upg shadow xz

joborun linux 2024-04-02 04:46:40 +03:00
parent f9e3b3f51f
commit fcff5c1b76
6 changed files with 76 additions and 76 deletions


@ -7,7 +7,7 @@
pkgname=shadow
pkgver=4.15.1
pkgrel=01
pkgrel=02
pkgdesc="Password and account management tool suite with support for shadow files and PAM w/o systemd"
url="https://github.com/shadow-maint/shadow"
depends=( glibc )
@ -123,5 +123,4 @@ sha256sums=(bb5f70639a0581f9d626f227ce45b31ac137daa7c451c0f672ce14f2731a96ee #
c2faa81b894de452e6cd23660ad7e30a4e03d6a4eacb94ff209c6e578df05e61 # shadow.tmpfiles
2d4b7b85ea1d5cddf93c2d636a11b0e76c1f484474449bdb018e3af0fcbd93c3) # useradd.defaults
## ec2b1c7f737af7eb4881ef01b201f1ff6cf1410980b009342bc0a5b2d0de505d shadow-4.15.1-01-x86_64.pkg.tar.lz
## c696c84683c9775cab6fb5fdf5dfb57d03f3f24b7f253a5f5f2b3bc17098e68a shadow-4.15.1-02-x86_64.pkg.tar.lz


@ -4,7 +4,7 @@
pkgname=shadow
pkgver=4.15.1
pkgrel=1
pkgrel=2
pkgdesc="Password and account management tool suite with support for shadow files and PAM"
arch=(x86_64)
url="https://github.com/shadow-maint/shadow"


@ -1,19 +1,22 @@
echo "DO NOT USE THIS"
echo "Read comments first, use arch: core/xz 5.6.1-2
Due to the uncovered back door 3/29/24
and according to Arch building from git was safer than from tar ball, but
they also
Both tar ball and git source at github is removed
We have copies of both but we will not use either
till this clears up.
As far as we can research ONLY when sshd was run by systemd would this
backdoor be effective, so we have nothing to worry about even if the
code is in our copies of xz
# March 30th 2024 concerning xz 5.6.2-01 and 02 (briefly made available at sf)
# before the compromised xz code was announced.
#
# Due to the uncovered back door 3/29/24
# and according to Arch building from git was safer than from tar ball
#
#
# Both tar ball and git source at github is removed
# We have copies of both but we will not use either
# till this clears up.
#
# As far as we can research ONLY when sshd was run by systemd would this
# backdoor be effective, so we have nothing to worry about even if the
# code is in our copies of xz
#
# --------------------------------------------------------------------------
# The following build is perceived cleaned up from what has been discovered
# ad compromised April 2nd 2024
# -------------------------------------------------------------------------
#!/usr/bin/bash
# JOBoRun : Jwm OpenBox Obarun RUNit
@ -24,58 +27,59 @@ code is in our copies of xz
pkgname=xz
pkgver=5.6.1
pkgrel=02
pkgrel=03
pkgdesc='Library and command line tools for XZ and LZMA compressed files'
#makedepends=('git' 'po4a' 'doxygen') # useless doxygen branding and some icons with the trade name
url='https://xz.tukaani.org/xz-utils/'
depends=('sh')
makedepends=('git' 'po4a' 'doxygen' 'automake' 'autoconf')
provides=('liblzma.so')
#options=('debug') ##### uncomment this to produce the debug pkg
url='https://xz.tukaani.org/xz-utils/'
source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
#source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
# source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
# source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
# previous sources
# source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig})
# temporary use of unsigned mirror at SF since zoner.fi is down
# Sums same with arch
#source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz")
## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig})
#prepare() {
## cd ${pkgname}
# cd "${srcdir}/${pkgname}-${pkgver}"
# ./autogen.sh
#}
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
prepare() {
cd ${pkgname}
# cd "${srcdir}/${pkgname}-${pkgver}"
./autogen.sh
}
#prepare() {
# cd "${srcdir}/${pkgname}-${pkgver}"
#
# patch -p1 -i "${srcdir}/xzgrep-ZDI-CAN-16587.patch"
#}
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
# cd ${pkgname}
./configure --prefix=/usr \
--disable-rpath \
--enable-werror
# cd "${srcdir}/${pkgname}-${pkgver}"
cd ${pkgname}
./configure \
--prefix=/usr \
--disable-rpath \
--enable-werror
make
}
## Some of the reading on this indicates the code is injected by
## blobs used to run the following tests
#check() {
## blobs used to run the following tests on tarballs from github
check() {
# cd "${srcdir}/${pkgname}-${pkgver}"
## cd ${pkgname}
# make check
#}
cd ${pkgname}
make check
}
package() {
cd "${srcdir}/${pkgname}-${pkgver}"
# cd ${pkgname}
# cd "${srcdir}/${pkgname}-${pkgver}"
cd ${pkgname}
make DESTDIR="${pkgdir}" install
install -d -m755 "${pkgdir}/usr/share/licenses/xz/"
install -d -m0755 "${pkgdir}/usr/share/licenses/xz/"
ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/"
ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
# ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
}
#---- arch license gpg-key & sha256sums ----
@ -86,18 +90,24 @@ license=('GPL' 'LGPL' 'custom')
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
# The following checksums come from arch and from the clean git from Lasse Collin's tukaani.org server
# See arch PKGBUILD-arch for reference
#
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
## 56e253f6c4eedb18672f60ab77b3f8fb685cc81cc441e8f2536e5250375b3ef8 xz-5.6.1-03-x86_64.pkg.tar.lz
## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
# tarball sums
sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz
2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
# git sums
# tarball sums github infected and so where 5.6.0.tar.gz
#sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz
# 2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
# git sums from github
#sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
#sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz
## Removed --- Use arch core/xz instead for now
## 8466a47ac4224181b2f56bbf17ef7afea38849abd1d1ffa2da3b5ae8b1e7f941 xz-5.6.1-02-x86_64.pkg.tar.lz
# We keep the above as reference for possible investigation of the compromised source
##
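Review bot: With source= now pointing at the git clone and the .tar.gz.sig no longer fetched, the validpgpkeys line at the top of the last hunk verifies nothing, so the checkout rests on trust in the tukaani.org host and the tag name; ask makepkg to verify the tag signature instead with `source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}?signed")`. If the v5.6.1 tag turns out not to be signed by the remaining key, the build fails, which is the outcome wanted here rather than a bug. The sha256sums/sha512sums values kept below that line describe a tarball, and to my knowledge makepkg accepts only SKIP for a VCS source, so confirm with a local build whether that check fails or is silently meaningless, and replace them with `sha256sums=('SKIP')` once the tag is signature-verified. The same applies to the reference PKGBUILD-arch section further down (validpgpkeys and the git source at its last lines). The unquoted `cd ${pkgname}` added in prepare/build/check/package would also be cleaner as `cd "${pkgname}"`.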


@ -3,7 +3,7 @@
pkgname=xz
pkgver=5.6.1
pkgrel=2
pkgrel=3
pkgdesc='Library and command line tools for XZ and LZMA compressed files'
arch=('x86_64')
url='https://xz.tukaani.org/xz-utils/'
@ -11,21 +11,8 @@ license=('GPL' 'LGPL' 'custom')
depends=('sh')
makedepends=('git' 'po4a' 'doxygen')
provides=('liblzma.so')
## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')


@ -1 +1 @@
rm -rf {src,pkg,xz*.tar.gz*,xzgrep*patch*}
rm -rf {src,pkg,xz*.tar.gz*,xz}


@ -1,3 +1,7 @@
git
po4a
doxygen
autoconf
automake