From fcff5c1b76e50e2938b1443c7e78c1de7b16ea26 Mon Sep 17 00:00:00 2001 From: joborun Date: Tue, 2 Apr 2024 04:46:40 +0300 Subject: [PATCH] upg shadow xz --- shadow/PKGBUILD | 5 +- shadow/PKGBUILD-arch | 2 +- xz/PKGBUILD | 120 +++++++++++++++++++++++-------------------- xz/PKGBUILD-arch | 19 ++----- xz/clean | 2 +- xz/deps | 4 ++ 6 files changed, 76 insertions(+), 76 deletions(-) diff --git a/shadow/PKGBUILD b/shadow/PKGBUILD index 68a08d1..4a103b7 100644 --- a/shadow/PKGBUILD +++ b/shadow/PKGBUILD @@ -7,7 +7,7 @@ pkgname=shadow pkgver=4.15.1 -pkgrel=01 +pkgrel=02 pkgdesc="Password and account management tool suite with support for shadow files and PAM w/o systemd" url="https://github.com/shadow-maint/shadow" depends=( glibc ) @@ -123,5 +123,4 @@ sha256sums=(bb5f70639a0581f9d626f227ce45b31ac137daa7c451c0f672ce14f2731a96ee # c2faa81b894de452e6cd23660ad7e30a4e03d6a4eacb94ff209c6e578df05e61 # shadow.tmpfiles 2d4b7b85ea1d5cddf93c2d636a11b0e76c1f484474449bdb018e3af0fcbd93c3) # useradd.defaults -## ec2b1c7f737af7eb4881ef01b201f1ff6cf1410980b009342bc0a5b2d0de505d shadow-4.15.1-01-x86_64.pkg.tar.lz - +## c696c84683c9775cab6fb5fdf5dfb57d03f3f24b7f253a5f5f2b3bc17098e68a shadow-4.15.1-02-x86_64.pkg.tar.lz diff --git a/shadow/PKGBUILD-arch b/shadow/PKGBUILD-arch index 84eb2c9..cfcbfff 100644 --- a/shadow/PKGBUILD-arch +++ b/shadow/PKGBUILD-arch @@ -4,7 +4,7 @@ pkgname=shadow pkgver=4.15.1 -pkgrel=1 +pkgrel=2 pkgdesc="Password and account management tool suite with support for shadow files and PAM" arch=(x86_64) url="https://github.com/shadow-maint/shadow" diff --git a/xz/PKGBUILD b/xz/PKGBUILD index b0effcb..7c4295b 100644 --- a/xz/PKGBUILD +++ b/xz/PKGBUILD 
@@ -1,19 +1,22 @@ -echo "DO NOT USE THIS" -echo "Read comments first, use arch: core/xz 5.6.1-2 - -Due to the uncovered back door 3/29/24 -and according to Arch building from git was safer than from tar ball, but -they also - -Both tar ball and git source at github is removed -We have copies of both but we will not use either -till this clears up. - -As far as we can research ONLY when sshd was run by systemd would this -backdoor be effective, so we have nothing to worry about even if the -code is in our copies of xz - - +# March 30th 2024 concerning xz 5.6.2-01 and 02 (briefly made available at sf) +# before the compromised xz code was announced. +# +# Due to the uncovered back door 3/29/24 +# and according to Arch building from git was safer than from tar ball +# +# +# Both tar ball and git source at github is removed +# We have copies of both but we will not use either +# till this clears up. +# +# As far as we can research ONLY when sshd was run by systemd would this +# backdoor be effective, so we have nothing to worry about even if the +# code is in our copies of xz +# +# -------------------------------------------------------------------------- +# The following build is perceived cleaned up from what has been discovered +# ad compromised April 2nd 2024 +# ------------------------------------------------------------------------- #!/usr/bin/bash # JOBoRun : Jwm OpenBox Obarun RUNit 
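Review bot: The new header comment reads `# March 30th 2024 concerning xz 5.6.2-01 and 02`, but pkgver in this file is 5.6.1 and the following hunk bumps pkgrel 02→03 for 5.6.1, so the version in the comment appears to be a typo for 5.6.1; for a record of an incident-related build this should be exact. The same block has `ad compromised April 2nd 2024`, presumably `as compromised`. Suggested wording: `# March 30th 2024 concerning xz 5.6.1-01 and 02 (briefly made available at sf)` and `# as compromised April 2nd 2024`. Note that the removed `echo "DO NOT USE THIS"` / unterminated-quote lines were presumably what made the old file unsourceable as a kill switch; with them gone the file is a buildable PKGBUILD again, which I assume is intended.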
@@ -24,58 +27,59 @@ code is in our copies of xz pkgname=xz pkgver=5.6.1 -pkgrel=02 +pkgrel=03 pkgdesc='Library and command line tools for XZ and LZMA compressed files' -#makedepends=('git' 'po4a' 'doxygen') # useless doxygen branding and some icons with the trade name + +url='https://xz.tukaani.org/xz-utils/' depends=('sh') +makedepends=('git' 'po4a' 'doxygen' 'automake' 'autoconf') + provides=('liblzma.so') #options=('debug') ##### uncomment this to produce the debug pkg -url='https://xz.tukaani.org/xz-utils/' -source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig}) -#source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}") + +# source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig}) +# source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}") # previous sources # source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig}) # temporary use of unsigned mirror at SF since zoner.fi is down # Sums same with arch #source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz") ## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig}) - -#prepare() { -## cd ${pkgname} -# cd "${srcdir}/${pkgname}-${pkgver}" -# ./autogen.sh -#} +source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}") + + +prepare() { + cd ${pkgname} +# cd "${srcdir}/${pkgname}-${pkgver}" + ./autogen.sh +} -#prepare() { -# cd "${srcdir}/${pkgname}-${pkgver}" -# -# patch -p1 -i "${srcdir}/xzgrep-ZDI-CAN-16587.patch" -#} build() { - cd "${srcdir}/${pkgname}-${pkgver}" -# cd ${pkgname} - ./configure --prefix=/usr \ - --disable-rpath \ - --enable-werror +# cd "${srcdir}/${pkgname}-${pkgver}" + cd ${pkgname} + ./configure \ + --prefix=/usr \ + 
--disable-rpath \ + --enable-werror make } ## Some of the reading on this indicates the code is injected by -## blobs used to run the following tests -#check() { +## blobs used to run the following tests on tarballs from github +check() { # cd "${srcdir}/${pkgname}-${pkgver}" -## cd ${pkgname} -# make check -#} + cd ${pkgname} + make check +} package() { - cd "${srcdir}/${pkgname}-${pkgver}" -# cd ${pkgname} +# cd "${srcdir}/${pkgname}-${pkgver}" + cd ${pkgname} make DESTDIR="${pkgdir}" install - install -d -m755 "${pkgdir}/usr/share/licenses/xz/" + install -d -m0755 "${pkgdir}/usr/share/licenses/xz/" ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/" - ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2" +# ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2" } #---- arch license gpg-key & sha256sums ---- 
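Review bot: The new `source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")` has no `?signed` fragment, so makepkg never verifies the tag signature and the `validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620')` entry kept in the next hunk is applied to nothing — the git source is pinned by checksum alone. If the intent is to trust only Lasse Collin's key, use `source=("git+https://git.tukaani.org/xz.git?signed#tag=v${pkgver}")`; should the v5.6.1 tag turn out to be signed by another key, makepkg will then refuse to build, which is exactly the signal wanted here (I believe the 5.6.x release tags were made by the other maintainer, so expect a refusal and treat it as confirmation). Separately, the comment above check() says the injecting blobs were `used to run the following tests on tarballs from github`; as far as publicly reported, the malicious test files under tests/files were committed to the git repository too, and what the release tarball carried in addition was a modified m4/build-to-host.m4, which the `./autogen.sh` in prepare() regenerates here — so the comment should say `## the tarball-only m4 hook is not present in a git checkout + autogen.sh; the test blobs still are` rather than implying the git tree is free of them. Minor: `cd ${pkgname}` in prepare/build/check/package should be quoted (`cd "${pkgname}"`) for consistency with the quoted paths elsewhere in the file.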
@@ -86,18 +90,24 @@ license=('GPL' 'LGPL' 'custom') validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin +# The following checksums come from arch and from the clean git from Lasse Collin's tukaani.org server +# See arch PKGBUILD-arch for reference +# +sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc') +sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc') + +## 56e253f6c4eedb18672f60ab77b3f8fb685cc81cc441e8f2536e5250375b3ef8 xz-5.6.1-03-x86_64.pkg.tar.lz + + ## THIS WAS THE ATTACKER ### ### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan ### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445 - -# tarball sums -sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz - 2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig - -# git sums +# tarball sums github infected and so where 5.6.0.tar.gz +#sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz +# 2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig +# git sums from github #sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc') #sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz - -## Removed --- Use arch core/xz instead for now -## 8466a47ac4224181b2f56bbf17ef7afea38849abd1d1ffa2da3b5ae8b1e7f941 xz-5.6.1-02-x86_64.pkg.tar.lz +# We keep the above as reference for possible investigation of the compromised source ## + diff --git a/xz/PKGBUILD-arch b/xz/PKGBUILD-arch index 450f5da..eb61134 100644 --- a/xz/PKGBUILD-arch +++ b/xz/PKGBUILD-arch 
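Review bot: The new `sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')` and `sha512sums=('8f4ee2e5...df406fc')` are byte-identical to the commented-out `# git sums from github` values a few lines below, so moving the host to git.tukaani.org does not change the tree checked out at tag v5.6.1, and the comment `from the clean git from Lasse Collin's tukaani.org server` should not be read as meaning different content. What differs from the previous build is the source type (git checkout plus autogen.sh instead of the release tarball), not the repository contents; suggested comment: `# Same values as the github git sums kept below: the v5.6.1 tree is identical on both hosts, the difference from the earlier build is git+autogen.sh instead of the release tarball.` Also confirm that the makepkg on the build host actually validates checksums for a git source — support for non-SKIP checksums on VCS sources is recent, and on an older makepkg these arrays may be silently ignored rather than enforced.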
@@ -3,7 +3,7 @@ pkgname=xz pkgver=5.6.1 -pkgrel=2 +pkgrel=3 pkgdesc='Library and command line tools for XZ and LZMA compressed files' arch=('x86_64') url='https://xz.tukaani.org/xz-utils/' @@ -11,21 +11,8 @@ license=('GPL' 'LGPL' 'custom') depends=('sh') makedepends=('git' 'po4a' 'doxygen') provides=('liblzma.so') - - -## THIS WAS THE ATTACKER ### -### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan -### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445 - -validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin -### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan - -## THIS WAS THE ATTACKER ### -### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan -### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445 - - -source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}") +validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin +source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}") sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc') sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc') diff --git a/xz/clean b/xz/clean index 63cfd90..52439aa 100644 --- a/xz/clean +++ b/xz/clean @@ -1 +1 @@ -rm -rf {src,pkg,xz*.tar.gz*,xzgrep*patch*} +rm -rf {src,pkg,xz*.tar.gz*,xz} diff --git a/xz/deps b/xz/deps index f4099d9..d873120 100644 --- a/xz/deps +++ b/xz/deps @@ -1,3 +1,7 @@ git +po4a +doxygen +autoconf +automake
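Review bot: In xz/PKGBUILD-arch the retained `validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620')` has nothing to verify, because the new `source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")` lacks the `?signed` fragment that makes makepkg check the tag signature; the checkout is protected only by the sha256/sha512 lines. Since this file is kept as the upstream reference, check whether upstream's PKGBUILD carries `?signed` here and mirror it, or add a comment such as `# NOTE: git source is checksum-pinned only; validpgpkeys is not enforced without ?signed` so the key list is not mistaken for an active control. The xz/deps hunk that follows is cut off at the end of this chunk, so it is not reviewed here.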