JuliaPackaging · giordano · Apr 2, 2024 · Mar 31, 2024 · Mar 31, 2024 · Apr 2, 2024
diff --git a/X/XZ/build_tarballs.jl b/X/XZ/build_tarballs.jl
@@ -7,18 +7,34 @@ name = "XZ"
 # code is free from malicious backdoors, see for example
 # * https://www.openwall.com/lists/oss-security/2024/03/29/4
 # * https://boehs.org/node/everything-i-know-about-the-xz-backdoor
-version = v"5.4.6"
+# v5.2.5 is the last stable version without commits from the backdoor author
+version = v"5.2.5"
 
 # Collection of sources required to complete build
 sources = [
-    ArchiveSource("https://github.com/tukaani-project/xz/releases/download/v$(version)/xz-$(version).tar.xz",
-                  # NOTE: see comment above about changing version
-                  "cdafe1632f139c82937cc1ed824f7a60b7b0a0619dfbbd681dcac02b1ac28f5b"),
+    GitSource("https://git.tukaani.org/xz.git",
+              # NOTE: see comment above about changing version
+              "2327a461e1afce862c22269b80d3517801103c1b"),
+    DirectorySource("./bundled"),
 ]
 
 # Bash recipe for building across all platforms
 script = raw"""
-cd $WORKSPACE/srcdir/xz-*
+cd $WORKSPACE/srcdir/xz*
+if [[ "${target}" != "*mingw32*" ]]; then
+    # install `autopoint`
+    apk update && apk add gettext-dev po4a gpg gpg-agent
+fi
+
+# From https://tukaani.org/misc/lasse_collin_pubkey.txt
+gpg --import ../keys/lasse_collin_pubkey.txt
+git verify-tag `git describe --exact-match --tags HEAD`
+
+# Patch is only needed for version < v"5.2.6"
+gpg --verify ../patches/xzgrep-ZDI-CAN-16587.patch.sig
+git apply ../patches/xzgrep-ZDI-CAN-16587.patch
+
+./autogen.sh
 BUILD_FLAGS=(--prefix=${prefix} --build=${MACHTYPE} --host=${target} --with-pic)
 
 # i686 error "configure works but build fails at crc32_x86.S"
@@ -44,8 +60,11 @@ else
         ./configure "${BUILD_FLAGS[@]}" "${TOGGLE[@]}"
         make -j${nproc}
         make install
+        # Toggle does not work with v5.2.5 without clean
+        make clean
     done
 fi
+install_license COPYING
 """
 
