app-arch/xz-utils: Sync with Gentoo (revert to known-good)

The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't used in Flatcar and so far it seems that the backdoor wouldn't even be compiled for Gentoo. However, we so far don't know whether the other patches are malicious. Revert to 5.4.2 as last known-good release (like Gentoo did). Note that the Flatcar main branch had a copy of the 5.6 ebuild but was not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor but the malicious contributor did other changes of unclear impact part of this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These should get downgraded, too.
2026-05-05 12:16:41 +02:00 · 2024-04-02 12:03:42 +09:00 · 2024-04-02 12:03:42 +09:00 · 168d90a3d5
commit 168d90a3d5
parent 347bb91b5d
10 changed files with 33 additions and 704 deletions
--- a/changelog/security/2024-04-02-xz-utils.md
+++ b/changelog/security/2024-04-02-xz-utils.md
@ -0,0 +1 @@
+- Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
@ -1,12 +1,4 @@
-DIST xz-5.2.11.tar.gz 2130684 BLAKE2B e513f99b2e28fa79f32747e21138cc13ab9340e95a302ac742bc6bda088465488173ea212704c4612f4059bbbc6c6a5b041332d84b999dc7df5b3fab1b1ac4e9 SHA512 8f75450380563229465420f4518fa7a60bbe6f0c9a3b580c2a9a7bf9bf380ad69209f792764115c346d89c49711478e8db42325ef9a46ccd3a6ec72292890ac8
-DIST xz-5.2.11.tar.gz.sig 566 BLAKE2B 34186ea22960f508dd796736107b99e1e3884ffae683f26671f455e46e4debf87400f2d7bb64b446fb142370a8bcebc6c05dce34dcc2678a761b9401b1e23860 SHA512 036ed0f663e179057a805a41052d3e437fbfb9dbbe173c5180fbb255f5a01ac4fa2561424228f4e568e63b22802b3a4ffd88dec2ba7c41a454998ebea30bea7c
-DIST xz-5.2.12.tar.gz 2190541 BLAKE2B 9ca5ecf753ae264f542ec53b4c9a1c85466bc2a932651aafb0ae2a3ebb7d3979a9384e9a81f16173c2d6d14ca8b86e4a820191817675a5e9fd214a64cf364c98 SHA512 1a67112eb1cfd70352c41a1cbb5e34eacd6da2ae816f5020385772a7698b835d059843c2c30461beb15b7514e95906b2033dac6abf09248b5837270420dfe732
-DIST xz-5.2.12.tar.gz.sig 566 BLAKE2B 93d0fb89186ccf018d17278823c2c6cc724798acfe425fd01ecf54338e53451d94b1ad951f2f1ec58171a3eb827fcd6b5d9dcb97da72c5d8545d57d9fba0597b SHA512 0734e1838dd9ab7ba06675af0f4ff5866c0e5c268f0c3e2ca6f12fa8f27b41830d11063244b0039f8d8ba184efc1c1b7b9a7311c378a02abc1290d7727357cb6
 DIST xz-5.4.2.tar.gz 2799022 BLAKE2B 3c622b0823f0cbb5fbc5eaa0372fc2f0fefe0950d131417f831bce47b6d9747d145429f0649de106819331f9ae6a289c497182c7b6d1e211513308dd083a9b72 SHA512 149f980338bea3d66de1ff5994b2b236ae1773135eda68b62b009df0c9dcdf5467f8cb2c06da95a71b6556d60bd3d21f475feced34d5dfdb80ee95416a2f9737
 DIST xz-5.4.2.tar.gz.sig 566 BLAKE2B 95c9c70fdd25b92095dd9691e4d9d4306a3f982becfe7bd42ca6132a76f29be2c2bc66f4fc2bda547058c18e227292f4185799eb905084fc3ab415ae867b4b1b SHA512 30e965c228ed3a8ecb804db8eb11703a765b7ee934030ea69bb3940b630811eb71bf74fd20371ef7759761904ece4f0144a0b00be4d843cf98299fd016f161aa
-DIST xz-5.4.3.tar.gz 2869347 BLAKE2B c4192a59ca751567ebab17e08e72aa1bf0f5ca14af0b59fded1c4dff02c1b76ab30119a4138932f78f69bd4b7827071c81d6ca1c56be65491466ea061786ed78 SHA512 aff0fe166af6df4491a6f5df2372cab100b081452461a0e8c6fd65b72af3f250f16c64d9fb8fd309141e9b9ae4e41649f48687cc29e63dd82f27f2eab19b4023
-DIST xz-5.4.3.tar.gz.sig 566 BLAKE2B 1e3f86a2de532e77cae4c31928d57edeac81ca207e03c71523210605dc6bab76a50793697a242b232f74911c6e1872a0339ed977e2dd0d201504bd859fd3b4f4 SHA512 b7c7eedf4d9604ee50ec97275e5ab57e22a567402815281440ca765210c75707bd2de20e7ebfb0842725690ae19557916fc41a9fbdace5fec8190632b038292e
-DIST xz-5.4.4.tar.gz 2874706 BLAKE2B 0ade3767651a07a6bb4d53b510d7e97239e182788c42bc3388b97c54463ccaa968e27bcb88d34697df70381eea91279615f2622b5493ae2da22632e9576d8989 SHA512 2e27d864c9f346e53afc549d7046385b5d35a749af15d84f69de14612657df2f0e2ce71d3be03d57adadf8fd28549ecf4ef1c214bdcd1f061b5a47239e0104e8
