From fcff5c1b76e50e2938b1443c7e78c1de7b16ea26 Mon Sep 17 00:00:00 2001
From: joborun <joborun@disroot.org>
Date: Tue, 2 Apr 2024 04:46:40 +0300
Subject: [PATCH] upg shadow xz

---
 shadow/PKGBUILD      |   5 +-
 shadow/PKGBUILD-arch |   2 +-
 xz/PKGBUILD          | 120 +++++++++++++++++++++++--------------------
 xz/PKGBUILD-arch     |  19 ++-----
 xz/clean             |   2 +-
 xz/deps              |   4 ++
 6 files changed, 76 insertions(+), 76 deletions(-)

diff --git a/shadow/PKGBUILD b/shadow/PKGBUILD
index 68a08d1..4a103b7 100644
--- a/shadow/PKGBUILD
+++ b/shadow/PKGBUILD
@@ -7,7 +7,7 @@
 
 pkgname=shadow
 pkgver=4.15.1
-pkgrel=01
+pkgrel=02
 pkgdesc="Password and account management tool suite with support for shadow files and PAM w/o systemd"
 url="https://github.com/shadow-maint/shadow"
 depends=( glibc )
@@ -123,5 +123,4 @@ sha256sums=(bb5f70639a0581f9d626f227ce45b31ac137daa7c451c0f672ce14f2731a96ee  #
 	c2faa81b894de452e6cd23660ad7e30a4e03d6a4eacb94ff209c6e578df05e61  # shadow.tmpfiles
 	2d4b7b85ea1d5cddf93c2d636a11b0e76c1f484474449bdb018e3af0fcbd93c3) # useradd.defaults
 
-##  ec2b1c7f737af7eb4881ef01b201f1ff6cf1410980b009342bc0a5b2d0de505d  shadow-4.15.1-01-x86_64.pkg.tar.lz
-
+##  c696c84683c9775cab6fb5fdf5dfb57d03f3f24b7f253a5f5f2b3bc17098e68a  shadow-4.15.1-02-x86_64.pkg.tar.lz
diff --git a/shadow/PKGBUILD-arch b/shadow/PKGBUILD-arch
index 84eb2c9..cfcbfff 100644
--- a/shadow/PKGBUILD-arch
+++ b/shadow/PKGBUILD-arch
@@ -4,7 +4,7 @@
 
 pkgname=shadow
 pkgver=4.15.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Password and account management tool suite with support for shadow files and PAM"
 arch=(x86_64)
 url="https://github.com/shadow-maint/shadow"
diff --git a/xz/PKGBUILD b/xz/PKGBUILD
index b0effcb..7c4295b 100644
--- a/xz/PKGBUILD
+++ b/xz/PKGBUILD
@@ -1,19 +1,22 @@
-echo "DO NOT USE THIS" 
-echo "Read comments first, use arch: core/xz 5.6.1-2
-
-Due to the uncovered back door 3/29/24
-and according to Arch building from git was safer than from tar ball, but
-they also
-
-Both tar ball and git source at github is removed
-We have copies of both but we will not use either
-till this clears up.
-
-As far as we can research ONLY when sshd was run by systemd would this
-backdoor be effective, so we have nothing to worry about even if the
-code is in our copies of xz
-
-
+# March 30th 2024 concerning xz 5.6.2-01 and 02 (briefly made available at sf)
+# before the compromised xz code was announced.
+#
+# Due to the uncovered back door 3/29/24
+# and according to Arch building from git was safer than from tar ball
+# 
+#
+# Both tar ball and git source at github is removed
+# We have copies of both but we will not use either
+# till this clears up.
+#
+# As far as we can research ONLY when sshd was run by systemd would this
+# backdoor be effective, so we have nothing to worry about even if the
+# code is in our copies of xz
+#
+# --------------------------------------------------------------------------
+# The following build is perceived cleaned up from what has been discovered
+# ad compromised April 2nd 2024
+# -------------------------------------------------------------------------
 
 #!/usr/bin/bash
 # JOBoRun		: Jwm OpenBox Obarun RUNit
@@ -24,58 +27,59 @@ code is in our copies of xz
 
 pkgname=xz
 pkgver=5.6.1
-pkgrel=02
+pkgrel=03
 pkgdesc='Library and command line tools for XZ and LZMA compressed files'
-#makedepends=('git' 'po4a' 'doxygen') # useless doxygen branding and some icons with the trade name
+
+url='https://xz.tukaani.org/xz-utils/'
 depends=('sh')
+makedepends=('git' 'po4a' 'doxygen' 'automake' 'autoconf')
+
 provides=('liblzma.so')
 #options=('debug')   ##### uncomment this to produce the debug pkg
-url='https://xz.tukaani.org/xz-utils/'
-source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
-#source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
+
+# source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
+# source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
 # previous sources
 # source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig})
 # temporary use of unsigned mirror at SF since zoner.fi is down
 # Sums same with arch 
 #source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz")
 ##        "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig})
- 
-#prepare() {
-##  cd ${pkgname}
-#  cd "${srcdir}/${pkgname}-${pkgver}"
-#  ./autogen.sh
-#}
+source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
+
+ 
+prepare() {
+  cd ${pkgname}
+#  cd "${srcdir}/${pkgname}-${pkgver}"
+  ./autogen.sh
+}
 
