From f283ca76bb529b34f98556c1fc8b78b37fadec89 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Tue, 2 Apr 2024 12:03:42 +0900
Subject: [PATCH] app-arch/xz-utils: Sync with Gentoo (revert to known-good)

The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't used in Flatcar and so far it seems that the backdoor wouldn't even be compiled for Gentoo. However, we so far don't know whether the other patches are malicious. Revert to 5.4.2 as last known-good release (like Gentoo did). Note that the Flatcar main branch had a copy of the 5.6 ebuild but was not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor but the malicious contributor did other changes of unclear impact part of this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These should get downgraded, too.

---
 changelog/security/2024-04-02-xz-utils.md | 1 +
 .../portage-stable/app-arch/xz-utils/Manifest | 6 ++++--
 ...ils-5.4.5.ebuild => xz-utils-5.4.2.ebuild} | 20 +++++++------------
 .../app-arch/xz-utils/xz-utils-9999.ebuild | 7 +++++--
 4 files changed, 17 insertions(+), 17 deletions(-)
 create mode 100644 changelog/security/2024-04-02-xz-utils.md
 rename sdk_container/src/third_party/portage-stable/app-arch/xz-utils/{xz-utils-5.4.5.ebuild => xz-utils-5.4.2.ebuild} (89%)
diff --git a/changelog/security/2024-04-02-xz-utils.md b/changelog/security/2024-04-02-xz-utils.md
new file mode 100644
index 0000000000..78553319eb
--- /dev/null
+++ b/changelog/security/2024-04-02-xz-utils.md
@@ -0,0 +1 @@
+- Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
index 976c7a3cbe..ec1a06d7c6 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
@@ -1,2 +1,4 @@
-DIST xz-5.4.5.tar.gz 2884510 BLAKE2B 647c8227080a7f37e3321e778d7f52ccb9da3810f2be81b2d2b46001605b22cef6e724f9b3facfada26a12b24401c9a11449d6066443849b37b28e0eaa199315 SHA512 91f8f548c915de0ed79cee13ce0336b51c1cebf2eb142fa1efecfd07771c662c99cad3730540fcb712057ab274130e13b87960f6b4c62f0bd9477f27a303fb2b
-DIST xz-5.4.5.tar.gz.sig 566 BLAKE2B c6ec64f92ecb30395e6d580be5d0aad1ee007585245ed42e7b05f1ea3a8cd8bf4317e8dc964c65417daa0a04e8f523c6ba8ae61a7f5b2ff3dc17dd53c7593ce2 SHA512 4f2c779d3c14bacd0451cfd68846201a48931128994c4119fcbf4f0dd7331710c32098039d38561de29327d543d67174fddbb6a83cb2fcfda9b3153cab092d4d
+DIST xz-5.4.2.tar.gz 2799022 BLAKE2B 3c622b0823f0cbb5fbc5eaa0372fc2f0fefe0950d131417f831bce47b6d9747d145429f0649de106819331f9ae6a289c497182c7b6d1e211513308dd083a9b72 SHA512 149f980338bea3d66de1ff5994b2b236ae1773135eda68b62b009df0c9dcdf5467f8cb2c06da95a71b6556d60bd3d21f475feced34d5dfdb80ee95416a2f9737
+DIST xz-5.4.2.tar.gz.sig 566 BLAKE2B 95c9c70fdd25b92095dd9691e4d9d4306a3f982becfe7bd42ca6132a76f29be2c2bc66f4fc2bda547058c18e227292f4185799eb905084fc3ab415ae867b4b1b SHA512 30e965c228ed3a8ecb804db8eb11703a765b7ee934030ea69bb3940b630811eb71bf74fd20371ef7759761904ece4f0144a0b00be4d843cf98299fd016f161aa
+DIST xz-5.4.6.tar.gz 2889306 BLAKE2B f0bbd33ea7cd64d475c3501f6e76080c8c0080e377f23462f5f76459935f4e621538ddaa8452d2feaed278d62a596e38ed2aca18ed9e76512c4ec77fa2f4cc5f SHA512 b08a61d8d478d3b4675cb1ddacdbbd98dc6941a55bcdd81a28679e54e9367d3a595fa123ac97874a17da571c1b712e2a3e901c2737099a9d268616a1ba3de497
+DIST xz-5.4.6.tar.gz.sig 566 BLAKE2B 808f1b5e2a17729f36a05ba88a9c00210cda2afa02923e6f289d13dc2a48f7674cafec6e25660e142d67f01dd941c7390cee2757b054df3a3193dde0791363a1 SHA512 d5e32b944e7492a32c40f675d918796e077f63490a23c6fce5c4d6d1eebc443f129d27a2e888913c5a36c3ffdac75b9c96c1749402283445e0ba9ff72b965741
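Review bot: The new Manifest carries DIST entries for xz-5.4.6.tar.gz and its .sig (the last two added lines) although the diffstat lists no 5.4.6 ebuild, only the 5.4.5 → 5.4.2 rename and the 9999 ebuild. Unless a 5.4.6 ebuild exists outside this commit, those two lines are dangling, and given the commit message's own doubts about the changes in the 5.4.6 cycle a reviewer would ask to drop them so the Manifest only vouches for artifacts an ebuild in the tree can fetch. The stale pair costs nothing at build time, but it keeps a "known-good" checksum on file for a release this commit deliberately moves away from.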
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
similarity index 89%
rename from sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
rename to sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
index b14b9dda36..982f62b0c1 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 # Remember: we cannot leverage autotools in this ebuild in order
@@ -6,7 +6,7 @@
 EAPI=8
-inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs
 if [[ ${PV} == 9999 ]] ; then
 # Per tukaani.org, git.tukaani.org is a mirror of github and
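Review bot: The `-6,7` hunk drops `usr-ldscript` from the inherit line, and the `-123,12` hunk of the same file (on the next page line) removes `multilib_src_install` with its `gen_usr_ldscript -a lzma` call, so what gets installed changes beyond what "revert to known-good" suggests: liblzma no longer receives the /usr/lib linker script. That is presumably the state of the Gentoo 5.4.2 ebuild being synced, but neither the commit message nor the ebuild says so, and on a downgrade motivated by a supply-chain incident every non-revert delta deserves a sentence. A short comment next to the inherit line, e.g. `# usr-ldscript/gen_usr_ldscript dropped with the Gentoo sync; confirmed nothing on the image links liblzma from /lib`, written once that has actually been confirmed for Flatcar's filesystem layout, would keep the next reader from reading it as an accidental loss.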
@@ -18,18 +18,18 @@ if [[ ${PV} == 9999 ]] ; then
 inherit git-r3 autotools
 # bug #272880 and bug #286068
- BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+ BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
 else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 inherit verify-sig
 MY_P="${PN/-utils}-${PV/_}"
 SRC_URI="
- https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
 mirror://sourceforge/lzmautils/${MY_P}.tar.gz
 https://tukaani.org/xz/${MY_P}.tar.gz
 verify-sig? (
- https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
+ https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
 https://tukaani.org/xz/${MY_P}.tar.gz.sig
 )
 "
@@ -50,7 +50,7 @@ SLOT="0"
 IUSE="doc +extra-filters pgo nls static-libs"
 if [[ ${PV} != 9999 ]] ; then
- BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
+ BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 src_prepare() {
@@ -123,12 +123,6 @@ multilib_src_compile() {
 fi
 }
-multilib_src_install() {
- default
-
- gen_usr_ldscript -a lzma
-}
-
 multilib_src_install_all() {
 find "${ED}" -type f -name '*.la' -delete || die
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
index 817c272e11..946c918493 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
@@ -20,7 +20,7 @@ if [[ ${PV} == 9999 ]] ; then
 # bug #272880 and bug #286068
 BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
 else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 inherit verify-sig
 MY_P="${PN/-utils}-${PV/_}"
@@ -50,12 +50,15 @@ SLOT="0"
 IUSE="doc +extra-filters pgo nls static-libs"
 if [[ ${PV} != 9999 ]] ; then
- BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
+ BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 src_prepare() {
 default
+
+ # Delete known-compromised test data (bug #928134)
+ rm tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die
+
 if [[ ${PV} == 9999 ]] ; then
 eautopoint
 eautoreconf
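Review bot: In xz-utils-9999.ebuild `${PV}` is always 9999, so both re-keyed lines sit in branches that never run for this file: the `else` of `[[ ${PV} == 9999 ]]` in the `-20,7` hunk and the `[[ ${PV} != 9999 ]]` guard in the `-50,12` hunk; the swap to lassecollin keeps the template in step with the versioned ebuild, but the live ebuild itself still builds unverified upstream HEAD from a repository whose recent history this very commit distrusts. A reviewer would ask whether the 9999 ebuild should be masked or removed in Flatcar until that history has been audited, rather than only re-keyed. Separately, the new `rm tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die` in src_prepare aborts the build as soon as upstream purges those files from git, which is the expected outcome for a live ebuild; `rm -f tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die` keeps the intent (the files must not be present when tests run) while still dying on a real removal error.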