Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 953088

Summary: app-arch/xz-utils-5.6.4-r1: security stabilisation
Product: Gentoo Linux Reporter: Sam James <sam>
Component: StabilizationAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: m1027
Priority: Normal Keywords: CC-ARCHES, SECURITY
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
app-arch/xz-utils-5.6.4-r1
 Runtime testing required: ---
Bug Depends on: 953102    
Bug Blocks: 953086    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 15:27:42 UTC 
Thanks! Will CC-ARCHES shortly, want to let mirrors get it first (so AT workers don't try it and fail).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:04:31 UTC 
amd64 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:04:32 UTC 
x86 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:06:48 UTC 
arm done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:06:49 UTC 
arm64 done
Comment 5 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 16:52:15 UTC 
ppc64 done
Comment 6 m1027 2025-04-03 19:02:35 UTC 
Build fails here:

 * Verifying xz-cve-2025-31115.patch ...
ERROR    OpenPGP verification failed for <_io.BufferedReader name='/var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-cve-2025-31115.patch'> (sig in
         /var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-cve-2025-31115.patch.sig):
         OpenPGP signature rejected because of expired key:
         gpg: Signature made Thu Apr  3 11:43:30 2025 UTC
         gpg:                using RSA key 3690C240CE51B4670D30AD1C38EE757D69184620
         gpg: Good signature from "Lasse Collin <lasse.collin@tukaani.org>" [expired]
         gpg: Note: This key has expired!
         Primary key fingerprint: 3690 C240 CE51 B467 0D30  AD1C 38EE 757D 6918 4620


I can file a separate issue if you wish so. Thanks
Comment 7 Larry the Git Cow gentoo-dev 2025-04-03 19:11:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd29e74a3459ea368880c73a17a76818d8ea7ae

commit bdd29e74a3459ea368880c73a17a76818d8ea7ae
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 19:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 19:09:07 +0000

    app-arch/xz-utils: update verify-sig dep for 5.6.x
    
    The issue is that I decided last-minute to use the downloaded patch for 5.6.x,
    and for 5.6.x, I hadn't updated the dep, while for 5.8.x and the live template,
    of course I had.
    
    Closes: https://bugs.gentoo.org/953102
    Bug: https://bugs.gentoo.org/953088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c560a1fa8b0c07664809678374db07b4ee7a795e

commit c560a1fa8b0c07664809678374db07b4ee7a795e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 19:08:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 19:08:51 +0000

    sec-keys/openpgp-keys-lassecollin: stabilize 20250313-r1 for ALLARCHES
    
    Bug: https://bugs.gentoo.org/953088
    Bug: https://bugs.gentoo.org/953102
    Signed-off-by: Sam James <sam@gentoo.org>

 .../openpgp-keys-lassecollin-20250313-r1.ebuild                         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 20:42:06 UTC 
hppa done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 20:42:07 UTC 
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-03 20:42:08 UTC 
sparc done

all arches done