apache-commons-compress/apache-commons-compress.changes

-------------------------------------------------------------------
Mon Feb 19 13:14:54 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to 1.26
* Fixing several vulnerabilities
+ bsc#1220068, CVE-2024-26308
+ bsc#1220070, CVE-2024-25710
* New Features
+ Add and use ZipFile.builder(), ZipFile.Builder, and deprecate
constructors
+ Add and use SevenZFile.builder(), SevenZFile.Builder, and
deprecate constructors
+ Add and use ArchiveInputStream.getCharset()
+ Add and use ArchiveEntry.resolveIn(Path)
+ Add Maven property project.build.outputTimestamp for build
reproducibility
* Fixed Bugs
+ COMPRESS-632: Check for invalid PAX values in TarArchiveEntry
+ COMPRESS-632: Fix for zero size headers in ArjInputStream
+ COMPRESS-632: Fixes and tests for ArInputStream
+ COMPRESS-632: Fixes for dump file parsing
+ COMPRESS-632: Improve CPIO exception detection and handling
+ Deprecate SkipShieldingInputStream without replacement (no
longer used)
+ Reuse commons-codec, don't duplicate class PureJavaCrc32C
(removed package-private class)
+ Reuse commons-codec, don't duplicate class XXHash32
(deprecated class)
+ Reuse commons-io, don't duplicate class Charsets (deprecated
class)
+ Reuse commons-io, don't duplicate class IOUtils (deprecated
methods)
+ Reuse commons-io, don't duplicate class BoundedInputStream
(deprecated class)
+ Reuse commons-io, don't duplicate class FileTimes (deprecated
TimeUtils methods)
+ Reuse Arrays.equals(byte[], byte[]) and deprecate
ArchiveUtils.isEqual(byte[], byte[])
+ Add a null-check for the class loader of OsgiUtils
+ Add a null-check in Pack200.newInstance(String, String)
+ Deprecate ChecksumCalculatingInputStream in favor of
java.util.zip.CheckedInputStream
+ Deprecate CRC32VerifyingInputStream
.CRC32VerifyingInputStream(InputStream, long, int)
+ COMPRESS-655: FramedSnappyCompressorOutputStream produces
incorrect output when writing a large buffer
+ COMPRESS-657: Fix TAR directory entries being misinterpreted
as files
+ Deprecate unused method FileNameUtils.getBaseName(String)
+ Deprecate unused method FileNameUtils.getExtension(String)
+ ArchiveInputStream.BoundedInputStream.read() incorrectly adds
1 for EOF to the bytes read count
+ Deprecate IOUtils.read(File, byte[])
+ Deprecate IOUtils.copyRange(InputStream, long, OutputStream,
int)
+ COMPRESS-653: ZipArchiveOutputStream multi archive updates
metadata in incorrect file
+ Deprecate ByteUtils.InputStreamByteSupplier
+ Deprecate ByteUtils.fromLittleEndian(InputStream, int)
+ Deprecate ByteUtils.toLittleEndian(DataOutput, long, int)
+ Reduce duplication by having ArchiveInputStream extend
FilterInputStream
+ Support preamble garbage in ZipArchiveInputStream
+ COMPRESS-658: Fix formatting the lowest expressible DOS time
+ Drop reflection from ExtraFieldUtils static initialization
+ Preserve exception causation in
ExtraFieldUtils.register(Class)
- Upgrade to 1.25.0
* New features:
+ Add GzipParameters.getFileName() and deprecate getFilename()
+ Add GzipParameters.setFileName(String) and deprecate
setFilename(String)
+ Add FileNameUtil.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add FileNameUtil.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add FileNameUtil.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add BZip2Utils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add BZip2Utils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add BZip2Utils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add LZMAUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add LZMAUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add LZMAUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add XYUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add XYUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add XYUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add GzipUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add GzipUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add GzipUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add SevenZOutputFile.putArchiveEntry(SevenZArchiveEntry) and
deprecate putArchiveEntry(ArchiveEntry)
+ Add generics to ChangeSet and ChangeSetPerformer
+ Add generics to ArchiveStreamProvider and friends
+ Add a generic type parameter to ArchiveOutputStream and avoid
unchecked/unconfirmed type casts in subclasses
+ Add a generic type parameter to ArchiveInputStream and
deprecate redundant get methods in subclasses
+ COMPRESS-648: Add ability to restrict autodetection in
CompressorStreamFactory
* Fixed Bugs:
+ Precompile regular expression in
ArArchiveInputStream.isBSDLongName(String)
+ Precompile regular expression in
ArArchiveInputStream.isGNULongName(String)
+ Precompile regular expression in
TarArchiveEntry.parseInstantFromDecimalSeconds(String)
