app-emulation/xen: security bump

fix XSA-217,218,219,220,221,222,223,224,225

Gentoo-Bug: 624112,624114,624116,624118,624120,624122,624124,624126,624130
Package-Manager: Portage-2.3.6, Repoman-2.3.2

app-emulation/xen/Manifest

@@ -1,4 +1,7 @@
 DIST xen-4.7.2-upstream-patches-0.tar.xz 45944 SHA256 e7783bc9adc939167eaef91e96fda506d2d52815f709b31952229891357e6b67 SHA512 6d4e23fb5a63fd191f893e31194b6397a394956846f356ae0119c656a92e7e22296e728286a98109b64a5736241b2317969f54915e7b487b4d7a64aae534614c WHIRLPOOL e185ce40085559d00a302eae8814b4c013817a5e4c0a2a9c56a6b4983b38e7103e44d0407fa78ea79fdbe8eefde346b994812851d8b4bad0bf08cb5721507c37
 DIST xen-4.7.2.tar.gz 20714281 SHA256 61494a56d9251e2108080f95b0dc8e3d175f1ba4da34603fc07b91cfebf358d5 SHA512 8f447e7feffec81fea5b5a4098968b8b8cebc6989e7b6a845413317644d5d328d6f12181d09266366200878ab6a29ab34c7235c1af7b55463a3fdaea40ee1500 WHIRLPOOL 27f3fd88846724e03bf9bb53133046cb79139950c9162dd9c9a85798e169259f73dc2fe4212e750ce9a8fd1d0abd99f1f76108faceb7bf1934ce0495377ee756
+DIST xen-4.7.3.tar.gz 20722625 SHA256 5b5385b476e59e4cf31ecc6dd605df38814b83432b8e8d917f18c8edfdfb708f SHA512 df596bef7f0f0e7f35246fb025913721dae5aa91da27f1b47a49256e9faa8f7dcb80e8c4679345c19614093c02059b6ced54fc51e6900a372b0e76b4ad827126 WHIRLPOOL 9e88db149e216651711cd56830fba33d587de60d57d53fd3ab3db231319f74e4e88222bf1b2bb9b20fea68739bccd4b26304c73a0ae25aad6dbbac64681e3a62
+DIST xen-4.8.1-upstream-patches-0.tar.xz 57132 SHA256 6a6d466e74b28e50cc8ffcf56f6e3853dff73a5d936374404a2aab9dadb54566 SHA512 bcf43f7f9c15016576f225146a34e26122a6e35d953ca8df05d6d3b6b2465bd8e237e824d3d84dfd892f440b40d6e6b3bb7c16c3c79b8e04534b2bed60877f53 WHIRLPOOL 4470d244bed58f9b71a031da19cfe38a79badf426300637211c3e8dfdab02f2b87ed21d9a5340af267685aafd627451f8750b85d9afc73ed2a550c52b43c31ab
 DIST xen-4.8.1.tar.gz 22516631 SHA256 1d69153b94561429293015f66463ee17c26404d1c014e646ecbcca6078581395 SHA512 9f535b4bb57d285dfb92c974d55513505cf485b2d7218fe8f6ed62768e2cee7f225b08adf6706590b2c0a04feca16e10915297c33b98e1b110f8ea7035f46c15 WHIRLPOOL ea367d4d08eaa464417f6c5e7143a52e085a8d0e515c99cbb49ac3ccd5c189aa79947d233754177698a076c28abf7a32c83ae29019ca70c6300839b09ca67bad
 DIST xen-security-patches-26.tar.xz 8276 SHA256 2a21ec429f8952875f7d95f24697600e606326f1a16d5622cee73628cd0401c1 SHA512 f54fc7e720a70258263d29cc482b8269386818ad75792de87b0d0357fdb6af81f2102e5983100db47563435fa28f875a84e8c6d73d44797aadaf0c469d9fb0ec WHIRLPOOL b31667d8415dc1fbcd60160fdbc2fe0ad4de9bd2171fda875f5585b8d7821c4c035b029dbf382abacf4b6be745aeeb708f419fdcabdd86f78ff1c13703802e3f
+DIST xen-security-patches-27.tar.xz 2604 SHA256 a8d01bc309894cb1bbde7a264003b873b77d1b4a1cb5c917b25a51e1b068f85b SHA512 ed9ef5ca3a39635a5ebbdc88663ea32f48c12e8ac1f193b8a66486bb62da692add38c5a89051753c992294528b4b4e92d121997317032a864f46776cb91d1897 WHIRLPOOL 07e2321959664083000a6cc90f30fa2365e206e8c1cc22e74afb085760e2c6378ba51f4ebcbf2b433c0d7a8ad9d98d0f43adb423b1bffc6a00eade362e1c59f5

