From 982d2c6bcbbb579e85bb27c40be84072ca0b1fd9 Mon Sep 17 00:00:00 2001
From: Ariadne Conill
Date: Fri, 29 Mar 2024 11:07:13 -0700
Subject: [PATCH] main/xz: switch to github tags instead of official tarballs (CVE-2024-3094)

Also regenerate autoconf scripts ourselves, since the git repository does not contain them.
---
 main/xz/APKBUILD | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/main/xz/APKBUILD b/main/xz/APKBUILD
index afebd1d45f8..35e236d7437 100644
--- a/main/xz/APKBUILD
+++ b/main/xz/APKBUILD
@@ -2,18 +2,26 @@
 # Maintainer: Natanael Copa
 pkgname=xz
 pkgver=5.6.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Library and CLI tools for XZ and LZMA compressed files"
 url="https://xz.tukaani.org/xz-utils/"
 arch="all"
 license="GPL-2.0-or-later AND 0BSD AND Public-Domain AND LGPL-2.1-or-later"
+makedepends="autoconf automake libtool po4a gettext-dev"
 depends_dev="$pkgname=$pkgver-r$pkgrel"
 subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs"
-source="https://github.com/tukaani-project/xz/releases/download/v$pkgver/xz-$pkgver.tar.xz"
+source="https://github.com/tukaani-project/xz/archive/refs/tags/v$pkgver/xz-$pkgver.tar.gz"
 
 # secfixes:
 # 5.2.5-r1:
 # - CVE-2022-1271
+# 5.6.1-r2:
+# - CVE-2024-3094
+
+prepare() {
+ default_prepare
+ autoreconf -fi
+}
 
 build() {
 # compression utility
@@ -49,5 +57,5 @@ package() {
 }
 
 sha512sums="
-a8b6d2e58eb61609a64b182e868c47aaf722d34f87bad3a9598c94ad96fb3357477959a95bb215c1dac59b8c84453cf00dc23669d13358f4aeb5123526f741f2 xz-5.6.1.tar.xz
+6391794eee783302a3f276299fc92df3e81a05dee0eab61cbb8505858da6d535ae2ac5d067f6825d6963b1e4c3d9616039f495f11f99ecec692ccd79ec17ba8d xz-5.6.1.tar.gz
 "
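Review bot: The new `source=` line and the new `prepare()` in the first hunk carry no comment explaining why the package now builds from a GitHub tag archive and runs `autoreconf -fi`, so a later pkgver bump could silently switch back to the upstream release tarball, which is exactly the artifact that carried build-system files absent from git (CVE-2024-3094). I'd add above `source=`: `# Build from the git tag, not the upstream release tarball: the 5.6.x tarballs shipped generated build-system files that are not in git (CVE-2024-3094); prepare() regenerates them with autoreconf.` Note also that `refs/tags/v$pkgver` is a mutable reference and GitHub-generated archives are not guaranteed to be byte-stable, so the `sha512sums` pin in the second hunk is the real trust anchor; if that hash ever stops matching, treat it as a prompt to re-verify the tag contents against a fresh checkout rather than simply refreshing the sum. It would help future reviewers to record in the commit message how the new sha512 was obtained, e.g. by comparing the download against a local `git archive` of the tag.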