 # These are the platforms we will build for by default, unless further

diff --git a/X/XZ/bundled/keys/lasse_collin_pubkey.txt b/X/XZ/bundled/keys/lasse_collin_pubkey.txt
@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard
+sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI
+ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf
+IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc
+Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax
+W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb
+fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7
+jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9
+vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX
+CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc
+MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB
+tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK
+ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG
+IAUCZZwJyQUJGuHiNwAKCRA47nV9aRhGIE4qD/4jdFTe3WPpLgvz/jdlbnSZxr7q
+OS6H/ZJFENHO4SbavXdoXLtj+t6/lqWq890Js8IpWaaiJLowzW1xJMEg99W6k0KD
+3pHUbwPxf0GCSAt/W4JYxdTj+1ggdHjx5yBAmOakjnOH+ZDKQNBnDOI6ghf3ew+H
+9z/b0mQX3rlQbtoqSPZtuDOdFcjCOSwEyqdV+9eNqnv2CoKZkiGoUB1WGCbqKUkY
+KiUJ3WldmPQ5RQYjEi7zZWVac1VuwBA0XOku+W4cCJ5DnPyK7CtMwC84VvaodlOX
+UAK3Y5BIZpZM2Rk6yMX5lFDA5nA8UuHJQRDjTVmh3BIdgRvp0ZV6ogtqNE7RifpW
+aBWDIsCkimcbCJJM+edOLiVZog+ia1Ts8zu33wj7Tnvp5znLc8NLZIqwu1HKLS97
+m+Yf5oC3ObTZtXbVF+OglWe/3ljLHdL2bJxNdtcVlChSNPUW3fgLHk9Fzrlnqdab
+tSGwI/0Ryt00cKjRiMOagTn5Nly6boCtgGYdQafQoSrs3eQjnWVgbNYDMgPyl4k+
+Q5RJLEY7AvtXo7FUEgOTfr9PWmjmc2JzGpxbtwl6sQi6yLrBZTRf1Xao2OjOje6G
+XdUbXNmgOv16sWxcI0s4lX1z28BgHQfwXhBFBRjw2Sy+6TfFXjX24thcpMwvyJ3c
+xhMtdY4N4jyfRjYe8IkCMwQQAQoAHRYhBCLUZfK0wXOAOyDG3ln88gf+p/RFBQJl
+oUP9AAoJEFn88gf+p/RF8vkQAK61ozYuBgfRZP4agZAxljb5x76B9r3KcLwz4LDS
+57WD90aJ+ZsMP7RRCpqd63LDFxNvX+w8advw8U5Tfg4d6xN9AdK8ApI15MG2M/YJ
+gZ89DPlnU0HbldPqk+uKNUFTI2Ngzv3Z0rzKhcDwqs0wkXRNL+a40TeNDsi4S2xi
+IVF4KvJczYnm69PwK6TIJeL3DroloOlFnHXTPsbfYnd8nzI+FZf0ZWI/mGAGQ9g8
+oZhAMVaeehqehh3XyXw6ZxOOGmPttPP8BDQd8p2kWursAvNp0jBGGMMiAww3QsCi
+2YVFcBivLhRGov3Hxl9TvHWsNLe/bMJzJT7UnanjTB6B1mt+qTZZemq14gNy1HoF
+CuX7gPHBTXFMrIchGiMoFloXTf5Jcb4sXNWYD0olSkz9vIx+5TNliMv7fi/iHXTU
+3IzpL2niy3wsIFq4e5Zn3iYTmbd7ONapNXrGOp/v/EJqTWUO2oFkoDDeXnk6E5yo
+yHJgqPEP/jRWWBsjykZ9XrkeuWP3cXPwAwkcrB25qpYd5aUDexfIiYslCrulzlsS
+pnYtIEG8LPfOcD59g+SCX6UiJY2sWhJ2ms32Pvy2mU2bbAbpJTUSav0dWXqATsNv
+q81IWkqxGHzUmHjxbiE0oXkCSIoWNgNeZ+rbjzEMLD6BE8P6R+0ca76uUcMWz8gc
+Ga6ruQINBEzEOZIBEAC/xcCnY8YD8bUqYKtUjM4GbU08i6oYBg9zWX2nR1h2ESC9
+/DQ1dyXkwO/WNs49nY+ykDw0/tGqnos01dhN4z94gkOd1Tk+HKJ7AWkAICnsaabZ
+0vk9Q6G7SAhSdBhs39B0Y+ijts0jrjorVj1pVMG71+zNCyyNvoapcdI0z6myRWf2
+Wuik7W0usXQj1VKVKmGUKaJBGXMEJlKfEPpRqCQ9rDWAmcmqet1/2gDoAhq9kV2H
+XTh+XvLxsxlvpsLQr/lkPQMt+ZhqiOTKpG2XdUG7r9m9euOxP0BBLnH0R1WyVShh
+j6RTFCbXCLcsiLeY6Pq/Qgi+ArOO3Rf/f0TcLjb6bx11MqjAUHVjWUTMeJPzRg/1
+r4j4vZupiDLouqzkLEjmqmHXFF+Datjq69zms9iT0HVH3iNt4qLdbyvIcb1AkE1d
+x3yYIYszerKVZdMkDigYhPJoiUYK4x4pR94U28aKONsQ5DQKvgkKN0AJtYmw8Sgg
+6tEXFj43AkQDf0OTJqXKHaXSpM1dMhiEuIO7OX61a4Ff5KMdq+P2MbK/CvdPfuB/
+NgI0yhl/wZrEBQkwKgZOqeyNM8YyKif8N902QUND5+K91iJVD2n82OmvfywLzdXx
+0cX/UqQgcibLMw9N0LuX+UwfILYbHZ1Zk6O444qK3RCjLcNmhDC83Vlk0P0zVQAR
+AQABiQI8BBgBCgAmAhsMFiEENpDCQM5RtGcNMK0cOO51fWkYRiAFAmWcCbIFCRrh
+4iAACgkQOO51fWkYRiC7JhAAmj7lKcwx2753vSZZ9Rv09mDs/kIZF6kedyTH1KKz
+mhHmzs02XmPljLgnVTCyas/6afna6Op7CSRWwKrrk0ZBDHv62TC4oa+cYGQd2sj5
+omTzqosx/gOWc0kSY3y3mNMZB9EtsVV/YjwRjqpcDMJKYv1mz76sNTPrkY5MHUQ/
+ReYFGy5VhF8NsV7Os9AfQkO5xtcWL/YEOeXb8yT00GhDQK8Higa0sOJBn6NXufVV
+dcnV9oP2zuLSE5N1wbquXIiqL8vIDN0Kc5hOSa/dTWR2bOS+uHUoSJ6Oczl+PbtE
+Ta/X3W+HeGBn5fn67CM1M/RALio/xfKRA4ADy6w4xVnvaXJcICTCJRxF2sBcs39d
+sgU1xDebh3dbq3rQaTT3AWVQpoSW0MyU9SzGJIbeoXAUY8E/pRWHeaMkwCXWOW0u
+tHvJt7PRJzN+twC10KwpO+DNX1bZPNR8rZH08FqeZdNcrYzvJTciq4e3cl7hpI/t
+dhvkP5qOVsU2+dc5hxqLxavJ8LmcsB9Xgxs9f5SVFpgKqodWG62Ar3et7UvmYwjf
+OMblGLmMulQD22hIkIgkhjnPCv/wsv9kvhOLFeWi4DXvKOSlj94GOzxw2PU7dozi
+NjYUoJLxRt/E6IBGT/mQExE8Rn+aqkxC23MTwpWM6/p9HHL95UTzzz+BOh7mRvyp
+jDI=
+=PHuF
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/X/XZ/bundled/patches/xzgrep-ZDI-CAN-16587.patch b/X/XZ/bundled/patches/xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+    info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index b180936..e5186ba 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+          { test $# -eq 1 || test $no_filename -eq 1; }; then
+       eval "$grep"
+     else
++      # Append a colon so that the last character will never be a newline
++      # which would otherwise get lost in shell command substitution.
++      i="$i:"
++
++      # Escape & \ | and newlines only if such characters are present
++      # (speed optimization).
+       case $i in
+       (*'
+ '* | *'&'* | *'\'* | *'|'*)
+-        i=$(printf '%s\n' "$i" |
+-            sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
+-            ');;
++        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+       esac
+-      sed_script="s|^|$i:|"
++
++      # $i already ends with a colon so don't add it here.
++      sed_script="s|^|$i|"
+
+       # Fail if grep or sed fails.
+       r=$(
+         exec 4>&1
+-        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++            LC_ALL=C sed "$sed_script" >&3 4>&-
+       ) || r=2
+       exit $r
+     fi >&3 5>&-
+-- 
+2.35.1
+
diff --git a/X/XZ/bundled/patches/xzgrep-ZDI-CAN-16587.patch.sig b/X/XZ/bundled/patches/xzgrep-ZDI-CAN-16587.patch.sig