- n_Install-Avoid-failure-on-wrapper-installation.patch:

rename to:
    N_Install-Avoid-failure-on-wrapper-installation.patch
-  u_xorg-wrapper-Drop-supplemental-group-IDs.patch:
   Drop supplementary group privileges.
-  u_xorg-wrapper-build-Build-position-independent-code.patch:
   Build position independent.

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=627

u_xorg-wrapper-Drop-supplemental-group-IDs.patch

@@ -0,0 +1,78 @@
+From: Egbert Eich <eich@suse.de>
+Date: Tue Apr 12 15:52:37 2016 +0200
+Subject: [PATCH]xorg-wrapper: Drop supplemental group IDs
+Patch-mainline: to be upstreamed
+References: 
+Signed-off-by: Egbert Eich <eich@suse.com>
+
+Signed-off-by: Egbert Eich <eich@suse.de>
+---
+ hw/xfree86/xorg-wrapper.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/hw/xfree86/xorg-wrapper.c b/hw/xfree86/xorg-wrapper.c
+index d930962..64a43c4 100644
+--- a/hw/xfree86/xorg-wrapper.c
++++ b/hw/xfree86/xorg-wrapper.c
+@@ -36,6 +36,8 @@
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <pwd.h>
++#include <grp.h>
+ #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ #include <sys/consio.h>
+ #endif
+@@ -252,6 +254,52 @@ int main(int argc, char *argv[])
+     if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) {
+         gid_t realgid = getgid();
+         uid_t realuid = getuid();
++        int ngroups = 0;
++        gid_t *groups = NULL;
++        long int initlen = sysconf(_SC_GETPW_R_SIZE_MAX);
++        size_t len;
++        struct passwd result, *resultp;
++        char *buffer;
++        int e;
++
++        if (initlen == -1)
++            len = 1024;
++        else
++            len = (size_t) initlen;
++        if ((buffer = malloc(len)) < 0) {
++            fprintf(stderr, "%s: Could not allocate memory: %s\n",
++                    progname, strerror(errno));
++            exit (1);
++        }
++        if ((e = getpwuid_r(realuid, &result, buffer, len, &resultp)) > 0) {
++            fprintf(stderr, "%s: Could not get user name: %s\n",
++                    progname, strerror(errno));
++            exit (1);
++        } else if (resultp == NULL) {
++            fprintf(stderr, "%s: Could not find user name for UID %d\n",
++                    progname, realuid);
++            exit (1);
++        }
++        if (getgrouplist(result.pw_name, realgid, groups, &ngroups) < 0) {
++            if ((groups = malloc(sizeof(gid_t) * ngroups)) == NULL) {
++                fprintf(stderr, "%s: Could not allocate memory: %s\n",
++                        progname, strerror(errno));
++                exit (1);
++            }
++            if (getgrouplist(result.pw_name, realgid, groups, &ngroups) < 0) {
++                fprintf(stderr, "%s: Could not get supplementary group list\n",
++                        progname);
++                ngroups = 0;
++            }
++        }
++        if (setgroups(ngroups, groups) == -1) {
++            fprintf(stderr, "%s: Could not set groups: %s\n",
++                    progname, strerror(errno));
++            exit (1);
++        }
++        memset(buffer, 0, len);
++        free(buffer);
++        free(groups);
+ 
+         if (setresgid(-1, realgid, realgid) != 0) {
+             fprintf(stderr, "%s: Could not drop setgid privileges: %s\n",

u_xorg-wrapper-build-Build-position-independent-code.patch

@@ -0,0 +1,24 @@
+From: Egbert Eich <eich@suse.de>
+Date: Tue Apr 12 15:53:11 2016 +0200
+Subject: [PATCH]xorg-wrapper/build: Build position independent code
+Patch-mainline: to be upstreamed
+References: 
+Signed-off-by: Egbert Eich <eich@suse.com>
+
+Signed-off-by: Egbert Eich <eich@suse.de>
+---
+ hw/xfree86/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
+index 461e818..c0ce3b8 100644
+--- a/hw/xfree86/Makefile.am
++++ b/hw/xfree86/Makefile.am
+@@ -87,6 +87,7 @@ if SUID_WRAPPER
+ wrapdir = $(SUID_WRAPPER_DIR)
+ wrap_PROGRAMS = Xorg.wrap
+ Xorg_wrap_SOURCES = xorg-wrapper.c
++Xorg_wrap_CFLAGS = $(AM_CFLAGS) -pie -fpie
+ endif
+ 
+ BUILT_SOURCES = xorg.conf.example

xorg-x11-server.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Apr 12 13:59:48 UTC 2016 - eich@suse.com
+
+-  n_Install-Avoid-failure-on-wrapper-installation.patch:
+   rename to:
+    N_Install-Avoid-failure-on-wrapper-installation.patch
+-  u_xorg-wrapper-Drop-supplemental-group-IDs.patch:
+   Drop supplementary group privileges.
+-  u_xorg-wrapper-build-Build-position-independent-code.patch:
+   Build position independent.
+
 -------------------------------------------------------------------
 Tue Apr 12 09:06:06 UTC 2016 - eich@suse.com
 

xorg-x11-server.spec

@@ -170,8 +170,9 @@ Patch2:         N_zap_warning_xserver.diff
 Patch3:         N_driver-autoconfig.diff
 Patch4:         N_fix_fglrx_screendepth_issue.patch
 Patch6:         N_fix-dpi-values.diff
-Patch7:         n_Install-Avoid-failure-on-wrapper-installation.patch
+Patch7:         N_Install-Avoid-failure-on-wrapper-installation.patch
-
+Patch8:         u_xorg-wrapper-Drop-supplemental-group-IDs.patch
+Patch9:         u_xorg-wrapper-build-Build-position-independent-code.patch
 Patch100:       u_01-Improved-ConfineToShape.patch
 Patch101:       u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
 # PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
@@ -307,6 +308,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch4 -p0
 %patch6 -p0
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 #
 %patch100 -p1
 #%patch101 -p1