app-emulation/xen/xen-4.7.3.ebuild

@@ -0,0 +1,192 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils multilib mount-boot flag-o-matic python-any-r1 toolchain-funcs
+
+MY_PV=${PV/_/-}
+MY_P=${PN}-${PV/_/-}
+
+if [[ $PV == *9999 ]]; then
+	inherit git-r3
+	KEYWORDS="amd64 x86"
+	EGIT_REPO_URI="git://xenbits.xen.org/xen.git"
+	SRC_URI=""
+else
+	KEYWORDS="~amd64 ~arm ~x86"
+	UPSTREAM_VER=
+	SECURITY_VER=
+	GENTOO_VER=
+
+	[[ -n ${UPSTREAM_VER} ]] && \
+		UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz"
+	[[ -n ${SECURITY_VER} ]] && \
+		SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz"
+	[[ -n ${GENTOO_VER} ]] && \
+		GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz"
+	SRC_URI="https://downloads.xenproject.org/release/xen/${MY_PV}/${MY_P}.tar.gz
+		${UPSTREAM_PATCHSET_URI}
+		${SECURITY_PATCHSET_URI}
+		${GENTOO_PATCHSET_URI}"
+fi
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask"
+
+DEPEND="${PYTHON_DEPS}
+	efi? ( >=sys-devel/binutils-2.22[multitarget] )
+	!efi? ( >=sys-devel/binutils-2.22 )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+# no tests are available for the hypervisor
+# prevent the silliness of /usr/lib/debug/usr/lib/debug files
+# prevent stripping of the debug info from the /usr/lib/debug/xen-syms
+RESTRICT="test splitdebug strip"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="arm? ( debug )"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		elif use arm; then
+			export XEN_TARGET_ARCH="arm32"
+		elif use arm64; then
+			export XEN_TARGET_ARCH="arm64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Upstream's patchset
+	if [[ -n ${UPSTREAM_VER} ]]; then
+		EPATCH_SUFFIX="patch" \
+		EPATCH_FORCE="yes" \
+		EPATCH_OPTS="-p1" \
+			epatch "${WORKDIR}"/patches-upstream
+	fi
+
+	# Security patchset
+	if [[ -n ${SECURITY_VER} ]]; then
+	einfo "Try to apply Xen Security patch set"
+		# apply main xen patches
+		# Two parallel systems, both work side by side
+		# Over time they may concdense into one. This will suffice for now
+		EPATCH_SUFFIX="patch"
+		EPATCH_FORCE="yes"
+
+		source "${WORKDIR}"/patches-security/${PV}.conf
+
+		for i in ${XEN_SECURITY_MAIN}; do
+			epatch "${WORKDIR}"/patches-security/xen/$i
+		done
+	fi
+
+	# Gentoo's patchset
+	if [[ -n ${GENTOO_VER} ]]; then
+		EPATCH_SUFFIX="patch" \
+		EPATCH_FORCE="yes" \
+			epatch "${WORKDIR}"/patches-gentoo
+	fi
+
+	epatch "${FILESDIR}"/${PN}-4.6-efi.patch
+
+	# Drop .config
+	sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't	drop"
+
+	if use efi; then
+		export EFI_VENDOR="gentoo"
+		export EFI_MOUNTPOINT="boot"
+	fi
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \; || die "failed to re-set custom-cflags"
+	fi
+
+	# remove -Werror for gcc-4.6's sake
+	find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \
+		xargs sed -i 's/ *-Werror */ /'
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+	# Bug #575868 converted to a sed statement, typo of one char
+	sed -e "s:granter’s:granter's:" -i xen/include/public/grant_table.h || die
+
+	epatch_user
+}
+
+src_configure() {
+	use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i"
+
+	use debug && myopt="${myopt} debug=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+		unset LDFLAGS
+		unset ASFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+
+	# The 'make install' doesn't 'mkdir -p' the subdirs
+	if use efi; then
+		mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+	fi
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+
+	# make install likes to throw in some extra EFI bits if it built
+	use efi || rm -rf "${D}/usr/$(get_libdir)/efi"
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " https://wiki.gentoo.org/wiki/Xen"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+
+	elog "You can optionally block the installation of /boot/xen-syms by an entry"
+	elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK"
+	elog "e.g. echo ${msg} > /etc/portage/env/xen.conf"
+}

