From 9695eae2fcfd4e20f418a488729639dce3556376 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ch=C3=AD-Thanh=20Christopher=20Nguy=E1=BB=85n?= Date: Thu, 3 Sep 2015 17:56:58 +0200 Subject: [PATCH] x11-base/xorg-server: add patches for CVE-2015-3164 Bug: https://bugs.gentoo.org/show_bug.cgi?id=551680 Package-Manager: portage-2.2.20.1 --- .../xorg-server-1.17-cve-2015-3164-1.patch | 33 +++ .../xorg-server-1.17-cve-2015-3164-2.patch | 246 +++++++++++++++++ .../xorg-server-1.17-cve-2015-3164-3.patch | 34 +++ .../xorg-server/xorg-server-1.16.4-r3.ebuild | 261 ++++++++++++++++++ .../xorg-server/xorg-server-1.16.4-r4.ebuild | 236 ++++++++++++++++ 5 files changed, 810 insertions(+) create mode 100644 x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch create mode 100644 x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch create mode 100644 x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch create mode 100644 x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild create mode 100644 x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch new file mode 100644 index 000000000000..a9f803022703 --- /dev/null +++ b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-1.patch @@ -0,0 +1,33 @@ +From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 5 May 2015 16:43:42 -0400 +Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3] + +Xwayland currently allows wide-open access to the X sockets +it listens on, ignoring Xauth access control. + +This commit makes sure to enable access control on the sockets, +so one user can't snoop on another user's X-over-wayland +applications. + +Signed-off-by: Ray Strode +Reviewed-by: Daniel Stone +Reviewed-by: Alan Coopersmith +Signed-off-by: Keith Packard + +diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c +index 7e8d667..c5bee77 100644 +--- a/hw/xwayland/xwayland.c ++++ b/hw/xwayland/xwayland.c +@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen) + int i; + + for (i = 0; i < xwl_screen->listen_fd_count; i++) +- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE); ++ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE); + } + + static void +-- +cgit v0.10.2 + diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch new file mode 100644 index 000000000000..47b323f1ec8e --- /dev/null +++ b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-2.patch @@ -0,0 +1,246 @@ +From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 5 May 2015 16:43:43 -0400 +Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3] + +If the X server is started without a '-auth' argument, then +it gets started wide open to all local users on the system. + +This isn't a great default access model, but changing it in +Xorg at this point would break backward compatibility. + +Xwayland, on the other hand is new, and much more targeted +in scope. It could, in theory, be changed to allow the much +more secure default of a "user who started X server can connect +clients to that server." + +This commit paves the way for that change, by adding a mechanism +for DDXs to opt-in to that behavior. They merely need to call + +LocalAccessScopeUser() + +in their init functions. + +A subsequent commit will add that call for Xwayland. + +Signed-off-by: Ray Strode +Reviewed-by: Daniel Stone +Reviewed-by: Alan Coopersmith +Signed-off-by: Keith Packard + +diff --git a/include/os.h b/include/os.h +index 6638c84..b2b96c8 100644 +--- a/include/os.h ++++ b/include/os.h +@@ -431,11 +431,28 @@ extern _X_EXPORT void + ResetHosts(const char *display); + + extern _X_EXPORT void ++EnableLocalAccess(void); ++ ++extern _X_EXPORT void ++DisableLocalAccess(void); ++ ++extern _X_EXPORT void + EnableLocalHost(void); + + extern _X_EXPORT void + DisableLocalHost(void); + ++#ifndef NO_LOCAL_CLIENT_CRED ++extern _X_EXPORT void ++EnableLocalUser(void); ++ ++extern _X_EXPORT void ++DisableLocalUser(void); ++ ++extern _X_EXPORT void ++LocalAccessScopeUser(void); ++#endif ++ + extern _X_EXPORT void + AccessUsingXdmcp(void); + +diff --git a/os/access.c b/os/access.c +index 8fa028e..75e7a69 100644 +--- a/os/access.c ++++ b/os/access.c +@@ -102,6 +102,10 @@ SOFTWARE. + #include + #include + ++#ifndef NO_LOCAL_CLIENT_CRED ++#include ++#endif ++ + #if defined(TCPCONN) || defined(STREAMSCONN) + #include + #endif /* TCPCONN || STREAMSCONN */ +@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE; + static int LocalHostRequested = FALSE; + static int UsingXdmcp = FALSE; + ++static enum { ++ LOCAL_ACCESS_SCOPE_HOST = 0, ++#ifndef NO_LOCAL_CLIENT_CRED ++ LOCAL_ACCESS_SCOPE_USER, ++#endif ++} LocalAccessScope; ++ + /* FamilyServerInterpreted implementation */ + static Bool siAddrMatch(int family, void *addr, int len, HOST * host, + ClientPtr client); +@@ -237,6 +248,21 @@ static void siTypesInitialize(void); + */ + + void ++EnableLocalAccess(void) ++{ ++ switch (LocalAccessScope) { ++ case LOCAL_ACCESS_SCOPE_HOST: ++ EnableLocalHost(); ++ break; ++#ifndef NO_LOCAL_CLIENT_CRED ++ case LOCAL_ACCESS_SCOPE_USER: ++ EnableLocalUser(); ++ break; ++#endif ++ } ++} ++ ++void + EnableLocalHost(void) + { + if (!UsingXdmcp) { +@@ -249,6 +275,21 @@ EnableLocalHost(void) + * called when authorization is enabled to keep us secure + */ + void ++DisableLocalAccess(void) ++{ ++ switch (LocalAccessScope) { ++ case LOCAL_ACCESS_SCOPE_HOST: ++ DisableLocalHost(); ++ break; ++#ifndef NO_LOCAL_CLIENT_CRED ++ case LOCAL_ACCESS_SCOPE_USER: ++ DisableLocalUser(); ++ break; ++#endif ++ } ++} ++ ++void + DisableLocalHost(void) + { + HOST *self; +@@ -262,6 +303,74 @@ DisableLocalHost(void) + } + } + ++#ifndef NO_LOCAL_CLIENT_CRED ++static int GetLocalUserAddr(char **addr) ++{ ++ static const char *type = "localuser"; ++ static const char delimiter = '\0'; ++ static const char *value; ++ struct passwd *pw; ++ int length = -1; ++ ++ pw = getpwuid(getuid()); ++ ++ if (pw == NULL || pw->pw_name == NULL) ++ goto out; ++ ++ value = pw->pw_name; ++ ++ length = asprintf(addr, "%s%c%s", type, delimiter, value); ++ ++ if (length == -1) { ++ goto out; ++ } ++ ++ /* Trailing NUL */ ++ length++; ++ ++out: ++ return length; ++} ++ ++void ++EnableLocalUser(void) ++{ ++ char *addr = NULL; ++ int length = -1; ++ ++ length = GetLocalUserAddr(&addr); ++ ++ if (length == -1) ++ return; ++ ++ NewHost(FamilyServerInterpreted, addr, length, TRUE); ++ ++ free(addr); ++} ++ ++void ++DisableLocalUser(void) ++{ ++ char *addr = NULL; ++ int length = -1; ++ ++ length = GetLocalUserAddr(&addr); ++ ++ if (length == -1) ++ return; ++ ++ RemoveHost(NULL, FamilyServerInterpreted, length, addr); ++ ++ free(addr); ++} ++ ++void ++LocalAccessScopeUser(void) ++{ ++ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER; ++} ++#endif ++ + /* + * called at init time when XDMCP will be used; xdmcp always + * adds local hosts manually when needed +diff --git a/os/auth.c b/os/auth.c +index 5fcb538..7da6fc6 100644 +--- a/os/auth.c ++++ b/os/auth.c +@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length, + + /* + * If the authorization file has at least one entry for this server, +- * disable local host access. (loadauth > 0) ++ * disable local access. (loadauth > 0) + * + * If there are zero entries (either initially or when the + * authorization file is later reloaded), or if a valid +- * authorization file was never loaded, enable local host access. ++ * authorization file was never loaded, enable local access. + * (loadauth == 0 || !loaded) + * + * If the authorization file was loaded initially (with valid +@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length, + */ + + if (loadauth > 0) { +- DisableLocalHost(); /* got at least one */ ++ DisableLocalAccess(); /* got at least one */ + loaded = TRUE; + } + else if (loadauth == 0 || !loaded) +- EnableLocalHost(); ++ EnableLocalAccess(); + } + if (name_length) { + for (i = 0; i < NUM_AUTHORIZATION; i++) { +-- +cgit v0.10.2 + diff --git a/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch new file mode 100644 index 000000000000..7e8f173117ac --- /dev/null +++ b/x11-base/xorg-server/files/xorg-server-1.17-cve-2015-3164-3.patch @@ -0,0 +1,34 @@ +From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 5 May 2015 16:43:44 -0400 +Subject: xwayland: default to local user if no xauth file given. + [CVE-2015-3164 3/3] + +Right now if "-auth" isn't passed on the command line, we let +any user on the system connect to the Xwayland server. + +That's clearly suboptimal, given Xwayland is generally designed +to be used by one user at a time. + +This commit changes the behavior, so only the user who started the +X server can connect clients to it. + +Signed-off-by: Ray Strode +Reviewed-by: Daniel Stone +Reviewed-by: Alan Coopersmith +Signed-off-by: Keith Packard + +diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c +index c5bee77..bc92beb 100644 +--- a/hw/xwayland/xwayland.c ++++ b/hw/xwayland/xwayland.c +@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv) + if (AddScreen(xwl_screen_init, argc, argv) == -1) { + FatalError("Couldn't add screen\n"); + } ++ ++ LocalAccessScopeUser(); + } +-- +cgit v0.10.2 + diff --git a/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild b/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild new file mode 100644 index 000000000000..58c70e0256e8 --- /dev/null +++ b/x11-base/xorg-server/xorg-server-1.16.4-r3.ebuild @@ -0,0 +1,261 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +XORG_DOC=doc +inherit xorg-2 multilib versionator flag-o-matic +EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver" + +DESCRIPTION="X.Org X servers" +SLOT="0/1.16.1" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux" + +IUSE_SERVERS="dmx kdrive xnest xorg xvfb" +IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland" + +CDEPEND=">=app-eselect/eselect-opengl-1.0.8 + !