upg shadow xz
This commit is contained in:
parent
f9e3b3f51f
commit
fcff5c1b76
|
|
@ -7,7 +7,7 @@
|
|||
|
||||
pkgname=shadow
|
||||
pkgver=4.15.1
|
||||
pkgrel=01
|
||||
pkgrel=02
|
||||
pkgdesc="Password and account management tool suite with support for shadow files and PAM w/o systemd"
|
||||
url="https://github.com/shadow-maint/shadow"
|
||||
depends=( glibc )
|
||||
|
|
@ -123,5 +123,4 @@ sha256sums=(bb5f70639a0581f9d626f227ce45b31ac137daa7c451c0f672ce14f2731a96ee #
|
|||
c2faa81b894de452e6cd23660ad7e30a4e03d6a4eacb94ff209c6e578df05e61 # shadow.tmpfiles
|
||||
2d4b7b85ea1d5cddf93c2d636a11b0e76c1f484474449bdb018e3af0fcbd93c3) # useradd.defaults
|
||||
|
||||
## ec2b1c7f737af7eb4881ef01b201f1ff6cf1410980b009342bc0a5b2d0de505d shadow-4.15.1-01-x86_64.pkg.tar.lz
|
||||
|
||||
## c696c84683c9775cab6fb5fdf5dfb57d03f3f24b7f253a5f5f2b3bc17098e68a shadow-4.15.1-02-x86_64.pkg.tar.lz
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
pkgname=shadow
|
||||
pkgver=4.15.1
|
||||
pkgrel=1
|
||||
pkgrel=2
|
||||
pkgdesc="Password and account management tool suite with support for shadow files and PAM"
|
||||
arch=(x86_64)
|
||||
url="https://github.com/shadow-maint/shadow"
|
||||
|
|
|
|||
120
xz/PKGBUILD
120
xz/PKGBUILD
|
|
@ -1,19 +1,22 @@
|
|||
echo "DO NOT USE THIS"
|
||||
echo "Read comments first, use arch: core/xz 5.6.1-2
|
||||
|
||||
Due to the uncovered back door 3/29/24
|
||||
and according to Arch building from git was safer than from tar ball, but
|
||||
they also
|
||||
|
||||
Both tar ball and git source at github is removed
|
||||
We have copies of both but we will not use either
|
||||
till this clears up.
|
||||
|
||||
As far as we can research ONLY when sshd was run by systemd would this
|
||||
backdoor be effective, so we have nothing to worry about even if the
|
||||
code is in our copies of xz
|
||||
|
||||
|
||||
# March 30th 2024 concerning xz 5.6.2-01 and 02 (briefly made available at sf)
|
||||
# before the compromised xz code was announced.
|
||||
#
|
||||
# Due to the uncovered back door 3/29/24
|
||||
# and according to Arch building from git was safer than from tar ball
|
||||
#
|
||||
#
|
||||
# Both tar ball and git source at github is removed
|
||||
# We have copies of both but we will not use either
|
||||
# till this clears up.
|
||||
#
|
||||
# As far as we can research ONLY when sshd was run by systemd would this
|
||||
# backdoor be effective, so we have nothing to worry about even if the
|
||||
# code is in our copies of xz
|
||||
#
|
||||
# --------------------------------------------------------------------------
|
||||
# The following build is perceived cleaned up from what has been discovered
|
||||
# ad compromised April 2nd 2024
|
||||
# -------------------------------------------------------------------------
|
||||
|
||||
#!/usr/bin/bash
|
||||
# JOBoRun : Jwm OpenBox Obarun RUNit
|
||||
|
|
@ -24,58 +27,59 @@ code is in our copies of xz
|
|||
|
||||
pkgname=xz
|
||||
pkgver=5.6.1
|
||||
pkgrel=02
|
||||
pkgrel=03
|
||||
pkgdesc='Library and command line tools for XZ and LZMA compressed files'
|
||||
#makedepends=('git' 'po4a' 'doxygen') # useless doxygen branding and some icons with the trade name
|
||||
|
||||
url='https://xz.tukaani.org/xz-utils/'
|
||||
depends=('sh')
|
||||
makedepends=('git' 'po4a' 'doxygen' 'automake' 'autoconf')
|
||||
|
||||
provides=('liblzma.so')
|
||||
#options=('debug') ##### uncomment this to produce the debug pkg
|
||||
url='https://xz.tukaani.org/xz-utils/'
|
||||
source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
|
||||
#source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
|
||||
|
||||
# source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
|
||||
# source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
|
||||
# previous sources
|
||||
# source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig})
|
||||
# temporary use of unsigned mirror at SF since zoner.fi is down
|
||||
# Sums same with arch
|
||||
#source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz")
|
||||
## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig})
|
||||
|
||||
#prepare() {
|
||||
## cd ${pkgname}
|
||||
# cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
# ./autogen.sh
|
||||
#}
|
||||
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
|
||||
|
||||
|
||||
prepare() {
|
||||
cd ${pkgname}
|
||||
# cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
./autogen.sh
|
||||