+ Precompile regular expression in
ChangeSet.addDeletion(Change)
+ COMPRESS-649: Improve performance in
BlockLZ4CompressorOutputStream
+ Null-guard Lister.main(String[]) for programmatic invocation
+ NPE in pack200.NewAttributeBands.Reference
.addAttributeToBand(NewAttribute, InputStream)
+ Incorrect lazy initialization and update of static field in
pack200.CodecEncoding.getSpecifier(Codec, Codec)
+ Incorrect string comparison in unpack200.AttributeLayout
.numBackwardsCallables()
+ Inefficient use of keySet iterator instead of entrySet
iterator in pack200.PackingOptions
.addOrUpdateAttributeActions(List, Map, int)
+ Package private class pack200.IcBands.IcTuple should be a
static inner class
+ Private class ZipFile.BoundedFileChannelInputStream should be
a static inner class
+ Refactor internal SevenZ AES256SHA256Decoder InputStream into
a named static inner class
+ Refactor internal SevenZ AES256SHA256Decoder OutputStream into
a named static inner class
+ Use the root Locale for string conversion of command line
options in org.apache.commons.compress.archivers.sevenz.CLI
+ Calling PackingUtils.config(PackingOptions) with null now
closes the internal FileHandler
+ COMPRESS-650: LZ4 compressor throws IndexOutOfBoundsException
+ COMPRESS-632: LZWInputStream.initializeTables(int) should
throw IllegalArgumentException instead of
ArrayIndexOutOfBoundsException
+ COMPRESS-647: Throw IOException instead of
ArrayIndexOutOfBoundsException when reading Zip with data
descriptor entries
- Update to 1.24.0
* New features:
+ Make ZipArchiveEntry.getLocalHeaderOffset() public
* Fixed Bugs:
+ Use try-with-resources in ArchiveStreamFactory
+ Javadoc and code comments: Sanitize grammar issues and typos
+ Remove redundant (null) initializations
+ [StepSecurity] ci: Harden GitHub Actions
- Update to 1.23.0
* New features:
+ COMPRESS-614: Use FileTime for time fields in
SevenZipArchiveEntry
+ COMPRESS-621: Fix calculation of the offset of the first ZIP
central directory entry
+ COMPRESS-633: Add encryption support for SevenZ
+ COMPRESS-613: Support for extra time data in Zip archives
+ COMPRESS-621: Add org.apache.commons.compress.archivers.zip
.DefaultBackingStoreSupplier to write to a custom folder
instead of the default temporary folder.
+ COMPRESS-600: Add capability to configure Deflater strategy
in GzipCompressorOutputStream:
GzipParameters.setDeflateStrategy(int).
* Fixed Bugs:
+ Implicit narrowing conversion in compound assignment
+ Avoid NPE in FileNameUtils.getBaseName(Path) for paths with
zero elements like root paths
+ Avoid NPE in FileNameUtils.getExtension(Path) for paths with
zero elements like root paths
+ LZMA2Decoder.decode() loses original exception
+ Extract conditions and avoid duplicate code.
+ Remove duplicate conditions. Use switch instead.
+ Replace JUnit 3 and 4 with JUnit 5
+ Make 'ZipFile.offsetComparator' static
+ COMPRESS-638: The GzipCompressorOutputStream#writeHeader()
uses ISO_8859_1 to write the file name and comment. If the
strings contain non-ISO_8859_1 characters, unknown characters
are displayed after decompression. Use percent encoding for
non ISO_8859_1 characters.
+ Port some code from IO to NIO APIs
+ pack200: Fix FileBands misusing InputStream#read(byte[])
+ COMPRESS-641: Add TarArchiveEntry.getLinkFlag()
+ COMPRESS-642: Integer overflow ArithmeticException in
TarArchiveOutputStream
+ COMPRESS-642: org.apache.commons.compress.archivers.zip
.ZipFile.finalize() should not write to std err.
* Removed:
+ Remove BZip2CompressorOutputStream.finalize() which only wrote
to std err
- Update to 1.22
* New features:
+ COMPRESS-602: Migrate zip package to use NIO
+ Add APK file extension constants: ArchiveStreamFactory.APK,
APKM, APKS, XAPK
+ ArchiveStreamFactory.createArchiveInputStream(String,
InputStream, String) supports the "APK" format (it's a JAR)
+ Expander example now has NIO Path versions of IO File APIs
+ COMPRESS-612: Improve TAR support for file times
+ Add SevenZArchiveEntry.setContentMethods(SevenZMethodConfiguration...)
* Fixed Bugs:
+ Fix some compiler warnings in pack200 packages
+ Close File input stream after unpacking in
Pack200UnpackerAdapter.unpack(File, JarOutputStream)
+ Pack200UnpackerAdapter.unpack(InputStream, JarOutputStream)
should not close its given input stream
+ COMPRESS-596: Fix minor problem in examples.
+ COMPRESS-584: Add a limit to the copy buffer in
IOUtils.readRange() to avoid reading more from a channel than
asked for
+ Documentation nits
+ Replace wrapper Collections.sort with an instance method
directly
+ Replace manual comparisons with Comparator.comparingInt()
+ Replace manual copy of array contents with System.arraycopy()
+ Fix thread safety issues when encoding 7z password
+ bzip2: calculate median-of-3 on unsigned values
+ Use Math.min and Math.max calculations.