>=app-eselect/eselect-opengl-1.3.0 + dev-libs/openssl + media-libs/freetype + >=x11-apps/iceauth-1.0.2 + >=x11-apps/rgb-1.0.3 + >=x11-apps/xauth-1.0.3 + x11-apps/xkbcomp + >=x11-libs/libdrm-2.4.20 + >=x11-libs/libpciaccess-0.12.901 + >=x11-libs/libXau-1.0.4 + >=x11-libs/libXdmcp-1.0.2 + >=x11-libs/libXfont-1.4.2 + >=x11-libs/libxkbfile-1.0.4 + >=x11-libs/libxshmfence-1.1 + >=x11-libs/pixman-0.27.2 + >=x11-libs/xtrans-1.3.3 + >=x11-misc/xbitmaps-1.0.1 + >=x11-misc/xkeyboard-config-2.4.1-r3 + dmx? ( + x11-libs/libXt + >=x11-libs/libdmx-1.0.99.1 + >=x11-libs/libX11-1.1.5 + >=x11-libs/libXaw-1.0.4 + >=x11-libs/libXext-1.0.99.4 + >=x11-libs/libXfixes-5.0 + >=x11-libs/libXi-1.2.99.1 + >=x11-libs/libXmu-1.0.3 + x11-libs/libXrender + >=x11-libs/libXres-1.0.3 + >=x11-libs/libXtst-1.0.99.2 + ) + glamor? ( + media-libs/libepoxy + media-libs/mesa[egl,gbm] + !x11-libs/glamor + ) + kdrive? ( + >=x11-libs/libXext-1.0.5 + x11-libs/libXv + ) + !minimal? ( + >=x11-libs/libX11-1.1.5 + >=x11-libs/libXext-1.0.5 + >=media-libs/mesa-9.2.0[nptl=] + ) + tslib? ( >=x11-libs/tslib-1.0 ) + udev? ( >=virtual/udev-150 ) + unwind? ( sys-libs/libunwind ) + wayland? ( + >=dev-libs/wayland-1.3.0 + media-libs/libepoxy + ) + >=x11-apps/xinit-1.3 + systemd? ( + sys-apps/dbus + sys-apps/systemd + )" + +DEPEND="${CDEPEND} + sys-devel/flex + >=x11-proto/bigreqsproto-1.1.0 + >=x11-proto/compositeproto-0.4 + >=x11-proto/damageproto-1.1 + >=x11-proto/fixesproto-5.0 + >=x11-proto/fontsproto-2.1.3 + >=x11-proto/glproto-1.4.17 + >=x11-proto/inputproto-2.2.99.1 + >=x11-proto/kbproto-1.0.3 + >=x11-proto/randrproto-1.4.0 + >=x11-proto/recordproto-1.13.99.1 + >=x11-proto/renderproto-0.11 + >=x11-proto/resourceproto-1.2.0 + >=x11-proto/scrnsaverproto-1.1 + >=x11-proto/trapproto-3.4.3 + >=x11-proto/videoproto-2.2.2 + >=x11-proto/xcmiscproto-1.2.0 + >=x11-proto/xextproto-7.2.99.901 + >=x11-proto/xf86dgaproto-2.0.99.1 + >=x11-proto/xf86rushproto-1.1.2 + >=x11-proto/xf86vidmodeproto-2.2.99.1 + >=x11-proto/xineramaproto-1.1.3 + >=x11-proto/xproto-7.0.26 + >=x11-proto/presentproto-1.0 + >=x11-proto/dri3proto-1.0 + dmx? ( + >=x11-proto/dmxproto-2.2.99.1 + doc? ( + || ( + www-client/links + www-client/lynx + www-client/w3m + ) + ) + ) + !minimal? ( + >=x11-proto/xf86driproto-2.1.0 + >=x11-proto/dri2proto-2.8 + )" + +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-xserver ) +" + +PDEPEND=" + xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )" + +REQUIRED_USE="!minimal? ( + || ( ${IUSE_SERVERS} ) + )" + +#UPSTREAMED_PATCHES=( +# "${WORKDIR}/patches/" +#) + +PATCHES=( + "${UPSTREAMED_PATCHES[@]}" + "${FILESDIR}"/${PN}-1.12-ia64-fix_inx_outx.patch + "${FILESDIR}"/${PN}-1.12-unloadsubmodule.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-3164-1.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-3164-2.