland-1.3.0
+               media-libs/libepoxy
+       )
+       >=x11-apps/xinit-1.3
+       systemd? (
+               sys-apps/dbus
+               sys-apps/systemd
+       )"
+
+DEPEND="${CDEPEND}
+       sys-devel/flex
+       >=x11-proto/bigreqsproto-1.1.0
+       >=x11-proto/compositeproto-0.4
+       >=x11-proto/damageproto-1.1
+       >=x11-proto/fixesproto-5.0
+       >=x11-proto/fontsproto-2.1.3
+       >=x11-proto/glproto-1.4.17-r1
+       >=x11-proto/inputproto-2.2.99.1
+       >=x11-proto/kbproto-1.0.3
+       >=x11-proto/randrproto-1.4.0
+       >=x11-proto/recordproto-1.13.99.1
+       >=x11-proto/renderproto-0.11
+       >=x11-proto/resourceproto-1.2.0
+       >=x11-proto/scrnsaverproto-1.1
+       >=x11-proto/trapproto-3.4.3
+       >=x11-proto/videoproto-2.2.2
+       >=x11-proto/xcmiscproto-1.2.0
+       >=x11-proto/xextproto-7.2.99.901
+       >=x11-proto/xf86dgaproto-2.0.99.1
+       >=x11-proto/xf86rushproto-1.1.2
+       >=x11-proto/xf86vidmodeproto-2.2.99.1
+       >=x11-proto/xineramaproto-1.1.3
+       >=x11-proto/xproto-7.0.26
+       >=x11-proto/presentproto-1.0
+       >=x11-proto/dri3proto-1.0
+       dmx? (
+               >=x11-proto/dmxproto-2.2.99.1
+               doc? (
+                       || (
+                               www-client/links
+                               www-client/lynx
+                               www-client/w3m
+                       )
+               )
+       )
+       !minimal? (
+               >=x11-proto/xf86driproto-2.1.0
+               >=x11-proto/dri2proto-2.8
+       )"
+
+RDEPEND="${CDEPEND}
+       selinux? ( sec-policy/selinux-xserver )
+"
+
+PDEPEND="
+       xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )"
+
+REQUIRED_USE="!minimal? (
+               || ( ${IUSE_SERVERS} )
+       )"
+
+#UPSTREAMED_PATCHES=(
+#      "${WORKDIR}/patches/"
+#)
+
+PATCHES=(
+       "${UPSTREAMED_PATCHES[@]}"
+       "${FILESDIR}"/${PN}-1.12-ia64-fix_inx_outx.patch
+       "${FILESDIR}"/${PN}-1.12-unloadsubmodule.patch
+       # needed for new eselect-opengl, bug #541232
+       "${FILESDIR}"/${PN}-1.17-support-multiple-Files-sections.patch
+       "${FILESDIR}"/${PN}-1.17-cve-2015-3164-1.patch
+       "${FILESDIR}"/${PN}-1.17-cve-2015-3164-2.patch
+       "${FILESDIR}"/${PN}-1.17-cve-2015-3164-3.patch
+)
+
+pkg_pretend() {
+       # older gcc is not supported
+       [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \
+               die "Sorry, but gcc earlier than 4.0 will not work for xorg-server."
+}
+
+src_configure() {
+       # localstatedir is used for the log location; we need to override the default
+       #       from ebuild.sh
+       # sysconfdir is used for the xorg.conf location; same applies
+       # NOTE: fop is used for doc generating ; and i have no idea if gentoo
+       #       package it somewhere
+       XORG_CONFIGURE_OPTIONS=(
+               $(use_enable ipv6)
+               $(use_enable dmx)
+               $(use_enable glamor)
+               $(use_enable kdrive)
+               $(use_enable kdrive kdrive-kbd)
+               $(use_enable kdrive kdrive-mouse)
+               $(use_enable kdrive kdrive-evdev)
+               $(use_enable suid install-setuid)
+               $(use_enable tslib)
+               $(use_enable unwind libunwind)
+               $(use_enable wayland xwayland)
+               $(use_enable !minimal record)
+               $(use_enable !minimal xfree86-utils)
+               $(use_enable !minimal install-libxf86config)
+               $(use_enable !minimal dri)
+               $(use_enable !minimal dri2)
+               $(use_enable !minimal glx)
+               $(use_enable xnest)
+               $(use_enable xorg)
+               $(use_enable xvfb)
+               $(use_enable nptl glx-tls)
+               $(use_enable udev config-udev)
+               $(use_with doc doxygen)
+               $(use_with doc xmlto)
+               $(use_with systemd systemd-daemon)
+               $(use_enable systemd systemd-logind)
+               --enable-libdrm
+               --sysconfdir="${EPREFIX}"/etc/X11
+               --localstatedir="${EPREFIX}"/var
+               --with-fontrootdir="${EPREFIX}"/usr/share/fonts
+               --with-xkb-output="${EPREFIX}"/var/lib/xkb
+               --disable-config-hal
+               --disable-linux-acpi
+               --without-dtrace
+               --without-fop
+               --with-os-vendor=Gentoo
+               --with-sha1=libcrypto
+       )
+
+       xorg-2_src_configure
+}
+
+src_install() {
+       xorg-2_src_install
+
+       server_based_install
+
+       if ! use minimal &&     use xorg; then
+               # Install xorg.conf.example into docs
+               dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example
+       fi
+
+       newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup
+       newinitd "${FILESDIR}"/xdm.initd-11 xdm
+       newconfd "${FILESDIR}"/xdm.confd-4 xdm
+
+       # install the @x11-module-rebuild set for Portage
+       insinto /usr/share/portage/config/sets
+       newins "${FILESDIR}"/xorg-sets.conf xorg.conf
+}
+
+pkg_postinst() {
+       # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install)
+       eselect opengl set xorg-x11 --use-old
+}
+
+pkg_postrm() {
+       # Get rid of module dir to ensure opengl-update works properly
+       if [[ -z ${REPLACED_BY_VERSION} && -e ${EROOT}/usr/$(get_libdir)/xorg/modules ]]; then
+               rm -rf "${EROOT}"/usr/$(get_libdir)/xorg/modules
+       fi
+}
+
+server_based_install() {
+       if ! use xorg; then
+               rm "${ED}"/usr/share/man/man1/Xserver.1x \
+                       "${ED}"/usr/$(get_libdir)/xserver/SecurityPolicy \
+                       "${ED}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \
+                       "${ED}"/usr/share/man/man1/Xserver.1x
+       fi
+}