commit:     c015a04fb35f5dc82c0a45d2b1a5b2bf57b3c6f3
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Apr  3 15:25:32 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Apr  3 15:26:01 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c015a04f

app-arch/xz-utils: add 5.6.4-r1 (patch CVE-2025-31115)

Bug: https://bugs.gentoo.org/953086
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-arch/xz-utils/Manifest                 |   2 +
 app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild | 205 +++++++++++++++++++++++++++++
 2 files changed, 207 insertions(+)

diff --git a/app-arch/xz-utils/Manifest b/app-arch/xz-utils/Manifest
index 44dcd1e4e27d..c1ed5ae0af25 100644
--- a/app-arch/xz-utils/Manifest
+++ b/app-arch/xz-utils/Manifest
@@ -4,3 +4,5 @@ DIST xz-5.8.0.tar.gz 2579807 BLAKE2B 
4fe1f19e5951640b27e7405da4de40a811caf434914
 DIST xz-5.8.0.tar.gz.sig 566 BLAKE2B 
38f925e96b1f1dd9e9afc0c0b68e7c30921e8ac46f8ca62bfdd9145356b3ef4c359ae77f89c8b1ef76ca8197e34bf743a6617bcc1a76a44491ff9fedac65783c
 SHA512 
88eb39a2078ff235f1ae9222e789d06f55d225845072a96b0e6ef8f218781aad04cc53623537b0b18607d3cd7c51b6cee3c07b36d912b3a8b7c9991ebfe795d3
 DIST xz-5.8.1.tar.gz 2587189 BLAKE2B 
430b14bc0f1382e7ba27ae1466ed2bc0c3e74c10b18db38fd899c9a7d315ffbbeb439d02b7b961de88ccba6064ae631c75f6d1cd03e3e58dac2e65a84b635f81
 SHA512 
151b2a47fdf00274c4fd71ceada8fb6c892bdac44070847ebf3259e602b97c95ee5ee88974e03d7aa821ab4f16d5c38e50dfb2baf660cf39c199878a666e19ad
 DIST xz-5.8.1.tar.gz.sig 566 BLAKE2B 
66fdf664995781c111349b700918b030af9dacd0612d97b3426913c2d866b459a66bd25558c7ab8121b3f0b07daa46422ea1c4534cf2da7382a94f1553e911a1
 SHA512 
4a67ed623841d64a5826cef1d5e21f3567ba275ee8f725a1217f76ce2ba25a41c6e22e62f8c7cca74d0d6e8398e8ee8926eab722cc8c1b10c42e990c32765efd
+DIST xz-cve-2025-31115.patch 11948 BLAKE2B 
a84c380aa6bdaa607d5bffe6370f7a2fb603945aa89f59f053d56e4be90a280b2c56d8e5fd6700a533fb24bd9ec54f047fed96364019f62eeea50adcf4e38657
 SHA512 
951622698f92844151f105821e1cf5bbe4fd71de5a2ac89a2310c6de80afe34528642c65d12dd4331085e1c23ba3887607bbd6185644c740cbf135c869881a33
+DIST xz-cve-2025-31115.patch.sig 566 BLAKE2B 
d6d4bad23ceaec55b6db04a4454885900f961dd6346c112cb97906e2403b718790e3f893d2502ba67ac1a08832478051ea480bdcf339bbf89d0edd13f40a47b4
 SHA512 
4002472637389c265fbe0f2ad7d80fe29a79bc4d8c1778af76e7cfd29b80d86c3be947ebf620a282494f45071f61534e385c5bed2192e6095ec2fc1338c31ccb

diff --git a/app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild 
b/app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild
new file mode 100644
index 000000000000..462281552628
--- /dev/null
+++ b/app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild
@@ -0,0 +1,205 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Remember: we cannot leverage autotools in this ebuild in order
+#           to avoid circular deps with autotools
+
+EAPI=8
+
+inherit libtool multilib multilib-minimal preserve-libs toolchain-funcs
+
+if [[ ${PV} == 9999 ]] ; then
+       # Per tukaani.org, git.tukaani.org is a mirror of github and
+       # may be behind.
+       EGIT_REPO_URI="
+               https://github.com/tukaani-project/xz
+               https://git.tukaani.org/xz.git
+       "
+       inherit git-r3 autotools
+
+       # bug #272880 and bug #286068
+       BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
+else
+       VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
+       inherit verify-sig
+
+       MY_P="${PN/-utils}-${PV/_}"
+       SRC_URI="
+               
https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
+               https://downloads.sourceforge.net/lzmautils/${MY_P}.tar.gz
+               https://tukaani.org/xz/${MY_P}.tar.gz
+               https://tukaani.org/xz/xz-cve-2025-31115.patch
+               verify-sig? (
+                       
https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
+                       https://tukaani.org/xz/${MY_P}.tar.gz.sig
+                       https://tukaani.org/xz/xz-cve-2025-31115.patch.sig
+               )
+       "
+
+       if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+               KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips 
~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos 
~ppc-macos ~x64-macos ~x64-solaris"
+       fi
+
+       S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Utils for managing LZMA compressed files"
+HOMEPAGE="https://tukaani.org/xz/";
+
+# See top-level COPYING file as it outlines the various pieces and their 
licenses.
+LICENSE="0BSD LGPL-2.1+ GPL-2+ doc? ( CC-BY-SA-4.0 )"
+SLOT="0"
+IUSE="cpu_flags_arm_crc32 doc +extra-filters pgo nls static-libs"
+
+if [[ ${PV} != 9999 ]] ; then
+       BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20240529 )"
+fi
+
+PATCHES=(
+       "${DISTDIR}"/xz-cve-2025-31115.patch
+)
+
+src_prepare() {
+       default
+
+       if [[ ${PV} == 9999 ]] ; then
+               eautopoint
+               eautoreconf
+       else
+               # Allow building shared libs on Solaris/x64
+               elibtoolize
+       fi
+}
+
+multilib_src_configure() {
+       local myconf=(
+               --enable-threads
+               $(multilib_native_use_enable doc)
+               $(use_enable nls)
+               $(use_enable static-libs static)
+               $(use_enable cpu_flags_arm_crc32 arm64-crc32)
+       )
+
+       if ! multilib_is_native_abi ; then
+               myconf+=(
+                       --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+               )
+       fi
+
+       if ! use extra-filters ; then
+               myconf+=(
+                       # LZMA1 + LZMA2 for standard .lzma & .xz files
+                       --enable-encoders=lzma1,lzma2
+                       --enable-decoders=lzma1,lzma2
+
+                       # those are used by default, depending on preset
+                       --enable-match-finders=hc3,hc4,bt4
+
+                       # CRC64 is used by default, though 7-Zip uses CRC32 by 
default.
+                       # Also, XZ Embedded in Linux doesn't support CRC64, so
+                       # kernel modules and friends are CRC32.
+                       --enable-checks=crc32,crc64
+               )
+       fi
+
+       if [[ ${CHOST} == *-solaris* ]] ; then
+               export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+               # Undo Solaris-based defaults pointing to /usr/xpg4/bin
+               myconf+=( --disable-path-for-script )
+       fi
+
+       ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+       local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic 
-fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo")
+       local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo 
-fprofile-dir=${T}/${ABI}-pgo")
+
+       emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+       if use pgo ; then
+               emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+               local tar_pgo_args=()
+
+               if has_version -b "app-alternatives/tar[gnu]" ; then
+                       tar_pgo_args+=(
+                               --mtime=@2718281828
+                               --sort=name
+                       )
+               fi
+
+               if multilib_is_native_abi ; then
+                       (
+                               shopt -s globstar
+
+                               tar \
+                                       "${tar_pgo_args[@]}" \
+                                       -cf xz-pgo-test-01.tar \
+                                       {"${S}","${BUILD_DIR}"}/**/*.[cho] \
+                                       {"${S}","${BUILD_DIR}"}/**/.libs/* \
+                                       {"${S}","${BUILD_DIR}"}/**/**.txt \
+                                       {"${S}","${BUILD_DIR}"}/tests/files
+
+                               stat --printf="xz-pgo-test-01.tar.tar size: 
%s\n" xz-pgo-test-01.tar || die
+                               md5sum xz-pgo-test-01.tar || die
+                       )
+
+                       local test_variants=(
+                               # Borrowed from ALT Linux
+                               # 
https://packages.altlinux.org/en/sisyphus/srpms/xz/specfiles/#line-80
+                               '-0 -C none'
+                               '-2 -C crc32'
+                               "$(usev extra-filters '-6 --arm --lzma2 -C 
crc64')"
+                               "$(usev extra-filters '-6 --x86 --lzma2=lc=4 -C 
sha256')"
+                               '-7e --format=lzma'
+
+                               # Our own variants
+                               ''
+                               '-e'
+                               "$(usev extra-filters '--x86 
--lzma2=preset=6e')"
+                       )
+                       local test_variant
+                       for test_variant in "${test_variants[@]}" ; do
+                               einfo "Testing '${test_variant}' variant"
+                               "${BUILD_DIR}"/src/xz/xz -c ${test_variant} 
xz-pgo-test-01.tar | "${BUILD_DIR}"/src/xz/xz -c -d - > /dev/null
+                               assert "Testing '${test_variant}' variant 
failed"
+                       done
+               fi
+
+               if tc-is-clang; then
+                       llvm-profdata merge "${T}"/${ABI}-pgo 
--output="${T}"/${ABI}-pgo/default.profdata || die
+               fi
+
+               emake clean
+               emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+       fi
+}
+
+multilib_src_install() {
+       default
+
+       # bug #934370 and bug #450436 (and bug #934515)
+       if ! tc-is-static-only && [[ ! -f 
"${ED}/usr/$(get_libdir)/liblzma$(get_libname)" ]] ; then
+               eerror "Sanity check for liblzma$(get_libname) failed."
+               eerror "Shared library wasn't built, possible libtool bug"
+               [[ -z ${I_KNOW_WHAT_I_AM_DOING} ]] && die 
"liblzma$(get_libname) not found in build, aborting"
+       fi
+}
+
+multilib_src_install_all() {
+       find "${ED}" -type f -name '*.la' -delete || die
+
+       if use doc ; then
+               rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
+       fi
+}
+
+pkg_preinst() {
+       preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
+
+pkg_postinst() {
+       preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
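Review bot: The `PATCHES` array at the top-level (the `"${DISTDIR}"/xz-cve-2025-31115.patch` entry) is unconditional, but the patch itself is only added to `SRC_URI` in the non-9999 `else` branch, so if this layout is kept in sync with the live ebuild the `PATCHES=(…)` assignment belongs inside that `else` block next to the `S=` line; for this fixed-version ebuild the 9999 branch is never taken, so this is a structural point rather than a runtime defect. The entry also names only the CVE; the file's existing convention is to cite the tracking bug on non-obvious lines (`# bug #272880 and bug #286068`), so a `# bug #953086` comment above `PATCHES=(` would let a reader find the advisory without the commit log. Verification of the downloaded patch rests on the `verify-sig` default `src_unpack` matching `xz-cve-2025-31115.patch.sig` under USE=verify-sig, and otherwise on the Manifest digests added in the first hunk; noting that in the same comment (`# verified via verify-sig / Manifest digests`) would make the trust chain for a distfile-applied security patch explicit.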
