xorg-server: version bump 1.16.1 -> 1.17.1

Brings many security fixes and some new features. We keep the default
socket listen policy to keep the attack surface low. This can be overridden
at runtime if needed.

Also disable BINDNOW hardening, as it interferes with the xorg module loader
and prevents modules with dependencies to load correctly.

Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>

1 files changed, 10 insertions, 19 deletions

diff --git a/rules/xorg-server.make b/rules/xorg-server.make
index 5e82580f4..46e9514aa 100644
--- a/rules/xorg-server.make
+++ b/rules/xorg-server.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_XORG_SERVER) += xorg-server
 #
 # Paths and names
 #
-XORG_SERVER_VERSION	:= 1.16.1
-XORG_SERVER_MD5		:= b1ff364222e921d32de40c4786e8bc47
+XORG_SERVER_VERSION	:= 1.17.1
+XORG_SERVER_MD5		:= 5986510d59e394a50126a8e2833e79d3
 XORG_SERVER		:= xorg-server-$(XORG_SERVER_VERSION)
 XORG_SERVER_SUFFIX	:= tar.bz2
 XORG_SERVER_URL		:= $(call ptx/mirror, XORG, individual/xserver/$(XORG_SERVER).$(XORG_SERVER_SUFFIX))
@@ -28,6 +28,10 @@ XORG_SERVER_DIR		:= $(BUILDDIR)/$(XORG_SERVER)
 # Prepare
 # ----------------------------------------------------------------------------
 
+# The xorg module loader needs lazy symbol binding
+XORG_SERVER_WRAPPER_BLACKLIST := \
+        TARGET_HARDEN_BINDNOW
+
 XORG_SERVER_ENV 	:= $(CROSS_ENV) \
 	ac_cv_sys_linker_h=yes \
 	ac_cv_file__usr_share_sgml_X11_defs_ent=no
@@ -61,7 +65,6 @@ XORG_SERVER_CONF_OPT	= \
 	--disable-install-libxf86config \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_OPT_AIGLX)-aiglx \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_OPT_GLX_TLS)-glx-tls \
-	--$(call ptx/endis, PTXCONF_XORG_SERVER_STRING_REGISTRY)-registry \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_EXT_COMPOSITE)-composite \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_EXT_SHM)-mitshm \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_EXT_XRES)-xres \
@@ -100,6 +103,9 @@ XORG_SERVER_CONF_OPT	= \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_XORG)-pciaccess \
 	--enable-linux-acpi \
 	--enable-linux-apm \
+	--disable-listen-tcp \
+	--enable-listen-unix \
+	--enable-listen-local \
 	--disable-systemd-logind \
 	--disable-suid-wrapper \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_XORG)-xorg \
@@ -107,6 +113,7 @@ XORG_SERVER_CONF_OPT	= \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_XVFB)-xvfb \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_XNEST)-xnest \
 	--disable-xquartz \
+	--disable-xshmfence \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_XWAYLAND)-xwayland \
 	--disable-standalone-xpbproxy \
 	--$(call ptx/endis, PTXCONF_XORG_SERVER_XWIN)-xwin \
@@ -239,22 +246,6 @@ ifdef PTXCONF_XORG_DRIVER_VIDEO
 		$(XORG_PREFIX)/lib/xorg/modules/libvgahw.so)
 endif
 
-# FIXME: Should be included on demand only
-	@$(call install_copy, xorg-server, 0, 0, 0644, -, \
-		/usr/lib/xorg/modules/multimedia/bt829_drv.so)
-	@$(call install_copy, xorg-server, 0, 0, 0644, -, \
-		/usr/lib/xorg/modules/multimedia/tda8425_drv.so)
-	@$(call install_copy, xorg-server, 0, 0, 0644, -, \
-		/usr/lib/xorg/modules/multimedia/tda9850_drv.so)
-	@$(call install_copy, xorg-server, 0, 0, 0644, - ,\
-		/usr/lib/xorg/modules/multimedia/uda1380_drv.so)
-	@$(call install_copy, xorg-server, 0, 0, 0644, -, \
-		/usr/lib/xorg/modules/multimedia/fi1236_drv.so)
-	@$(call install_copy, xorg-server, 0, 0, 0644, - ,\
-		/usr/lib/xorg/modules/multimedia/msp3430_drv.so)
-	@$(call install_copy, xorg-server, 0, 0, 0644, -, \
-		/usr/lib/xorg/modules/multimedia/tda9885_drv.so)
-
 ifdef PTXCONF_XORG_SERVER_EXT_GLX
 	@$(call install_copy, xorg-server, 0, 0, 0644, -, \
 		/usr/lib/xorg/modules/extensions/libglx.so)