Merge pull request #1816 from flatcar/scripts

app-arch/xz-utils: Sync with Gentoo (revert to known-good)

changelog/security/2024-04-02-xz-utils.md

@@ -0,0 +1 @@
+- Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest

@@ -1,12 +1,4 @@
-DIST xz-5.2.11.tar.gz 2130684 BLAKE2B e513f99b2e28fa79f32747e21138cc13ab9340e95a302ac742bc6bda088465488173ea212704c4612f4059bbbc6c6a5b041332d84b999dc7df5b3fab1b1ac4e9 SHA512 8f75450380563229465420f4518fa7a60bbe6f0c9a3b580c2a9a7bf9bf380ad69209f792764115c346d89c49711478e8db42325ef9a46ccd3a6ec72292890ac8
-DIST xz-5.2.11.tar.gz.sig 566 BLAKE2B 34186ea22960f508dd796736107b99e1e3884ffae683f26671f455e46e4debf87400f2d7bb64b446fb142370a8bcebc6c05dce34dcc2678a761b9401b1e23860 SHA512 036ed0f663e179057a805a41052d3e437fbfb9dbbe173c5180fbb255f5a01ac4fa2561424228f4e568e63b22802b3a4ffd88dec2ba7c41a454998ebea30bea7c
-DIST xz-5.2.12.tar.gz 2190541 BLAKE2B 9ca5ecf753ae264f542ec53b4c9a1c85466bc2a932651aafb0ae2a3ebb7d3979a9384e9a81f16173c2d6d14ca8b86e4a820191817675a5e9fd214a64cf364c98 SHA512 1a67112eb1cfd70352c41a1cbb5e34eacd6da2ae816f5020385772a7698b835d059843c2c30461beb15b7514e95906b2033dac6abf09248b5837270420dfe732
-DIST xz-5.2.12.tar.gz.sig 566 BLAKE2B 93d0fb89186ccf018d17278823c2c6cc724798acfe425fd01ecf54338e53451d94b1ad951f2f1ec58171a3eb827fcd6b5d9dcb97da72c5d8545d57d9fba0597b SHA512 0734e1838dd9ab7ba06675af0f4ff5866c0e5c268f0c3e2ca6f12fa8f27b41830d11063244b0039f8d8ba184efc1c1b7b9a7311c378a02abc1290d7727357cb6
 DIST xz-5.4.2.tar.gz 2799022 BLAKE2B 3c622b0823f0cbb5fbc5eaa0372fc2f0fefe0950d131417f831bce47b6d9747d145429f0649de106819331f9ae6a289c497182c7b6d1e211513308dd083a9b72 SHA512 149f980338bea3d66de1ff5994b2b236ae1773135eda68b62b009df0c9dcdf5467f8cb2c06da95a71b6556d60bd3d21f475feced34d5dfdb80ee95416a2f9737
 DIST xz-5.4.2.tar.gz.sig 566 BLAKE2B 95c9c70fdd25b92095dd9691e4d9d4306a3f982becfe7bd42ca6132a76f29be2c2bc66f4fc2bda547058c18e227292f4185799eb905084fc3ab415ae867b4b1b SHA512 30e965c228ed3a8ecb804db8eb11703a765b7ee934030ea69bb3940b630811eb71bf74fd20371ef7759761904ece4f0144a0b00be4d843cf98299fd016f161aa
-DIST xz-5.4.3.tar.gz 2869347 BLAKE2B c4192a59ca751567ebab17e08e72aa1bf0f5ca14af0b59fded1c4dff02c1b76ab30119a4138932f78f69bd4b7827071c81d6ca1c56be65491466ea061786ed78 SHA512 aff0fe166af6df4491a6f5df2372cab100b081452461a0e8c6fd65b72af3f250f16c64d9fb8fd309141e9b9ae4e41649f48687cc29e63dd82f27f2eab19b4023
-DIST xz-5.4.3.tar.gz.sig 566 BLAKE2B 1e3f86a2de532e77cae4c31928d57edeac81ca207e03c71523210605dc6bab76a50793697a242b232f74911c6e1872a0339ed977e2dd0d201504bd859fd3b4f4 SHA512 b7c7eedf4d9604ee50ec97275e5ab57e22a567402815281440ca765210c75707bd2de20e7ebfb0842725690ae19557916fc41a9fbdace5fec8190632b038292e
-DIST xz-5.4.4.tar.gz 2874706 BLAKE2B 0ade3767651a07a6bb4d53b510d7e97239e182788c42bc3388b97c54463ccaa968e27bcb88d34697df70381eea91279615f2622b5493ae2da22632e9576d8989 SHA512 2e27d864c9f346e53afc549d7046385b5d35a749af15d84f69de14612657df2f0e2ce71d3be03d57adadf8fd28549ecf4ef1c214bdcd1f061b5a47239e0104e8
-DIST xz-5.4.4.tar.gz.sig 566 BLAKE2B 9d695293fe479e07b4051f9b22af19191ec7cb5063da519769a24a08cff46819a4f29db002cea92e4af982410dd660d9b3185c8ef0908abbf13b86f89c0baa0f SHA512 6f12f0b30e4e5c78238f5d758443621d4126edf5ec8d02c51f06cc27e40822f0429c2018ec567eae20d118a81295f9d31e2f9101720d289bebab15f72590e9f2
-DIST xz-5.4.5.tar.gz 2884510 BLAKE2B 647c8227080a7f37e3321e778d7f52ccb9da3810f2be81b2d2b46001605b22cef6e724f9b3facfada26a12b24401c9a11449d6066443849b37b28e0eaa199315 SHA512 91f8f548c915de0ed79cee13ce0336b51c1cebf2eb142fa1efecfd07771c662c99cad3730540fcb712057ab274130e13b87960f6b4c62f0bd9477f27a303fb2b
-DIST xz-5.4.5.tar.gz.sig 566 BLAKE2B c6ec64f92ecb30395e6d580be5d0aad1ee007585245ed42e7b05f1ea3a8cd8bf4317e8dc964c65417daa0a04e8f523c6ba8ae61a7f5b2ff3dc17dd53c7593ce2 SHA512 4f2c779d3c14bacd0451cfd68846201a48931128994c4119fcbf4f0dd7331710c32098039d38561de29327d543d67174fddbb6a83cb2fcfda9b3153cab092d4d
+DIST xz-5.4.6.tar.gz 2889306 BLAKE2B f0bbd33ea7cd64d475c3501f6e76080c8c0080e377f23462f5f76459935f4e621538ddaa8452d2feaed278d62a596e38ed2aca18ed9e76512c4ec77fa2f4cc5f SHA512 b08a61d8d478d3b4675cb1ddacdbbd98dc6941a55bcdd81a28679e54e9367d3a595fa123ac97874a17da571c1b712e2a3e901c2737099a9d268616a1ba3de497
+DIST xz-5.4.6.tar.gz.sig 566 BLAKE2B 808f1b5e2a17729f36a05ba88a9c00210cda2afa02923e6f289d13dc2a48f7674cafec6e25660e142d67f01dd941c7390cee2757b054df3a3193dde0791363a1 SHA512 d5e32b944e7492a32c40f675d918796e077f63490a23c6fce5c4d6d1eebc443f129d27a2e888913c5a36c3ffdac75b9c96c1749402283445e0ba9ff72b965741