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-3164-3.patch +) + +pkg_pretend() { + # older gcc is not supported + [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \ + die "Sorry, but gcc earlier than 4.0 will not work for xorg-server." +} + +src_configure() { + # localstatedir is used for the log location; we need to override the default + # from ebuild.sh + # sysconfdir is used for the xorg.conf location; same applies + # NOTE: fop is used for doc generating ; and i have no idea if gentoo + # package it somewhere + XORG_CONFIGURE_OPTIONS=( + $(use_enable ipv6) + $(use_enable dmx) + $(use_enable glamor) + $(use_enable kdrive) + $(use_enable kdrive kdrive-kbd) + $(use_enable kdrive kdrive-mouse) + $(use_enable kdrive kdrive-evdev) + $(use_enable suid install-setuid) + $(use_enable tslib) + $(use_enable unwind libunwind) + $(use_enable wayland xwayland) + $(use_enable !minimal record) + $(use_enable !minimal xfree86-utils) + $(use_enable !minimal install-libxf86config) + $(use_enable !minimal dri) + $(use_enable !minimal dri2) + $(use_enable !minimal glx) + $(use_enable xnest) + $(use_enable xorg) + $(use_enable xvfb) + $(use_enable nptl glx-tls) + $(use_enable udev config-udev) + $(use_with doc doxygen) + $(use_with doc xmlto) + $(use_with systemd systemd-daemon) + $(use_enable systemd systemd-logind) + --enable-libdrm + --sysconfdir="${EPREFIX}"/etc/X11 + --localstatedir="${EPREFIX}"/var + --with-fontrootdir="${EPREFIX}"/usr/share/fonts + --with-xkb-output="${EPREFIX}"/var/lib/xkb + --disable-config-hal + --disable-linux-acpi + --without-dtrace + --without-fop + --with-os-vendor=Gentoo + --with-sha1=libcrypto + ) + + # Xorg-server requires includes from OS mesa which are not visible for + # users of binary drivers. + mkdir -p "${T}/mesa-symlinks/GL" + for i in gl glx glxmd glxproto glxtokens; do + ln -s "${EROOT}usr/$(get_libdir)/opengl/xorg-x11/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die + done + for i in glext glxext; do + ln -s "${EROOT}usr/$(get_libdir)/opengl/global/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die + done + append-cppflags "-I${T}/mesa-symlinks" + + xorg-2_src_configure +} + +src_install() { + xorg-2_src_install + + dynamic_libgl_install + + server_based_install + + if ! use minimal && use xorg; then + # Install xorg.conf.example into docs + dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example + fi + + newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup + newinitd "${FILESDIR}"/xdm.initd-11 xdm + newconfd "${FILESDIR}"/xdm.confd-4 xdm + + # install the @x11-module-rebuild set for Portage + insinto /usr/share/portage/config/sets + newins "${FILESDIR}"/xorg-sets.conf xorg.conf +} + +pkg_postinst() { + # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install) + eselect opengl set xorg-x11 --use-old +} + +pkg_postrm() { + # Get rid of module dir to ensure opengl-update works properly + if [[ -z ${REPLACED_BY_VERSION} && -e ${EROOT}/usr/$(get_libdir)/xorg/modules ]]; then + rm -rf "${EROOT}"/usr/$(get_libdir)/xorg/modules + fi +} + +dynamic_libgl_install() { + # next section is to setup the dynamic libGL stuff + ebegin "Moving GL files for dynamic switching" + dodir /usr/$(get_libdir)/opengl/xorg-x11/extensions + local x="" + for x in "${ED}"/usr/$(get_libdir)/xorg/modules/extensions/lib{glx,dri,dri2}*; do + if [ -f ${x} -o -L ${x} ]; then + mv -f ${x} "${ED}"/usr/$(get_libdir)/opengl/xorg-x11/extensions + fi + done + eend 0 +} + +server_based_install() { + if ! use xorg; then + rm "${ED}"/usr/share/man/man1/Xserver.1x \ + "${ED}"/usr/$(get_libdir)/xserver/SecurityPolicy \ + "${ED}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \ + "${ED}"/usr/share/man/man1/Xserver.1x + fi +} diff --git a/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild b/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild new file mode 100644 index 000000000000..1ec0222efd22 --- /dev/null +++ b/x11-base/xorg-server/xorg-server-1.16.4-r4.ebuild @@ -0,0 +1,236 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +XORG_DOC=doc +inherit xorg-2 multilib versionator flag-o-matic +EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver" + +DESCRIPTION="X.Org X servers" +SLOT="0/1.16.1" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux" + +IUSE_SERVERS="dmx kdrive xnest xorg xvfb" +IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland" + +CDEPEND=">=app-eselect/eselect-opengl-1.3.0 + dev-libs/openssl + media-libs/freetype + >=x11-apps/iceauth-1.0.2 + >=x11-apps/rgb-1.0.3 + >=x11-apps/xauth-1.0.3 + x11-apps/xkbcomp + >=x11-libs/libdrm-2.4.20 + >=x11-libs/libpciaccess-0.12.901 + >=x11-libs/libXau-1.0.4 + >=x11-libs/libXdmcp-1.0.2 + >=x11-libs/libXfont-1.4.2 + >=x11-libs/libxkbfile-1.0.4 + >=x11-libs/libxshmfence-1.1 + >=x11-libs/pixman-0.27.2 + >=x11-libs/xtrans-1.3.3 + >=x11-misc/xbitmaps-1.0.1 + >=x11-misc/xkeyboard-config-2.4.1-r3 + dmx? ( + x11-libs/libXt + >=x11-libs/libdmx-1.0.99.1 + >=x11-libs/libX11-1.1.5 + >=x11-libs/libXaw-1.0.4 + >=x11-libs/libXext-1.0.99.4 + >=x11-libs/libXfixes-5.0 + >=x11-libs/libXi-1.2.99.1 + >=x11-libs/libXmu-1.0.3 + x11-libs/libXrender + >=x11-libs/libXres-1.0.3 + >=x11-libs/libXtst-1.0.99.2 + ) + glamor? ( + media-libs/libepoxy + >=media-libs/mesa-10.3.4-r1[egl,gbm] + !x11-libs/glamor + ) + kdrive? ( + >=x11-libs/libXext-1.0.5 + x11-libs/libXv + ) + !minimal? ( + >=x11-libs/libX11-1.1.5 + >=x11-libs/libXext-1.0.5 + >=media-libs/mesa-10.3.4-r1[nptl=] + ) + tslib? ( >=x11-libs/tslib-1.0 ) + udev? ( >=virtual/udev-150 ) + unwind? ( sys-libs/libunwind ) + wayland? ( + >=dev-libs/wayland-1.3.0 + media-libs/libepoxy + ) + >=x11-apps/xinit-1.3 + systemd? ( + sys-apps/dbus + sys-apps/systemd + )" + +DEPEND="${CDEPEND} + sys-devel/flex + >=x11-proto/bigreqsproto-1.1.0 + >=x11-proto/compositeproto-0.4 + >=x11-proto/damageproto-1.1 + >=x11-proto/fixesproto-5.0 + >=x11-proto/fontsproto-2.1.3 + >=x11-proto/glproto-1.4.17-r1 + >=x11-proto/inputproto-2.2.99.1 + >=x11-proto/kbproto-1.0.3 + >=x11-proto/randrproto-1.4.0 + >=x11-proto/recordproto-1.13.99.1 + >=x11-proto/renderproto-0.11 + >=x11-proto/resourceproto-1.2.0 + >=x11-proto/scrnsaverproto-1.1 + >=x11-proto/trapproto-3.4.3 + >=x11-proto/videoproto-2.2.2 + >=x11-proto/xcmiscproto-1.2.0 + >=x11-proto/xextproto-7.2.99.901 + >=x11-proto/xf86dgaproto-2.0.99.1 + >=x11-proto/xf86rushproto-1.1.2 + >=x11-proto/xf86vidmodeproto-2.2.99.1 + >=x11-proto/xineramaproto-1.1.3 + >=x11-proto/xproto-7.0.26 + >=x11-proto/presentproto-1.0 + >=x11-proto/dri3proto-1.0 + dmx? ( + >=x11-proto/dmxproto-2.2.99.1 + doc? ( + || ( + www-client/links + www-client/lynx + www-client/w3m + ) + ) + ) + !minimal? ( + >=x11-proto/xf86driproto-2.1.0 + >=x11-proto/dri2proto-2.8 + )" + +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-xserver ) +" + +PDEPEND=" + xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )" + +REQUIRED_USE="!minimal? ( + || ( ${IUSE_SERVERS} ) + )" + +#UPSTREAMED_PATCHES=( +# "${WORKDIR}/patches/" +#) + +PATCHES=( + "${UPSTREAMED_PATCHES[@]}" + "${FILESDIR}"/${PN}-1.12-ia64-fix_inx_outx.patch + "${FILESDIR}"/${PN}-1.12-unloadsubmodule.patch + # needed for new eselect-opengl, bug #541232 + "${FILESDIR}"/${PN}-1.17-support-multiple-Files-sections.