}
|
||||
|
||||
#prepare() {
|
||||
# cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
#
|
||||
# patch -p1 -i "${srcdir}/xzgrep-ZDI-CAN-16587.patch"
|
||||
#}
|
||||
|
||||
build() {
|
||||
cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
# cd ${pkgname}
|
||||
./configure --prefix=/usr \
|
||||
--disable-rpath \
|
||||
--enable-werror
|
||||
# cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
cd ${pkgname}
|
||||
./configure \
|
||||
--prefix=/usr \
|
||||
--disable-rpath \
|
||||
--enable-werror
|
||||
make
|
||||
}
|
||||
|
||||
## Some of the reading on this indicates the code is injected by
|
||||
## blobs used to run the following tests
|
||||
#check() {
|
||||
## blobs used to run the following tests on tarballs from github
|
||||
check() {
|
||||
# cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
## cd ${pkgname}
|
||||
# make check
|
||||
#}
|
||||
cd ${pkgname}
|
||||
make check
|
||||
}
|
||||
|
||||
package() {
|
||||
cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
# cd ${pkgname}
|
||||
# cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
cd ${pkgname}
|
||||
make DESTDIR="${pkgdir}" install
|
||||
install -d -m755 "${pkgdir}/usr/share/licenses/xz/"
|
||||
install -d -m0755 "${pkgdir}/usr/share/licenses/xz/"
|
||||
ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/"
|
||||
ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
|
||||
# ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
|
||||
}
|
||||
|
||||
#---- arch license gpg-key & sha256sums ----
|
||||
|
|
@ -86,18 +90,24 @@ license=('GPL' 'LGPL' 'custom')
|
|||
|
||||
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
|
||||
|
||||
# The following checksums come from arch and from the clean git from Lasse Collin's tukaani.org server
|
||||
# See arch PKGBUILD-arch for reference
|
||||
#
|
||||
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
|
||||
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
|
||||
|
||||
## 56e253f6c4eedb18672f60ab77b3f8fb685cc81cc441e8f2536e5250375b3ef8 xz-5.6.1-03-x86_64.pkg.tar.lz
|
||||
|
||||
|
||||
## THIS WAS THE ATTACKER ###
|
||||
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
|
||||
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
|
||||
|
||||
# tarball sums
|
||||
sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz
|
||||
2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
|
||||
|
||||
# git sums
|
||||
# tarball sums github infected and so where 5.6.0.tar.gz
|
||||
#sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz
|
||||
# 2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
|
||||
# git sums from github
|
||||
#sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
|
||||
#sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz
|
||||
|
||||
## Removed --- Use arch core/xz instead for now
|
||||
## 8466a47ac4224181b2f56bbf17ef7afea38849abd1d1ffa2da3b5ae8b1e7f941 xz-5.6.1-02-x86_64.pkg.tar.lz
|
||||
# We keep the above as reference for possible investigation of the compromised source
|
||||
##
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
pkgname=xz
|
||||
pkgver=5.6.1
|
||||
pkgrel=2
|
||||
pkgrel=3
|
||||
pkgdesc='Library and command line tools for XZ and LZMA compressed files'
|
||||
arch=('x86_64')
|
||||
url='https://xz.tukaani.org/xz-utils/'
|
||||
|
|
@ -11,21 +11,8 @@ license=('GPL' 'LGPL' 'custom')
|
|||
depends=('sh')
|
||||
makedepends=('git' 'po4a' 'doxygen')
|
||||
provides=('liblzma.so')
|
||||
|
||||
|
||||
## THIS WAS THE ATTACKER ###
|
||||
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
|
||||
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
|
||||
|
||||
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
|
||||
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
|
||||
|
||||
## THIS WAS THE ATTACKER ###
|
||||
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
|
||||
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
|
||||
|
||||
|
||||
source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
|
||||
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
|
||||
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
|
||||
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
|
||||
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
|
||||
|
||||
|
|
|
|||
2
xz/clean
2
xz/clean
|
|
@ -1 +1 @@
|
|||
rm -rf {src,pkg,xz*.tar.gz*,xzgrep*patch*}
|
||||
rm -rf {src,pkg,xz*.tar.gz*,xz}
|
||||
|
|
|
|||
Loading…
Reference in New Issue