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild

@@ -1,12 +1,12 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Remember: we cannot leverage autotools in this ebuild in order
 #           to avoid circular deps with autotools
 
-EAPI=7
+EAPI=8
 
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs
 
 if [[ ${PV} == 9999 ]] ; then
 	# Per tukaani.org, git.tukaani.org is a mirror of github and
@@ -18,18 +18,18 @@ if [[ ${PV} == 9999 ]] ; then
 	inherit git-r3 autotools
 
 	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+	BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
 else
 	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 	inherit verify-sig
 
 	MY_P="${PN/-utils}-${PV/_}"
 	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
+		https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
 		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
 		https://tukaani.org/xz/${MY_P}.tar.gz
 		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
+			https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
 			https://tukaani.org/xz/${MY_P}.tar.gz.sig
 		)
 	"
@@ -47,16 +47,12 @@ HOMEPAGE="https://tukaani.org/xz/"
 # See top-level COPYING file as it outlines the various pieces and their licenses.
 LICENSE="public-domain LGPL-2.1+ GPL-2+"
 SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
+IUSE="doc +extra-filters pgo nls static-libs"
 
 if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20230213 )"
+	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 
-PATCHES=(
-	"${FILESDIR}"/${P}-Wsign-conversion.patch
-)
-
 src_prepare() {
 	default
 
@@ -107,10 +103,24 @@ multilib_src_configure() {
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
 
-multilib_src_install() {
-	default
+multilib_src_compile() {
+	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
+	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
+	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+
+	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
 
-	gen_usr_ldscript -a lzma
+	if use pgo ; then
+		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+		if tc-is-clang; then
+			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+		fi
+
+		emake clean
+		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+	fi
 }
 
 multilib_src_install_all() {