Bug 953088 - app-arch/xz-utils-5.6.4-r1: security stabilisation
Summary: app-arch/xz-utils-5.6.4-r1: security stabilisation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: CC-ARCHES, SECURITY
Depends on: 953102
Blocks: CVE-2025-31115
Reported: 2025-04-03 15:27 UTC by Sam James
Modified: 2025-04-03 20:42 UTC

See Also:
Package list:
app-arch/xz-utils-5.6.4-r1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 15:27:42 UTC
Thanks! Will CC-ARCHES shortly, want to let mirrors get it first (so AT workers don't try it and fail).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:04:31 UTC
amd64 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:04:32 UTC
x86 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:06:48 UTC
arm done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:06:49 UTC
arm64 done
Comment 5 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:52:15 UTC
ppc64 done
Comment 6 m1027 2025-04-03 19:02:35 UTC
Build fails here:

 * Verifying xz-cve-2025-31115.patch ...
ERROR    OpenPGP verification failed for <_io.BufferedReader name='/var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-cve-2025-31115.patch'> (sig in
         /var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-cve-2025-31115.patch.sig):
         OpenPGP signature rejected because of expired key:
         gpg: Signature made Thu Apr  3 11:43:30 2025 UTC
         gpg:                using RSA key 3690C240CE51B4670D30AD1C38EE757D69184620
         gpg: Good signature from "Lasse Collin <lasse.collin@tukaani.org>" [expired]
         gpg: Note: This key has expired!
         Primary key fingerprint: 3690 C240 CE51 B467 0D30  AD1C 38EE 757D 6918 4620


I can file a separate issue if you wish so. Thanks
Comment 7 Larry the Git Cow gentoo-dev 2025-04-03 19:11:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd29e74a3459ea368880c73a17a76818d8ea7ae

commit bdd29e74a3459ea368880c73a17a76818d8ea7ae
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 19:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 19:09:07 +0000

    app-arch/xz-utils: update verify-sig dep for 5.6.x
    
    The issue is that I decided last-minute to use the downloaded patch for 5.6.x,
    and for 5.6.x, I hadn't updated the dep, while for 5.8.x and the live template,
    of course I had.
    
    Closes: https://bugs.gentoo.org/953102
    Bug: https://bugs.gentoo.org/953088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c560a1fa8b0c07664809678374db07b4ee7a795e

commit c560a1fa8b0c07664809678374db07b4ee7a795e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 19:08:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 19:08:51 +0000

    sec-keys/openpgp-keys-lassecollin: stabilize 20250313-r1 for ALLARCHES
    
    Bug: https://bugs.gentoo.org/953088
    Bug: https://bugs.gentoo.org/953102
    Signed-off-by: Sam James <sam@gentoo.org>

 .../openpgp-keys-lassecollin-20250313-r1.ebuild                         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 20:42:06 UTC
hppa done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 20:42:07 UTC
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 20:42:08 UTC
sparc done

all arches done