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-3164-1.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-3164-2.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-3164-3.patch +) + +pkg_pretend() { + # older gcc is not supported + [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \ + die "Sorry, but gcc earlier than 4.0 will not work for xorg-server." +} + +src_configure() { + # localstatedir is used for the log location; we need to override the default + # from ebuild.sh + # sysconfdir is used for the xorg.conf location; same applies + # NOTE: fop is used for doc generating ; and i have no idea if gentoo + # package it somewhere + XORG_CONFIGURE_OPTIONS=( + $(use_enable ipv6) + $(use_enable dmx) + $(use_enable glamor) + $(use_enable kdrive) + $(use_enable kdrive kdrive-kbd) + $(use_enable kdrive kdrive-mouse) + $(use_enable kdrive kdrive-evdev) + $(use_enable suid install-setuid) + $(use_enable tslib) + $(use_enable unwind libunwind) + $(use_enable wayland xwayland) + $(use_enable !minimal record) + $(use_enable !minimal xfree86-utils) + $(use_enable !minimal install-libxf86config) + $(use_enable !minimal dri) + $(use_enable !minimal dri2) + $(use_enable !minimal glx) + $(use_enable xnest) + $(use_enable xorg) + $(use_enable xvfb) + $(use_enable nptl glx-tls) + $(use_enable udev config-udev) + $(use_with doc doxygen) + $(use_with doc xmlto) + $(use_with systemd systemd-daemon) + $(use_enable systemd systemd-logind) + --enable-libdrm + --sysconfdir="${EPREFIX}"/etc/X11 + --localstatedir="${EPREFIX}"/var + --with-fontrootdir="${EPREFIX}"/usr/share/fonts + --with-xkb-output="${EPREFIX}"/var/lib/xkb + --disable-config-hal + --disable-linux-acpi + --without-dtrace + --without-fop + --with-os-vendor=Gentoo + --with-sha1=libcrypto + ) + + xorg-2_src_configure +} + +src_install() { + xorg-2_src_install + + server_based_install + + if ! use minimal && use xorg; then + # Install xorg.conf.example into docs + dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example + fi + + newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup + newinitd "${FILESDIR}"/xdm.initd-11 xdm + newconfd "${FILESDIR}"/xdm.confd-4 xdm + + # install the @x11-module-rebuild set for Portage + insinto /usr/share/portage/config/sets + newins "${FILESDIR}"/xorg-sets.conf xorg.conf +} + +pkg_postinst() { + # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install) + eselect opengl set xorg-x11 --use-old +} + +pkg_postrm() { + # Get rid of module dir to ensure opengl-update works properly + if [[ -z ${REPLACED_BY_VERSION} && -e ${EROOT}/usr/$(get_libdir)/xorg/modules ]]; then + rm -rf "${EROOT}"/usr/$(get_libdir)/xorg/modules + fi +} + +server_based_install() { + if ! use xorg; then + rm "${ED}"/usr/share/man/man1/Xserver.1x \ + "${ED}"/usr/$(get_libdir)/xserver/SecurityPolicy \ + "${ED}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \ + "${ED}"/usr/share/man/man1/Xserver.1x + fi +} -- 2.26.2