app-arch/xz-utils: update to xz-utils 5.2.5-r2

Update app-arch/xz-utils to 5.2.5-r2, mainly to address CVE-2022-1271.

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest

@@ -1 +1,2 @@
 DIST xz-5.2.5.tar.gz 1791345 BLAKE2B aded57324e129572c41646b3cc3b0b59a459452d9338d9245663b63dac2a463fb1f1b2b1d2d4ad3c09cb71fb8439df52cd94f24db99e782fc899b94a288a3043 SHA512 7443674247deda2935220fbc4dfc7665e5bb5a260be8ad858c8bd7d7b9f0f868f04ea45e62eb17c0a5e6a2de7c7500ad2d201e2d668c48ca29bd9eea5a73a3ce
+DIST xz-5.2.5.tar.gz.sig 566 BLAKE2B 8b40d8d7913eaebe2595ea41a735d972d1969d8b58f42b2bee6591b51e2e626473fc85d64f1bbbff3cba6b0e1b4423556d6ddaf16f646ccc18ba1bad5cf45d83 SHA512 3aa21484bef0282ed0b83e3fcd5cf3d87bf51fa68e24d55bb11f91bc96f0ac29f468949bc4c8cc20fbd6ad12f5735686fe09ee42efe2b8d728010da9668aa5a9

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch

@@ -0,0 +1,88 @@
+https://bugs.gentoo.org/837155
+https://git.tukaani.org/?p=xz.git;a=commitdiff;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6;hp=bd93b776c1bd15e90661033c918cdeb354dbcc38
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH 1/1] xzgrep: Fix escaping of malicious filenames
+ (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+    info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+          { test $# -eq 1 || test $no_filename -eq 1; }; then
+       eval "$grep"
+     else
++      # Append a colon so that the last character will never be a newline
++      # which would otherwise get lost in shell command substitution.
++      i="$i:"
++
++      # Escape & \ | and newlines only if such characters are present
++      # (speed optimization).
+       case $i in
+       (*'
+ '* | *'&'* | *'\'* | *'|'*)
+-        i=$(printf '%s\n' "$i" |
+-            sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
+-            ');;
++        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+       esac
+-      sed_script="s|^|$i:|"
++
++      # $i already ends with a colon so don't add it here.
++      sed_script="s|^|$i|"
+ 
+       # Fail if grep or sed fails.
+       r=$(
+         exec 4>&1
+-        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++            LC_ALL=C sed "$sed_script" >&3 4>&-
+       ) || r=2
+       exit $r
+     fi >&3 5>&-

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/metadata.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 <maintainer type="project">
 	<email>base-system@gentoo.org</email>

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Remember: we cannot leverage autotools in this ebuild in order
@@ -8,20 +8,27 @@ EAPI=7
 
 inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
 
-if [[ ${PV} == "9999" ]] ; then
+if [[ ${PV} == 9999 ]] ; then
 	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
 	inherit git-r3 autotools
-	SRC_URI=""
-	BDEPEND="sys-devel/gettext dev-vcs/cvs >=sys-devel/libtool-2" #272880 286068
+
+	# bug #272880 and bug #286068
+	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
 else
+	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc
+	inherit verify-sig
+
 	MY_P="${PN/-utils}-${PV/_}"
 	SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz"
-	[[ "${PV}" == *_alpha* ]] || [[ "${PV}" == *_beta* ]] || \
-	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+	SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )"
+
+	if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+	fi
 	S="${WORKDIR}/${MY_P}"
 fi
 
-DESCRIPTION="utils for managing LZMA compressed files"
+DESCRIPTION="Utils for managing LZMA compressed files"
 HOMEPAGE="https://tukaani.org/xz/"
 
 # See top-level COPYING file as it outlines the various pieces and their licenses.
@@ -33,17 +40,24 @@ RDEPEND="!<app-arch/lzma-4.63
 	!<app-arch/p7zip-4.57
 	!<app-i18n/man-pages-de-2.16"
 DEPEND="${RDEPEND}"
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 
 # Tests currently do not account for smaller feature set
 RESTRICT="!extra-filters? ( test )"
 
+PATCHES=(
+	"${FILESDIR}"/${P}-xzgrep-ZDI-CAN-16587.patch
+)
+
 src_prepare() {
 	default
-	if [[ ${PV} == "9999" ]] ; then
+
+	if [[ ${PV} == 9999 ]] ; then
 		eautopoint
 		eautoreconf
 	else
-		elibtoolize  # to allow building shared libs on Solaris/x64
+		# Allow building shared libs on Solaris/x64
+		elibtoolize
 	fi
 }
 