-DIST xz-5.4.4.tar.gz.sig 566 BLAKE2B 9d695293fe479e07b4051f9b22af19191ec7cb5063da519769a24a08cff46819a4f29db002cea92e4af982410dd660d9b3185c8ef0908abbf13b86f89c0baa0f SHA512 6f12f0b30e4e5c78238f5d758443621d4126edf5ec8d02c51f06cc27e40822f0429c2018ec567eae20d118a81295f9d31e2f9101720d289bebab15f72590e9f2
-DIST xz-5.4.5.tar.gz 2884510 BLAKE2B 647c8227080a7f37e3321e778d7f52ccb9da3810f2be81b2d2b46001605b22cef6e724f9b3facfada26a12b24401c9a11449d6066443849b37b28e0eaa199315 SHA512 91f8f548c915de0ed79cee13ce0336b51c1cebf2eb142fa1efecfd07771c662c99cad3730540fcb712057ab274130e13b87960f6b4c62f0bd9477f27a303fb2b
-DIST xz-5.4.5.tar.gz.sig 566 BLAKE2B c6ec64f92ecb30395e6d580be5d0aad1ee007585245ed42e7b05f1ea3a8cd8bf4317e8dc964c65417daa0a04e8f523c6ba8ae61a7f5b2ff3dc17dd53c7593ce2 SHA512 4f2c779d3c14bacd0451cfd68846201a48931128994c4119fcbf4f0dd7331710c32098039d38561de29327d543d67174fddbb6a83cb2fcfda9b3153cab092d4d
+DIST xz-5.4.6.tar.gz 2889306 BLAKE2B f0bbd33ea7cd64d475c3501f6e76080c8c0080e377f23462f5f76459935f4e621538ddaa8452d2feaed278d62a596e38ed2aca18ed9e76512c4ec77fa2f4cc5f SHA512 b08a61d8d478d3b4675cb1ddacdbbd98dc6941a55bcdd81a28679e54e9367d3a595fa123ac97874a17da571c1b712e2a3e901c2737099a9d268616a1ba3de497
+DIST xz-5.4.6.tar.gz.sig 566 BLAKE2B 808f1b5e2a17729f36a05ba88a9c00210cda2afa02923e6f289d13dc2a48f7674cafec6e25660e142d67f01dd941c7390cee2757b054df3a3193dde0791363a1 SHA512 d5e32b944e7492a32c40f675d918796e077f63490a23c6fce5c4d6d1eebc443f129d27a2e888913c5a36c3ffdac75b9c96c1749402283445e0ba9ff72b965741
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/files/xz-utils-5.4.2-Wsign-conversion.patch
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/files/xz-utils-5.4.2-Wsign-conversion.patch
@ -1,23 +0,0 @@
-https://github.com/tukaani-project/xz/commit/0673c9ec98b6bae12b33dc295564514aaa26e2fc
-
-From 0673c9ec98b6bae12b33dc295564514aaa26e2fc Mon Sep 17 00:00:00 2001
-From: Lasse Collin <lasse.collin@tukaani.org>
-Date: Sun, 19 Mar 2023 22:45:59 +0200
-Subject: [PATCH] liblzma: Silence -Wsign-conversion in SSE2 code in
- memcmplen.h.
-
-Thanks to Christian Hesse for reporting the issue.
-Fixes: https://github.com/tukaani-project/xz/issues/44
--- a/src/liblzma/common/memcmplen.h
-+++ b/src/liblzma/common/memcmplen.h
-@@ -89,7 +89,8 @@ lzma_memcmplen(const uint8_t *buf1, const uint8_t *buf2,
- 	// version isn't used on x86-64.
- #	define LZMA_MEMCMPLEN_EXTRA 16
- 	while (len < limit) {
-		const uint32_t x = 0xFFFF ^ _mm_movemask_epi8(_mm_cmpeq_epi8(
-+		const uint32_t x = 0xFFFF ^ (uint32_t)_mm_movemask_epi8(
-+			_mm_cmpeq_epi8(
- 			_mm_loadu_si128((const __m128i *)(buf1 + len)),
- 			_mm_loadu_si128((const __m128i *)(buf2 + len))));
- 
-
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.11.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.11.ebuild
@ -1,118 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=7
-
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="+extra-filters nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20230213 )"
-fi
-
-# Tests currently do not account for smaller feature set
-RESTRICT="!extra-filters? ( test )"
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-	rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.12.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.12.ebuild
@ -1,118 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=8
-
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="+extra-filters nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-# Tests currently do not account for smaller feature set
-RESTRICT="!extra-filters? ( test )"
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-	rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
@ -1,12 +1,12 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 # Remember: we cannot leverage autotools in this ebuild in order
 #           to avoid circular deps with autotools

