main/xz: switch to github tags instead of official tarballs (CVE-2024-3094)

Also regenerate autoconf scripts ourselves, since the git repository does not contain them.
2026-05-04 20:06:43 +02:00 · 2024-03-29 11:07:13 -07:00 · 2024-03-29 11:07:13 -07:00 · 982d2c6bcb
commit 982d2c6bcb
parent 8d898e3a9a
1 changed files with 11 additions and 3 deletions
--- a/main/xz/APKBUILD
+++ b/main/xz/APKBUILD
@ -2,18 +2,26 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xz
 pkgver=5.6.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Library and CLI tools for XZ and LZMA compressed files"
 url="https://xz.tukaani.org/xz-utils/"
 arch="all"
 license="GPL-2.0-or-later AND 0BSD AND Public-Domain AND LGPL-2.1-or-later"
+makedepends="autoconf automake libtool po4a gettext-dev"
 depends_dev="$pkgname=$pkgver-r$pkgrel"
 subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs"
-source="https://github.com/tukaani-project/xz/releases/download/v$pkgver/xz-$pkgver.tar.xz"
+source="https://github.com/tukaani-project/xz/archive/refs/tags/v$pkgver/xz-$pkgver.tar.gz"

 # secfixes:
 #   5.2.5-r1:
 #     - CVE-2022-1271
+#   5.6.1-r2:
+#     - CVE-2024-3094
+
+prepare() {
+	default_prepare
+	autoreconf -fi
+}

 build() {
 	# compression utility
@ -49,5 +57,5 @@ package() {
 }

 sha512sums="
-a8b6d2e58eb61609a64b182e868c47aaf722d34f87bad3a9598c94ad96fb3357477959a95bb215c1dac59b8c84453cf00dc23669d13358f4aeb5123526f741f2  xz-5.6.1.tar.xz
+6391794eee783302a3f276299fc92df3e81a05dee0eab61cbb8505858da6d535ae2ac5d067f6825d6963b1e4c3d9616039f495f11f99ecec692ccd79ec17ba8d  xz-5.6.1.tar.gz
 "