app-emulation/xen/xen-4.8.1-r2.ebuild

@@ -0,0 +1,192 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils multilib mount-boot flag-o-matic python-any-r1 toolchain-funcs
+
+MY_PV=${PV/_/-}
+MY_P=${PN}-${PV/_/-}
+
+if [[ $PV == *9999 ]]; then
+	inherit git-r3
+	KEYWORDS=""
+	EGIT_REPO_URI="git://xenbits.xen.org/xen.git"
+	SRC_URI=""
+else
+	KEYWORDS="~amd64 ~arm -x86"
+	UPSTREAM_VER=0
+	SECURITY_VER=27
+	GENTOO_VER=
+
+	[[ -n ${UPSTREAM_VER} ]] && \
+		UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz"
+	[[ -n ${SECURITY_VER} ]] && \
+		SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz"
+	[[ -n ${GENTOO_VER} ]] && \
+		GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz"
+	SRC_URI="http://bits.xensource.com/oss-xen/release/${MY_PV}/${MY_P}.tar.gz
+		${UPSTREAM_PATCHSET_URI}
+		${SECURITY_PATCHSET_URI}
+		${GENTOO_PATCHSET_URI}"
+fi
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask"
+
+DEPEND="${PYTHON_DEPS}
+	efi? ( >=sys-devel/binutils-2.22[multitarget] )
+	!efi? ( >=sys-devel/binutils-2.22 )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+# no tests are available for the hypervisor
+# prevent the silliness of /usr/lib/debug/usr/lib/debug files
+# prevent stripping of the debug info from the /usr/lib/debug/xen-syms
+RESTRICT="test splitdebug strip"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="arm? ( debug )"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		elif use arm; then
+			export XEN_TARGET_ARCH="arm32"
+		elif use arm64; then
+			export XEN_TARGET_ARCH="arm64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Upstream's patchset
+	if [[ -n ${UPSTREAM_VER} ]]; then
+		EPATCH_SUFFIX="patch" \
+		EPATCH_FORCE="yes" \
+		EPATCH_OPTS="-p1" \
+			epatch "${WORKDIR}"/patches-upstream
+	fi
+
+	# Security patchset
+	if [[ -n ${SECURITY_VER} ]]; then
+	einfo "Try to apply Xen Security patch set"
+		# apply main xen patches
+		# Two parallel systems, both work side by side
+		# Over time they may concdense into one. This will suffice for now
+		EPATCH_SUFFIX="patch"
+		EPATCH_FORCE="yes"
+
+		source "${WORKDIR}"/patches-security/${PV}.conf
+
+		for i in ${XEN_SECURITY_MAIN}; do
+			epatch "${WORKDIR}"/patches-security/xen/$i
+		done
+	fi
+
+	# Gentoo's patchset
+	if [[ -n ${GENTOO_VER} ]]; then
+		EPATCH_SUFFIX="patch" \
+		EPATCH_FORCE="yes" \
+			epatch "${WORKDIR}"/patches-gentoo
+	fi
+
+	epatch "${FILESDIR}"/${PN}-4.6-efi.patch
+
+	# Drop .config
+	sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't	drop"
+
+	if use efi; then
+		export EFI_VENDOR="gentoo"
+		export EFI_MOUNTPOINT="boot"
+	fi
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \; || die "failed to re-set custom-cflags"
+	fi
+
+	# remove -Werror for gcc-4.6's sake
+	find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \
+		xargs sed -i 's/ *-Werror */ /'
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+	# Bug #575868 converted to a sed statement, typo of one char
+	sed -e "s:granter’s:granter's:" -i xen/include/public/grant_table.h || die
+
+	epatch_user
+}
+
+src_configure() {
+	use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i"
+
+	use debug && myopt="${myopt} debug=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+		unset LDFLAGS
+		unset ASFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+
+	# The 'make install' doesn't 'mkdir -p' the subdirs
+	if use efi; then
+		mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+	fi
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+
+	# make install likes to throw in some extra EFI bits if it built
+	use efi || rm -rf "${D}/usr/$(get_libdir)/efi"
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " https://wiki.gentoo.org/wiki/Xen"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+
+	elog "You can optionally block the installation of /boot/xen-syms by an entry"
+	elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK"
+	elog "e.g. echo ${msg} > /etc/portage/env/xen.conf"
+}