upg shadow xz

joborun linux 2024-04-02 04:46:40 +03:00
parent f9e3b3f51f
commit fcff5c1b76
6 changed files with 76 additions and 76 deletions


@ -7,7 +7,7 @@
pkgname=shadow pkgname=shadow
pkgver=4.15.1 pkgver=4.15.1
pkgrel=01 pkgrel=02
pkgdesc="Password and account management tool suite with support for shadow files and PAM w/o systemd" pkgdesc="Password and account management tool suite with support for shadow files and PAM w/o systemd"
url="https://github.com/shadow-maint/shadow" url="https://github.com/shadow-maint/shadow"
depends=( glibc ) depends=( glibc )
@ -123,5 +123,4 @@ sha256sums=(bb5f70639a0581f9d626f227ce45b31ac137daa7c451c0f672ce14f2731a96ee #
c2faa81b894de452e6cd23660ad7e30a4e03d6a4eacb94ff209c6e578df05e61 # shadow.tmpfiles c2faa81b894de452e6cd23660ad7e30a4e03d6a4eacb94ff209c6e578df05e61 # shadow.tmpfiles
2d4b7b85ea1d5cddf93c2d636a11b0e76c1f484474449bdb018e3af0fcbd93c3) # useradd.defaults 2d4b7b85ea1d5cddf93c2d636a11b0e76c1f484474449bdb018e3af0fcbd93c3) # useradd.defaults
## ec2b1c7f737af7eb4881ef01b201f1ff6cf1410980b009342bc0a5b2d0de505d shadow-4.15.1-01-x86_64.pkg.tar.lz ## c696c84683c9775cab6fb5fdf5dfb57d03f3f24b7f253a5f5f2b3bc17098e68a shadow-4.15.1-02-x86_64.pkg.tar.lz


@ -4,7 +4,7 @@
pkgname=shadow pkgname=shadow
pkgver=4.15.1 pkgver=4.15.1
pkgrel=1 pkgrel=2
pkgdesc="Password and account management tool suite with support for shadow files and PAM" pkgdesc="Password and account management tool suite with support for shadow files and PAM"
arch=(x86_64) arch=(x86_64)
url="https://github.com/shadow-maint/shadow" url="https://github.com/shadow-maint/shadow"


@ -1,19 +1,22 @@
echo "DO NOT USE THIS" # March 30th 2024 concerning xz 5.6.2-01 and 02 (briefly made available at sf)
echo "Read comments first, use arch: core/xz 5.6.1-2 # before the compromised xz code was announced.
#
Due to the uncovered back door 3/29/24 # Due to the uncovered back door 3/29/24
and according to Arch building from git was safer than from tar ball, but # and according to Arch building from git was safer than from tar ball
they also #
#
Both tar ball and git source at github is removed # Both tar ball and git source at github is removed
We have copies of both but we will not use either # We have copies of both but we will not use either
till this clears up. # till this clears up.
#
As far as we can research ONLY when sshd was run by systemd would this # As far as we can research ONLY when sshd was run by systemd would this
backdoor be effective, so we have nothing to worry about even if the # backdoor be effective, so we have nothing to worry about even if the
code is in our copies of xz # code is in our copies of xz
#
# --------------------------------------------------------------------------
# The following build is perceived cleaned up from what has been discovered
# ad compromised April 2nd 2024
# -------------------------------------------------------------------------
#!/usr/bin/bash #!/usr/bin/bash
# JOBoRun : Jwm OpenBox Obarun RUNit # JOBoRun : Jwm OpenBox Obarun RUNit
@ -24,58 +27,59 @@ code is in our copies of xz
pkgname=xz pkgname=xz
pkgver=5.6.1 pkgver=5.6.1
pkgrel=02 pkgrel=03
pkgdesc='Library and command line tools for XZ and LZMA compressed files' pkgdesc='Library and command line tools for XZ and LZMA compressed files'
#makedepends=('git' 'po4a' 'doxygen') # useless doxygen branding and some icons with the trade name
url='https://xz.tukaani.org/xz-utils/'
depends=('sh') depends=('sh')
makedepends=('git' 'po4a' 'doxygen' 'automake' 'autoconf')
provides=('liblzma.so') provides=('liblzma.so')
#options=('debug') ##### uncomment this to produce the debug pkg #options=('debug') ##### uncomment this to produce the debug pkg
url='https://xz.tukaani.org/xz-utils/'
source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig}) # source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
#source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}") # source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
# previous sources # previous sources
# source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig}) # source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig})
# temporary use of unsigned mirror at SF since zoner.fi is down # temporary use of unsigned mirror at SF since zoner.fi is down
# Sums same with arch # Sums same with arch
#source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz") #source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz")
## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig}) ## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig})
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
#prepare() {
## cd ${pkgname}
# cd "${srcdir}/${pkgname}-${pkgver}" prepare() {
# ./autogen.sh cd ${pkgname}
#} # cd "${srcdir}/${pkgname}-${pkgver}"
./autogen.sh
}
#prepare() {
# cd "${srcdir}/${pkgname}-${pkgver}"
#
# patch -p1 -i "${srcdir}/xzgrep-ZDI-CAN-16587.patch"
#}
build() { build() {
cd "${srcdir}/${pkgname}-${pkgver}" # cd "${srcdir}/${pkgname}-${pkgver}"
# cd ${pkgname} cd ${pkgname}
./configure --prefix=/usr \ ./configure \
--disable-rpath \ --prefix=/usr \
--enable-werror --disable-rpath \
--enable-werror
make make
} }
## Some of the reading on this indicates the code is injected by ## Some of the reading on this indicates the code is injected by
## blobs used to run the following tests ## blobs used to run the following tests on tarballs from github
#check() { check() {
# cd "${srcdir}/${pkgname}-${pkgver}" # cd "${srcdir}/${pkgname}-${pkgver}"
## cd ${pkgname} cd ${pkgname}
# make check make check
#} }
package() { package() {
cd "${srcdir}/${pkgname}-${pkgver}" # cd "${srcdir}/${pkgname}-${pkgver}"
# cd ${pkgname} cd ${pkgname}
make DESTDIR="${pkgdir}" install make DESTDIR="${pkgdir}" install
install -d -m755 "${pkgdir}/usr/share/licenses/xz/" install -d -m0755 "${pkgdir}/usr/share/licenses/xz/"
ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/" ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/"
ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2" # ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
} }
#---- arch license gpg-key & sha256sums ---- #---- arch license gpg-key & sha256sums ----
@ -86,18 +90,24 @@ license=('GPL' 'LGPL' 'custom')
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org> validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
# The following checksums come from arch and from the clean git from Lasse Collin's tukaani.org server
# See arch PKGBUILD-arch for reference
#
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
## 56e253f6c4eedb18672f60ab77b3f8fb685cc81cc441e8f2536e5250375b3ef8 xz-5.6.1-03-x86_64.pkg.tar.lz
## THIS WAS THE ATTACKER ### ## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com> ### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445 ### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
# tarball sums github infected and so where 5.6.0.tar.gz
# tarball sums #sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz
sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz # 2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig # git sums from github
# git sums
#sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc') #sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
#sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz #sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz
# We keep the above as reference for possible investigation of the compromised source
## Removed --- Use arch core/xz instead for now
## 8466a47ac4224181b2f56bbf17ef7afea38849abd1d1ffa2da3b5ae8b1e7f941 xz-5.6.1-02-x86_64.pkg.tar.lz
## ##
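Review bot: The new `source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")` line gives up the signature check that the previous `{,.sig}` tarball source provided, so the `validpgpkeys` entry for Lasse Collin is no longer checked against anything and the build is pinned only to a tag name, which is a mutable ref that whoever controls the repository can move. makepkg can verify a signed git tag against `validpgpkeys` when the fragment carries the `?signed` query, i.e. `source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}?signed")`, which would restore the end-to-end check that the comment block at the top of this file describes as the goal. The `sha256sums=('e10fa…')` and `sha512sums=('8f4ee…')` values kept below `validpgpkeys` appear to be the sums previously recorded for the github git source (per the `# git sums from github` comment), and makepkg is expected to skip checksum verification for VCS sources anyway, so they should be `'SKIP'` or clearly marked informational rather than left looking like a hash pin on the clone. The reference PKGBUILD-arch section that follows makes the same source switch and would benefit from the same `?signed` fragment. Minor: the re-enabled `cd ${pkgname}` in prepare/build/check/package should be quoted, `cd "${srcdir}/${pkgname}"`, matching the quoting style of the commented-out lines next to it.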


@ -3,7 +3,7 @@
pkgname=xz pkgname=xz
pkgver=5.6.1 pkgver=5.6.1
pkgrel=2 pkgrel=3
pkgdesc='Library and command line tools for XZ and LZMA compressed files' pkgdesc='Library and command line tools for XZ and LZMA compressed files'
arch=('x86_64') arch=('x86_64')
url='https://xz.tukaani.org/xz-utils/' url='https://xz.tukaani.org/xz-utils/'
@ -11,21 +11,8 @@ license=('GPL' 'LGPL' 'custom')
depends=('sh') depends=('sh')
makedepends=('git' 'po4a' 'doxygen') makedepends=('git' 'po4a' 'doxygen')
provides=('liblzma.so') provides=('liblzma.so')
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620') # Lasse Collin <lasse.collin@tukaani.org>
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc') sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc') sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')


@ -1 +1 @@
rm -rf {src,pkg,xz*.tar.gz*,xzgrep*patch*} rm -rf {src,pkg,xz*.tar.gz*,xz}


@ -1,3 +1,7 @@
git git
po4a
doxygen
autoconf
automake