+ COMPRESS-603: Expander should be able to work if an entry's
name is "./".
+ COMPRESS-604: Ensure compatibility with Java 8
+ Use StringBuilder instead of StringBuffer.
+ Inline variable. Remove redundant local variable.
+ Use compare method
+ Remove Unnecessary interface modifiers
+ Avoid use of C-style array declaration.
+ ChecksumVerifyingInputStream.read() does not always validate
checksum at end-of-stream
+ Fix TarFileTest
+ COMPRESS-625: Update Wikipedia link in TarUtils.java:627.
+ COMPRESS-626: OutOfMemoryError on malformed pack200 input
(attributes).
+ COMPRESS-628: OutOfMemoryError on malformed pack200 input
(org.apache.commons.compress.harmony.pack200.NewAttributeBands
.readNextUnionCase).
+ COMPRESS-628: OutOfMemoryError on malformed unpack200 input
(org.apache.commons.compress.harmony.unpack200
.NewAttributeBands.readNextUnionCase).
+ Some input streams are not closed in org.apache.commons
.compress.harmony.pack200.PackingUtils
+ COMPRESS-627: Pack200 causes an 'archive.3E' error if it's not
in the system class loader.
- Modified patches:
* 0001-Remove-Brotli-compressor.patch
* 0002-Remove-ZSTD-compressor.patch
* 0003-Remove-Pack200-compressor.patch
+ rediff to changed context
- Removed patch:
* fix_java_8_compatibility.patch
+ not needed, since we handle the compatibility differently
-------------------------------------------------------------------
Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* 0003-Remove-Pack200-compressor.patch
+ Remove support for pack200 which depends on old asm3
-------------------------------------------------------------------
Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Updated to 1.21
* When reading a specially crafted 7Z archive, the construction of
the list of codecs that decompress an entry can result in an
infinite loop. This could be used to mount a denial of service
attack against services that use Compress' sevenz package.
(CVE-2021-35515, bsc#1188463)
* When reading a specially crafted 7Z archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services
that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464)
* When reading a specially crafted TAR archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could be
used to mount a denial of service attack against services that
use Compress' tar package. (CVE-2021-35517, bsc#1188465)
* When reading a specially crafted ZIP archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services
that use Compress' zip package. (CVE-2021-36090, bsc#1188466)
- New dependency on asm3 for Pack200 compressor
- Rebased patch fix_java_8_compatibility.patch to a new context and
added some new occurrences
-------------------------------------------------------------------
Wed Aug 28 08:57:02 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Updated to 1.19 [bsc#1148475, CVE-2019-12402]
* ZipFile could get stuck in an infinite loop when parsing ZIP archives
with certain strong encryption headers (CVE-2019-12402).
* ZipArchiveInputStream and ZipFile will no longer throw an exception if
an extra field generally understood by Commons Compress is malformed
but rather turn them into UnrecognizedExtraField instances. You can
influence the way extra fields are parsed in more detail by using the
new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry now.
* Some of the ZIP extra fields related to strong encryption will now
throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in
certain cases when used directly. There is no practical difference
when they are read via ZipArchiveInputStream or ZipFile.
* ParallelScatterZipCreator now writes entries in the same order they have
been added to the archive.
* ZipArchiveInputStream and ZipFile are more forgiving when parsing extra
fields by default now.
* TarArchiveInputStream has a new lenient mode that may allow it to read
certain broken archives.
- Rebased patch fix_java_8_compatibility.patch
-------------------------------------------------------------------
Mon Mar 25 17:32:03 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Remove pom parent, since we don't use it when not building with
maven
-------------------------------------------------------------------
Sun Jan 27 16:48:58 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Add missing RPM group for %name-javadoc.
-------------------------------------------------------------------
Fri Jan 25 09:10:54 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Rename package to apache-commons-compress
* Upgrade to version 1.18
* Use build.xml file generated by mvn ant:ant and simplified
manually after
+ Allows building with ant and considerably shortens build
cycle
- Added patches
* 0001-Remove-Brotli-compressor.patch
+ do not build Brotli compressor, since we don't have its
dependencies
* 0002-Remove-ZSTD-compressor.patch
+ do not build ZSTD compressor, since we don't have its
dependencies
* fix_java_8_compatibility.patch
+ restore Java 8 compatibility in java.nio.ByteBuffer use
-------------------------------------------------------------------
Mon Sep 18 10:43:23 UTC 2017 - fstrba@suse.com
- Fix build with jdk9: specify java source and target 1.6
- Build also the javadoc package
-------------------------------------------------------------------
Fri May 19 16:04:30 UTC 2017 - tchvatal@suse.com
- Fix build under new javapackage-tools
-------------------------------------------------------------------
Thu Nov 29 14:57:33 UTC 2012 - mvyskocil@suse.com
- use saxon and saxon-scripts only when using maven
-------------------------------------------------------------------
Thu May 14 16:05:37 CEST 2009 - mvyskocil@suse.cz
- 'Initial SUSE packaging from jpackage.org 5.0'