# March 30th 2024 concerning xz 5.6.2-01 and 02 (briefly made available at sf)
# before the compromised xz code was announced.
#
# Due to the uncovered back door 3/29/24
# and according to Arch building from git was safer than from tar ball
#
#
# Both tar ball and git source at github are removed
# We have copies of both but we will not use either
# till this clears up.
#
# As far as we can research ONLY when sshd was run by systemd would this
# backdoor be effective (public analysis attributes this to sshd being linked
# against libsystemd, which pulls liblzma into the sshd process), so we have
# nothing to worry about even if the code is in our copies of xz
#
# --------------------------------------------------------------------------
# The following build is perceived cleaned up from what has been discovered
# as compromised April 2nd 2024
# -------------------------------------------------------------------------

#!/usr/bin/bash
# JOBoRun : Jwm OpenBox Obarun RUNit
# Maintainer : Joe Bo Run <joborun@disroot.org>
# PkgSource : url="https://gittea.disroot.org/joborun-pkg/jobcore/$pkgname"
# Website : https://pozol.eu
#-----------------------------------------| DESCRIPTION |---------------------------------------
pkgname=xz
pkgver=5.6.1
pkgrel=03
pkgdesc="Library and command line tools for XZ and LZMA compressed files"

url="https://xz.tukaani.org/xz-utils/"
depends=(sh)
makedepends=(git po4a doxygen automake autoconf)

# liblzma.so is the soname reverse dependencies link against
provides=(liblzma.so)
#options=('debug') ##### uncomment this to produce the debug pkg

# Source history, newest first. The release tarball and the github mirror are
# the ones the notes above treat as compromised, so both stay commented out:
# source=("https://github.com/tukaani-project/xz/releases/download/v${pkgver}/xz-${pkgver}.tar.gz"{,.sig})
# source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
# previous sources
# source=("https://tukaani.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.sig})
# temporary use of unsigned mirror at SF since zoner.fi is down
# Sums same with arch
#source=("xz-5.2.9.tar.gz:https://downloads.sourceforge.net/project/lzmautils/xz-5.2.9.tar.gz?ts=gAAAAABjiAaACqaAp0YyfNS0hoSgTfR8z7zafIiHfu8jZuEf9Dk3IX7wbWPwuuekp1LHnfAHvVrsFD4kpAbKm9HOsRMfAzd3CA%3D%3D&r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Flzmautils%2Ffiles%2Fxz-5.2.9.tar.gz")
## "https://tukaani.org/${pkgname}/xzgrep-ZDI-CAN-16587.patch"{,.sig})
#
# Current source: upstream's own git server, checked out at the release tag.
# NOTE(review): a #tag= ref is mutable on the remote; pinning #commit=<hash of
# the v5.6.1 tag, taken from a trusted reference> would make the checkout
# tamper-evident by itself instead of relying only on the sums further down.
source=("git+https://git.tukaani.org/xz.git#tag=v${pkgver}")
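#######################################
# Bootstrap the build system inside the git checkout.
# Globals:   pkgname (read); makepkg runs this with $srcdir as the cwd
# Arguments: none
# Returns:   non-zero if the checkout directory is missing or autogen.sh fails
#######################################
prepare() {
  # Quote the expansion and fail loudly on a missing directory instead of
  # running autogen.sh from whatever directory we happen to be in.
  cd "${pkgname}" || return 1
  # cd "${srcdir}/${pkgname}-${pkgver}"
  # Regenerate configure/Makefile.in from the checkout rather than using the
  # pre-generated ones a release tarball would ship.
  ./autogen.sh
}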
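#######################################
# Configure and compile xz from the checkout prepared above.
# Globals:   pkgname (read); makepkg runs this with $srcdir as the cwd
# Arguments: none
# Returns:   non-zero if the checkout directory is missing or any step fails
#######################################
build() {
  # cd "${srcdir}/${pkgname}-${pkgver}"
  cd "${pkgname}" || return 1
  # --disable-rpath keeps a build-tree rpath out of the installed binaries;
  # --enable-werror turns compiler warnings into build failures.
  ./configure \
    --prefix=/usr \
    --disable-rpath \
    --enable-werror
  make
}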
## Some of the reading on this indicates the code was injected via
## blobs used to run the following tests, in the tarballs from github
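#######################################
# Run the upstream test suite against the freshly built tree.
# Globals:   pkgname (read); makepkg runs this with $srcdir as the cwd
# Arguments: none
# Returns:   non-zero if the checkout directory is missing or a test fails
#######################################
check() {
  # cd "${srcdir}/${pkgname}-${pkgver}"
  cd "${pkgname}" || return 1
  make check
}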
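#######################################
# Install into the staging directory and add the license symlink.
# Globals:   pkgname, pkgdir (read); makepkg runs this with $srcdir as the cwd
# Arguments: none
# Returns:   non-zero if pkgdir is unset, the checkout directory is missing,
#            or any install step fails
#######################################
package() {
  # An empty pkgdir would turn the paths below into host paths under /usr.
  : "${pkgdir:?pkgdir must be set}"
  # cd "${srcdir}/${pkgname}-${pkgver}"
  cd "${pkgname}" || return 1
  make DESTDIR="${pkgdir}" install
  # Point the licenses directory at the COPYING file under /usr/share/doc/xz
  # (presumably placed there by `make install`). The symlink target is
  # absolute, so it resolves only on the installed system, not in $pkgdir.
  install -d -m0755 "${pkgdir}/usr/share/licenses/xz/"
  ln -sf /usr/share/doc/xz/COPYING "${pkgdir}/usr/share/licenses/xz/"
  # ln -sf /usr/share/licenses/common/GPL2/license.txt "${pkgdir}/usr/share/doc/xz/COPYING.GPLv2"
}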
#---- arch license gpg-key & sha256sums ----
arch=('x86_64')

license=(GPL LGPL custom)

# Lasse Collin <lasse.collin@tukaani.org>, upstream maintainer
validpgpkeys=('3690C240CE51B4670D30AD1C38EE757D69184620')

# Sums for the git source above; they match arch and the clean git on Lasse
# Collin's tukaani.org server (see PKGBUILD-arch for reference).
# NOTE(review): makepkg treats checksums for VCS sources differently from
# tarball sources — confirm these are actually compared against the checkout
# rather than skipped. As far as I know a plain git #tag= source is not
# signature-checked against validpgpkeys unless the source URL carries
# makepkg's `?signed` fragment, so without a real checksum comparison the
# key above is not exercised by this build at all.
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
## 56e253f6c4eedb18672f60ab77b3f8fb685cc81cc441e8f2536e5250375b3ef8 xz-5.6.1-03-x86_64.pkg.tar.lz


## THIS WAS THE ATTACKER ###
### '22D465F2B4C173803B20C6DE59FCF207FEA7F445') # Jia Tan <jiat0218@gmail.com>
### REMOVE THIS FROM YOUR KEYRING: gpg --delete-keys 22D465F2B4C173803B20C6DE59FCF207FEA7F445
# tarball sums from github were infected, and so were those of 5.6.0.tar.gz
#sha256sums=(2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8 # xz-5.6.1.tar.gz
# 2a0745db95fee581cba776c3f68e75729d8bdc0f3db6e4453d6391894c100dac) # xz-5.6.1.tar.gz.sig
# git sums from github
#sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')
#sha256sums=(e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc) # xz
# We keep the above as reference for possible investigation of the compromised source
##