@@ -53,24 +67,32 @@ multilib_src_configure() {
 		$(use_enable nls)
 		$(use_enable static-libs static)
 	)
-	multilib_is_native_abi ||
-		myconf+=( --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts} )
-	if ! use extra-filters; then
+
+	if ! multilib_is_native_abi ; then
+		myconf+=(
+			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+		)
+	fi
+
+	if ! use extra-filters ; then
 		myconf+=(
 			# LZMA1 + LZMA2 for standard .lzma & .xz files
 			--enable-encoders=lzma1,lzma2
 			--enable-decoders=lzma1,lzma2
+
 			# those are used by default, depending on preset
 			--enable-match-finders=hc3,hc4,bt4
+
 			# CRC64 is used by default, though some (old?) files use CRC32
 			--enable-checks=crc32,crc64
 		)
 	fi
 
 	if [[ ${CHOST} == *-solaris* ]] ; then
-		# undo Solaris-based defaults pointing to /usr/xpg5/bin
+		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
 		myconf+=( --disable-path-for-script )
-		export gl_cv_posix_shell=${EPREFIX}/bin/sh
 	fi
 
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
@@ -78,6 +100,7 @@ multilib_src_configure() {
 
 multilib_src_install() {
 	default
+
 	gen_usr_ldscript -a lzma
 }
 

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Remember: we cannot leverage autotools in this ebuild in order
@@ -8,20 +8,27 @@ EAPI=7
 
 inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
 
-if [[ ${PV} == "9999" ]] ; then
+if [[ ${PV} == 9999 ]] ; then
 	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
 	inherit git-r3 autotools
-	SRC_URI=""
-	BDEPEND="sys-devel/gettext dev-vcs/cvs >=sys-devel/libtool-2" #272880 286068
+
+	# bug #272880 and bug #286068
+	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
 else
+	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc
+	inherit verify-sig
+
 	MY_P="${PN/-utils}-${PV/_}"
 	SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz"
-	[[ "${PV}" == *_alpha* ]] || [[ "${PV}" == *_beta* ]] || \
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+	SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )"
+
+	if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+	fi
 	S="${WORKDIR}/${MY_P}"
 fi
 
-DESCRIPTION="utils for managing LZMA compressed files"
+DESCRIPTION="Utils for managing LZMA compressed files"
 HOMEPAGE="https://tukaani.org/xz/"
 
 # See top-level COPYING file as it outlines the various pieces and their licenses.
@@ -34,16 +41,22 @@ RDEPEND="!<app-arch/lzma-4.63
 	!<app-i18n/man-pages-de-2.16"
 DEPEND="${RDEPEND}"
 
+if [[ ${PV} != 9999 ]] ; then
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
+fi
+
 # Tests currently do not account for smaller feature set
 RESTRICT="!extra-filters? ( test )"
 
 src_prepare() {
 	default
-	if [[ ${PV} == "9999" ]] ; then
+
+	if [[ ${PV} == 9999 ]] ; then
 		eautopoint
 		eautoreconf
 	else
-		elibtoolize  # to allow building shared libs on Solaris/x64
+		# Allow building shared libs on Solaris/x64
+		elibtoolize
 	fi
 }
 
@@ -53,24 +66,32 @@ multilib_src_configure() {
 		$(use_enable nls)
 		$(use_enable static-libs static)
 	)
-	multilib_is_native_abi ||
-		myconf+=( --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts} )
-	if ! use extra-filters; then
+
+	if ! multilib_is_native_abi ; then
+		myconf+=(
+			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+		)
+	fi
+
+	if ! use extra-filters ; then
 		myconf+=(
 			# LZMA1 + LZMA2 for standard .lzma & .xz files
 			--enable-encoders=lzma1,lzma2
 			--enable-decoders=lzma1,lzma2
+
 			# those are used by default, depending on preset
 			--enable-match-finders=hc3,hc4,bt4
+
 			# CRC64 is used by default, though some (old?) files use CRC32
 			--enable-checks=crc32,crc64
 		)
 	fi
 
 	if [[ ${CHOST} == *-solaris* ]] ; then
-		# undo Solaris-based defaults pointing to /usr/xpg5/bin
+		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
 		myconf+=( --disable-path-for-script )
-		export gl_cv_posix_shell=${EPREFIX}/bin/sh
 	fi
 
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
@@ -78,6 +99,7 @@ multilib_src_configure() {
 
 multilib_src_install() {
 	default
+
 	gen_usr_ldscript -a lzma
 }