-EAPI=7
+EAPI=8

-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs

 if [[ ${PV} == 9999 ]] ; then
 	# Per tukaani.org, git.tukaani.org is a mirror of github and
@ -18,18 +18,18 @@ if [[ ${PV} == 9999 ]] ; then
 	inherit git-r3 autotools

 	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+	BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
 else
 	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 	inherit verify-sig

 	MY_P="${PN/-utils}-${PV/_}"
 	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
+		https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
 		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
 		https://tukaani.org/xz/${MY_P}.tar.gz
 		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
+			https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
 			https://tukaani.org/xz/${MY_P}.tar.gz.sig
 		)
 	"
@ -47,16 +47,12 @@ HOMEPAGE="https://tukaani.org/xz/"
 # See top-level COPYING file as it outlines the various pieces and their licenses.
 LICENSE="public-domain LGPL-2.1+ GPL-2+"
 SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
+IUSE="doc +extra-filters pgo nls static-libs"

 if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20230213 )"
+	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi

-PATCHES=(
-	"${FILESDIR}"/${P}-Wsign-conversion.patch
-)
-
 src_prepare() {
 	default

@ -107,10 +103,24 @@ multilib_src_configure() {
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }

-multilib_src_install() {
-	default
+multilib_src_compile() {
+	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
+	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
+	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")

-	gen_usr_ldscript -a lzma
+	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+	if use pgo ; then
+		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+		if tc-is-clang; then
+			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+		fi
+
+		emake clean
+		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+	fi
 }

 multilib_src_install_all() {
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.3.ebuild
@ -1,126 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=7
-
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	# Per tukaani.org, git.tukaani.org is a mirror of github and
-	# may be behind.
-	EGIT_REPO_URI="
-		https://github.com/tukaani-project/xz
-		https://git.tukaani.org/xz.git
-	"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(multilib_native_use_enable doc)
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	if use doc ; then
-		rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-	fi
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.4.ebuild
@ -1,146 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=8
-
-inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	# Per tukaani.org, git.tukaani.org is a mirror of github and
-	# may be behind.
-	EGIT_REPO_URI="
-		https://github.com/tukaani-project/xz
-		https://git.tukaani.org/xz.git
-	"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="doc +extra-filters pgo nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(multilib_native_use_enable doc)
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_compile() {
-	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
-	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
-	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-
-	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
-
-	if use pgo ; then
-		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
-
-		if tc-is-clang; then
-			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
-		fi
-
-		emake clean
-		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
-	fi
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	if use doc ; then
-		rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-	fi
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
@ -1,146 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=8
-
-inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	# Per tukaani.org, git.tukaani.org is a mirror of github and
-	# may be behind.
-	EGIT_REPO_URI="
-		https://github.com/tukaani-project/xz
-		https://git.tukaani.org/xz.git
-	"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="doc +extra-filters pgo nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(multilib_native_use_enable doc)
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_compile() {
-	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
-	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
-	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-
-	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
-
-	if use pgo ; then
-		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
-
-		if tc-is-clang; then
-			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
-		fi
-
-		emake clean
-		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
-	fi
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	if use doc ; then
-		rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-	fi
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
@ -20,7 +20,7 @@ if [[ ${PV} == 9999 ]] ; then
 	# bug #272880 and bug #286068
 	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
 else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 	inherit verify-sig

 	MY_P="${PN/-utils}-${PV/_}"
@ -50,12 +50,15 @@ SLOT="0"
 IUSE="doc +extra-filters pgo nls static-libs"

 if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
+	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi

 src_prepare() {
 	default

+	# Delete known-compromised test data (bug #928134)
+	rm tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die
+
 	if [[ ${PV} == 9999 ]] ; then
 		eautopoint
 		eautoreconf
				`@ -0,0 +1 @@`
				`- Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))`