diff --git a/changelog/security/2024-04-02-xz-utils.md b/changelog/security/2024-04-02-xz-utils.md
new file mode 100644
index 0000000000..78553319eb
--- /dev/null
+++ b/changelog/security/2024-04-02-xz-utils.md
@@ -0,0 +1 @@
+- Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
index 976c7a3cbe..ec1a06d7c6 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
@@ -1,2 +1,4 @@
-DIST xz-5.4.5.tar.gz 2884510 BLAKE2B 647c8227080a7f37e3321e778d7f52ccb9da3810f2be81b2d2b46001605b22cef6e724f9b3facfada26a12b24401c9a11449d6066443849b37b28e0eaa199315 SHA512 91f8f548c915de0ed79cee13ce0336b51c1cebf2eb142fa1efecfd07771c662c99cad3730540fcb712057ab274130e13b87960f6b4c62f0bd9477f27a303fb2b
-DIST xz-5.4.5.tar.gz.sig 566 BLAKE2B c6ec64f92ecb30395e6d580be5d0aad1ee007585245ed42e7b05f1ea3a8cd8bf4317e8dc964c65417daa0a04e8f523c6ba8ae61a7f5b2ff3dc17dd53c7593ce2 SHA512 4f2c779d3c14bacd0451cfd68846201a48931128994c4119fcbf4f0dd7331710c32098039d38561de29327d543d67174fddbb6a83cb2fcfda9b3153cab092d4d
+DIST xz-5.4.2.tar.gz 2799022 BLAKE2B 3c622b0823f0cbb5fbc5eaa0372fc2f0fefe0950d131417f831bce47b6d9747d145429f0649de106819331f9ae6a289c497182c7b6d1e211513308dd083a9b72 SHA512 149f980338bea3d66de1ff5994b2b236ae1773135eda68b62b009df0c9dcdf5467f8cb2c06da95a71b6556d60bd3d21f475feced34d5dfdb80ee95416a2f9737
+DIST xz-5.4.2.tar.gz.sig 566 BLAKE2B 95c9c70fdd25b92095dd9691e4d9d4306a3f982becfe7bd42ca6132a76f29be2c2bc66f4fc2bda547058c18e227292f4185799eb905084fc3ab415ae867b4b1b SHA512 30e965c228ed3a8ecb804db8eb11703a765b7ee934030ea69bb3940b630811eb71bf74fd20371ef7759761904ece4f0144a0b00be4d843cf98299fd016f161aa
+DIST xz-5.4.6.tar.gz 2889306 BLAKE2B f0bbd33ea7cd64d475c3501f6e76080c8c0080e377f23462f5f76459935f4e621538ddaa8452d2feaed278d62a596e38ed2aca18ed9e76512c4ec77fa2f4cc5f SHA512 b08a61d8d478d3b4675cb1ddacdbbd98dc6941a55bcdd81a28679e54e9367d3a595fa123ac97874a17da571c1b712e2a3e901c2737099a9d268616a1ba3de497
+DIST xz-5.4.6.tar.gz.sig 566 BLAKE2B 808f1b5e2a17729f36a05ba88a9c00210cda2afa02923e6f289d13dc2a48f7674cafec6e25660e142d67f01dd941c7390cee2757b054df3a3193dde0791363a1 SHA512 d5e32b944e7492a32c40f675d918796e077f63490a23c6fce5c4d6d1eebc443f129d27a2e888913c5a36c3ffdac75b9c96c1749402283445e0ba9ff72b965741
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
similarity index 89%
rename from sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
rename to sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
index b14b9dda36..982f62b0c1 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 # Remember: we cannot leverage autotools in this ebuild in order
@@ -6,7 +6,7 @@ EAPI=8
-inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs
 if [[ ${PV} == 9999 ]] ; then
 # Per tukaani.org, git.tukaani.org is a mirror of github and
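Review bot: Dropping `usr-ldscript` from `inherit` here, together with deleting `multilib_src_install` and its `gen_usr_ldscript -a lzma` call in the hunk at line 123 of the same file, changes how liblzma is laid out on the installed system and is unrelated to the CVE-2024-3094 downgrade this commit describes. If the change is deliberate (it looks like it was carried over from a newer upstream ebuild), it should be called out in the changelog entry so the downgrade stays reviewable as a pure version revert; otherwise keep the 5.4.5 install logic and change only the version, key and SRC_URI lines. The `if [[ ${PV} == 9999 ]]` block opened at the end of this hunk continues outside it.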
@@ -18,18 +18,18 @@ if [[ ${PV} == 9999 ]] ; then
 inherit git-r3 autotools
 # bug #272880 and bug #286068
- BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+ BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
 else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 inherit verify-sig
 MY_P="${PN/-utils}-${PV/_}"
 SRC_URI="
- https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
 mirror://sourceforge/lzmautils/${MY_P}.tar.gz
 https://tukaani.org/xz/${MY_P}.tar.gz
 verify-sig? (
- https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
 https://tukaani.org/xz/${MY_P}.tar.gz.sig
 )
 "
@@ -50,7 +50,7 @@ SLOT="0"
 IUSE="doc +extra-filters pgo nls static-libs"
 if [[ ${PV} != 9999 ]] ; then
- BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
+ BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 src_prepare() {
@@ -123,12 +123,6 @@ multilib_src_compile() {
 fi
 }
-multilib_src_install() {
- default
-
- gen_usr_ldscript -a lzma
-}
-
 multilib_src_install_all() {
 find "${ED}" -type f -name '*.la' -delete || die
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
index 817c272e11..946c918493 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
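Review bot: The first hunk changes the 9999 branch's build dependency to `>=dev-build/libtool-2` while the sibling `xz-utils-9999.ebuild` touched by this same commit keeps `>=sys-devel/libtool-2` as an unchanged context line; the branch is dead for PV=5.4.2, but the two ebuilds should agree on which libtool atom this portage-stable tree actually provides, so confirm `dev-build/libtool` exists here before keeping it. Separately, the `verify-sig? ( ... )` part of SRC_URI now pairs the 5.4.2 tarball and its `.sig` with `lassecollin.asc`, yet the Manifest hunk also adds DIST entries for 5.4.6 that no ebuild in this diff references; dropping those two lines keeps the Manifest limited to the one tarball and signature the ebuild fetches and verifies. The `src_prepare()` opened at the end of the second hunk continues outside it.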
@@ -20,7 +20,7 @@ if [[ ${PV} == 9999 ]] ; then
 # bug #272880 and bug #286068
 BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
 else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 inherit verify-sig
 MY_P="${PN/-utils}-${PV/_}"
@@ -50,12 +50,15 @@ SLOT="0"
 IUSE="doc +extra-filters pgo nls static-libs"
 if [[ ${PV} != 9999 ]] ; then
- BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
+ BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 src_prepare() {
 default
+ # Delete known-compromised test data (bug #928134)
+ rm tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die
+
 if [[ ${PV} == 9999 ]] ; then
 eautopoint
 eautoreconf
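Review bot: `rm tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die` in `src_prepare` makes the live build abort as soon as upstream's git tree no longer contains either file, because plain `rm` exits non-zero on a missing path; for a 9999 ebuild that tracks master, `rm -f tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die` keeps the hard failure for real I/O or permission errors without tying the build to the current contents of upstream's test directory. The comment above it names only the bug number; a reader later on is better served by `# Remove the test vectors tied to the CVE-2024-3094 backdoor before the test suite can touch them (bug #928134)`. The 5.4.2 ebuild in this commit does not get the same removal, presumably because that release predates the files, but a one-line comment there or in the changelog would spare the next reviewer the question. The `if [[ ${PV} == 9999 ]]` block at the end of the hunk continues outside it.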