-#prepare() {
-#	cd "${srcdir}/${pkgname}-${pkgver}"
-#
-#	patch -p1 -i "${srcdir}/xzgrep-ZDI-CAN-16587.patch"
-#}
 
 build() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-#  cd ${pkgname}
-	./configure --prefix=/usr \
-		--disable-rpath \
-		--enable-werror
+#	cd "${srcdir}/${pkgname}-${pkgver}"
+  cd ${pkgname}
+	./configure \
+	  --prefix=/usr \
+	  --disable-rpath \
+	  --enable-werror
 	make
 }
 
 ##   Some of the reading on this indicates the code is injected by 
-##   blobs used to run the following tests
-#check() {
+##   blobs used to run the following tests on tarballs from github
+check() {
 #	cd "${srcdir}/${pkgname}-${pkgver}"
-##  cd ${pkgname}
-#	make check
-#}
+  cd ${pkgname}
+	make check
+}
 
 package() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-#  cd ${pkgname}
+#	cd "${srcdir}/${pkgname}-${pkgver}"
+  cd ${pkgname}
 	make DESTDIR="${pkgdir}" install
-	install -d -m755 "${pkgdir}/usr/share/licenses/xz/"
+	install -d -m0755 "${pkgdir}/usr/share/licenses/xz/"
 	ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/"
-	ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
+#	ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
 }
 
 #---- arch license gpg-key & sha256sums ----
@@ -86,18 +90,24 @@ license=('GPL' 'LGPL' 'custom')
 
 validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
 
+# The following checksums come from arch and from the clean git from Lasse Collin's tukaani.org server
+# See arch PKGBUILD-arch for reference
+# 
+sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
+sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
+
+##  56e253f6c4eedb18672f60ab77b3f8fb685cc81cc441e8f2536e5250375b3ef8  xz-5.6.1-03-x86_64.pkg.tar.lz
+
+
 ##   THIS WAS THE ATTACKER  ###
 ###              '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
 ###  REMOVE THIS FROM YOUR KEYRING:  gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445   
-
-# tarball sums
-sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8  # xz-5.6.1.tar.gz
-	2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
-
-# git sums
+# tarball sums github infected and so where 5.6.0.tar.gz 
+#sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8  # xz-5.6.1.tar.gz
+#	2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
+# git sums from github
 #sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
 #sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz
-
-##  Removed  --- Use arch core/xz instead for now 
-##  8466a47ac4224181b2f56bbf17ef7afea38849abd1d1ffa2da3b5ae8b1e7f941  xz-5.6.1-02-x86_64.pkg.tar.lz
+# We keep the above as reference for possible investigation of the compromised source
 ##  
+
diff --git a/xz/PKGBUILD-arch b/xz/PKGBUILD-arch
index 450f5da..eb61134 100644
--- a/xz/PKGBUILD-arch
+++ b/xz/PKGBUILD-arch
@@ -3,7 +3,7 @@
 
 pkgname=xz
 pkgver=5.6.1
-pkgrel=2
+pkgrel=3
 pkgdesc='Library and command line tools for XZ and LZMA compressed files'
 arch=('x86_64')
 url='https://xz.tukaani.org/xz-utils/'
@@ -11,21 +11,8 @@ license=('GPL' 'LGPL' 'custom')
 depends=('sh')
 makedepends=('git' 'po4a' 'doxygen')
 provides=('liblzma.so')
-
-
-##   THIS WAS THE ATTACKER  ###
-###              '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
-###  REMOVE THIS FROM YOUR KEYRING:  gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445   
-
-validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620')  # Lasse Collin <lasse.collin@tukaani.org>
-###              '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
-
-##   THIS WAS THE ATTACKER  ###
-###              '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
-###  REMOVE THIS FROM YOUR KEYRING:  gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445   
-
-
-source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
+validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
+source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
 sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
 sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
 
diff --git a/xz/clean b/xz/clean
index 63cfd90..52439aa 100644
--- a/xz/clean
+++ b/xz/clean
@@ -1 +1 @@
-rm -rf {src,pkg,xz*.tar.gz*,xzgrep*patch*}
+rm -rf {src,pkg,xz*.tar.gz*,xz}
diff --git a/xz/deps b/xz/deps
index f4099d9..d873120 100644
--- a/xz/deps
+++ b/xz/deps
@@ -1,3 +1,7 @@
 git
+po4a
+doxygen
+autoconf
+automake