Sync from SUSE:SLFO:Main apache-commons-compress revision dd5b27a8e8b7c0f7fbee305383421485

Adrian Schröter 2024-05-03 10:58:58 +02:00
commit ec55646b13
8 changed files with 813 additions and 0 deletions

23
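--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text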


@ -0,0 +1,37 @@
From 0b10cc9b13fa782b7e318fdbc0d8c790a472f722 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Mon, 12 Feb 2018 10:53:48 +0100
Subject: [PATCH 1/3] Remove Brotli compressor
---
.../compress/compressors/CompressorStreamFactory.java | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
index ca0973095..2406d5a44 100644
--- a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
+++ b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
@@ -30,8 +30,6 @@
import java.util.SortedMap;
import java.util.TreeMap;
-import org.apache.commons.compress.compressors.brotli.BrotliCompressorInputStream;
-import org.apache.commons.compress.compressors.brotli.BrotliUtils;
import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;
import org.apache.commons.compress.compressors.deflate.DeflateCompressorInputStream;
@@ -545,10 +543,7 @@ public CompressorInputStream createCompressorInputStream(final String name, fina
}
if (BROTLI.equalsIgnoreCase(name)) {
- if (!BrotliUtils.isBrotliCompressionAvailable()) {
- throw new CompressorException("Brotli compression is not available." + YOU_NEED_BROTLI_DEC);
- }
- return new BrotliCompressorInputStream(in);
+ throw new CompressorException("Brotli compression is not available in this build.");
}
if (XZ.equalsIgnoreCase(name)) {
--
2.43.0
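Review bot: The `BROTLI` branch of `createCompressorInputStream` now throws a plain `CompressorException` on every call, and no visible hunk removes the name from what the factory reports as supported. If `getInputStreamCompressorNames()` still lists it (that method is outside the hunk), code that enumerates codecs before accepting input will offer one that can never be instantiated, so a packaging test asserting that the advertised set matches what can actually be created would be worthwhile. The same applies to the `ZSTANDARD` and `PACK200` branches in patches 2/3 and 3/3. Since the patch has no commit message body, a comment at the throw such as `// Brotli support is compiled out of this distribution build (decoder dependency not packaged)` would record why the branch always fails.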


@ -0,0 +1,87 @@
From d80b7b190c789c33a15f56613a21c44827a63c75 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Mon, 12 Feb 2018 10:59:55 +0100
Subject: [PATCH 2/3] Remove ZSTD compressor
---
.../compressors/CompressorStreamFactory.java | 22 ++++---------------
1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
index 2406d5a44..9ed40a3d7 100644
--- a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
+++ b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
@@ -53,9 +53,6 @@
import org.apache.commons.compress.compressors.xz.XZCompressorOutputStream;
import org.apache.commons.compress.compressors.xz.XZUtils;
import org.apache.commons.compress.compressors.z.ZCompressorInputStream;
-import org.apache.commons.compress.compressors.zstandard.ZstdCompressorInputStream;
-import org.apache.commons.compress.compressors.zstandard.ZstdCompressorOutputStream;
-import org.apache.commons.compress.compressors.zstandard.ZstdUtils;
import org.apache.commons.compress.utils.IOUtils;
import org.apache.commons.compress.utils.Sets;
@@ -280,10 +277,6 @@ static String detect(final InputStream inputStream, final Set<String> compressor
return LZ4_FRAMED;
}
- if (compressorNames.contains(ZSTANDARD) && ZstdUtils.matches(signature, signatureLength)) {
- return ZSTANDARD;
- }
-
throw new CompressorException("No Compressor found for the stream signature.");
}
@@ -405,10 +398,6 @@ public static String getZ() {
return Z;
}
- public static String getZstandard() {
- return ZSTANDARD;
- }
-
static void putAll(final Set<String> names, final CompressorStreamProvider provider, final TreeMap<String, CompressorStreamProvider> map) {
names.forEach(name -> map.put(toKey(name), provider));
}
@@ -513,7 +502,7 @@ public CompressorInputStream createCompressorInputStream(final InputStream in, f
* Creates a compressor input stream from a compressor name and an input stream.
*
* @param name of the compressor, i.e. {@value #GZIP}, {@value #BZIP2}, {@value #XZ}, {@value #LZMA}, {@value #PACK200}, {@value #SNAPPY_RAW},
- * {@value #SNAPPY_FRAMED}, {@value #Z}, {@value #LZ4_BLOCK}, {@value #LZ4_FRAMED}, {@value #ZSTANDARD}, {@value #DEFLATE64} or
+ * {@value #SNAPPY_FRAMED}, {@value #Z}, {@value #LZ4_BLOCK}, {@value #LZ4_FRAMED}, {@value #DEFLATE64} or
* {@value #DEFLATE}
* @param in the input stream
* @return compressor input stream
@@ -554,10 +543,7 @@ public CompressorInputStream createCompressorInputStream(final String name, fina
}
if (ZSTANDARD.equalsIgnoreCase(name)) {
- if (!ZstdUtils.isZstdCompressionAvailable()) {
- throw new CompressorException("Zstandard compression is not available." + YOU_NEED_ZSTD_JNI);
- }
- return new ZstdCompressorInputStream(in);
+ throw new CompressorException("Zstandard compression is not available in this build.");
}
if (LZMA.equalsIgnoreCase(name)) {
@@ -614,7 +600,7 @@ public CompressorInputStream createCompressorInputStream(final String name, fina
* Creates a compressor output stream from a compressor name and an output stream.
*
* @param name the compressor name, i.e. {@value #GZIP}, {@value #BZIP2}, {@value #XZ}, {@value #PACK200}, {@value #SNAPPY_FRAMED}, {@value #LZ4_BLOCK},
- * {@value #LZ4_FRAMED}, {@value #ZSTANDARD} or {@value #DEFLATE}
+ * {@value #LZ4_FRAMED} or {@value #DEFLATE}
* @param out the output stream
* @return the compressor output stream
* @throws CompressorException if the archiver name is not known
@@ -665,7 +651,7 @@ public CompressorOutputStream createCompressorOutputStream(final String name, fi
}
if (ZSTANDARD.equalsIgnoreCase(name)) {
- return new ZstdCompressorOutputStream(out);
+ throw new CompressorException("Zstandard compression is not available in this build.");
}
} catch (final IOException e) {
throw new CompressorException("Could not create CompressorOutputStream", e);
--
2.43.0
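Review bot: The hunk after `getZ()` deletes the public static `getZstandard()` accessor, which only returns the `ZSTANDARD` constant and has no dependency on the removed zstandard classes; the patch itself still uses that constant in both `create…Stream` branches. Dropping it changes the public API relative to upstream, so a consumer jar compiled against the upstream artifact that calls it would fail with `NoSuchMethodError` at run time rather than receiving the `CompressorException` introduced elsewhere in this patch. The visible hunks of patches 1/3 and 3/3 do not remove their corresponding accessors, so keeping `public static String getZstandard() { return ZSTANDARD; }` would also be consistent with them.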


@ -0,0 +1,54 @@
From 77d08229cd95cc948a19996faa8515e0d77d7930 Mon Sep 17 00:00:00 2001
From: Marian Koncek <mkoncek@redhat.com>
Date: Fri, 6 Aug 2021 13:42:40 +0200
Subject: [PATCH 3/3] Remove Pack200 compressor
---
.../compress/compressors/CompressorStreamFactory.java | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
index 9ed40a3d7..565aa519e 100644
--- a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
+++ b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
@@ -44,8 +44,6 @@
import org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream;
import org.apache.commons.compress.compressors.lzma.LZMACompressorOutputStream;
import org.apache.commons.compress.compressors.lzma.LZMAUtils;
-import org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream;
-import org.apache.commons.compress.compressors.pack200.Pack200CompressorOutputStream;
import org.apache.commons.compress.compressors.snappy.FramedSnappyCompressorInputStream;
import org.apache.commons.compress.compressors.snappy.FramedSnappyCompressorOutputStream;
import org.apache.commons.compress.compressors.snappy.SnappyCompressorInputStream;
@@ -249,10 +247,6 @@ static String detect(final InputStream inputStream, final Set<String> compressor
return GZIP;
}
- if (compressorNames.contains(PACK200) && Pack200CompressorInputStream.matches(signature, signatureLength)) {
- return PACK200;
- }
-
if (compressorNames.contains(SNAPPY_FRAMED) && FramedSnappyCompressorInputStream.matches(signature, signatureLength)) {
return SNAPPY_FRAMED;
}
@@ -554,7 +548,7 @@ public CompressorInputStream createCompressorInputStream(final String name, fina
}
if (PACK200.equalsIgnoreCase(name)) {
- return new Pack200CompressorInputStream(in);
+ throw new CompressorException("Pack200 compression is not available in this build.");
}
if (SNAPPY_RAW.equalsIgnoreCase(name)) {
@@ -627,7 +621,7 @@ public CompressorOutputStream createCompressorOutputStream(final String name, fi
}
if (PACK200.equalsIgnoreCase(name)) {
- return new Pack200CompressorOutputStream(out);
+ throw new CompressorException("Pack200 compression is not available in this build.");
}
if (LZMA.equalsIgnoreCase(name)) {
--
2.43.0
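Review bot: The Javadoc of both factory methods still advertises Pack200 after this patch: the `@param name` lists shown as context in patch 2/3 contain `{@value #PACK200}`, and no hunk here edits them, although both `PACK200` branches now always throw. Patch 2/3 trimmed `{@value #ZSTANDARD}` from the same two lists, so this patch should drop `{@value #PACK200}` from the `@param name` text of `createCompressorInputStream` and `createCompressorOutputStream` in the same way. Both method bodies continue outside the hunks, so any other remaining references are not visible from here.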


@ -0,0 +1,124 @@
<?xml version="1.0" encoding="UTF-8"?>
<project name="commons-compress" default="package" basedir=".">
<!-- ====================================================================== -->
<!-- Build environment properties -->
<!-- ====================================================================== -->
<property file="build.properties"/>
<property name="build.name" value="commons-compress"/>
<property name="build.version" value="1.26.0"/>
<property name="build.finalName" value="${build.name}-${build.version}"/>
<property name="build.dir" value="target"/>
<property name="build.javadocDir" value="${build.dir}/site/apidocs"/>
<property name="build.outputDir" value="${build.dir}/classes"/>
<property name="build.srcDir" value="src/main/java"/>
<property name="build.resourceDir" value="src/main/resources"/>
<property name="commons.osgi.dynamicImport" value=""/>
<property name="commons.osgi.excludeDependencies" value="true"/>
<property name="commons.osgi.export" value="org.apache.commons.compress;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.ar;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.arj;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.cpio;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.dump;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.examples;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.jar;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.sevenz;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.tar;version=&quot;${build.version}&quot;,org.apache.commons.compress.archivers.zip;version=&quot;${build.version}&quot;,org.apache.commons.compress.changes;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.bzip2;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.deflate;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.deflate64;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.gzip;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.lz4;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.lz77support;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.lzma;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.lzw;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.pack200;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.snappy;version=&quot;${build.version}&quot;,org.apache.commons.compress.compressors.xz;version=&quot;${build.version}&quot;,org.apache.commons.compress
.compressors.z;version=&quot;${build.version}&quot;,org.apache.commons.compress.harmony.archive.internal.nls;version=&quot;${build.version}&quot;,org.apache.commons.compress.harmony.pack200;version=&quot;${build.version}&quot;,org.apache.commons.compress.harmony.unpack200;version=&quot;${build.version}&quot;,org.apache.commons.compress.harmony.unpack200.bytecode;version=&quot;${build.version}&quot;,org.apache.commons.compress.harmony.unpack200.bytecode.forms;version=&quot;${build.version}&quot;,org.apache.commons.compress.java.util.jar;version=&quot;${build.version}&quot;,org.apache.commons.compress.parallel;version=&quot;${build.version}&quot;,org.apache.commons.compress.utils;version=&quot;${build.version}&quot;"/>
<property name="commons.osgi.import" value="org.tukaani.xz;resolution:=optional,org.objectweb.asm;resolution:=optional,javax.crypto;resolution:=optional,javax.crypto.spec;resolution:=optional"/>
<property name="commons.osgi.private" value=""/>
<property name="commons.osgi.symbolicName" value="org.apache.commons.compress"/>
<property name="compiler.release" value="8"/>
<property name="compiler.source" value="1.${compiler.release}"/>
<property name="compiler.target" value="${compiler.source}"/>
<!-- ====================================================================== -->
<!-- Defining classpaths -->
<!-- ====================================================================== -->
<path id="build.classpath">
<fileset dir="lib">
<include name="**/*.jar">
</include>
</fileset>
</path>
<!-- ====================================================================== -->
<!-- Cleaning up target -->
<!-- ====================================================================== -->
<target name="clean" description="Clean the output directory">
<delete dir="${build.dir}"/>
</target>
<!-- ====================================================================== -->
<!-- Compilation target -->
<!-- ====================================================================== -->
<target name="compile" description="Compile the code">
<mkdir dir="${build.outputDir}"/>
<javac destdir="${build.outputDir}"
encoding="iso-8859-1"
nowarn="false"
debug="true"
optimize="false"
deprecation="true"
target="${compiler.target}"
release="${compiler.release}"
verbose="false"
fork="false"
source="${compiler.source}">
<src>
<pathelement location="${build.srcDir}"/>
</src>
<classpath refid="build.classpath"/>
</javac>
</target>
<!-- ====================================================================== -->
<!-- Javadoc target -->
<!-- ====================================================================== -->
<target name="javadoc" description="Generates the Javadoc of the application">
<mkdir dir="${build.javadocDir}"/>
<javadoc sourcepath="${build.srcDir}"
packagenames="*"
destdir="${build.javadocDir}"
access="protected"
verbose="false"
encoding="iso-8859-1"
version="true"
use="true"
author="true"
splitindex="false"
nodeprecated="false"
nodeprecatedlist="false"
notree="false"
noindex="false"
nohelp="false"
nonavbar="false"
serialwarn="false"
source="${compiler.source}"
linksource="true"
breakiterator="false">
<classpath refid="build.classpath"/>
</javadoc>
</target>
<!-- ====================================================================== -->
<!-- Package target -->
<!-- ====================================================================== -->
<target name="package" depends="compile" description="Package the application">
<jar jarfile="${build.dir}/${build.finalName}.jar"
compress="true"
index="false"
basedir="${build.outputDir}"
excludes="**/package.html">
<manifest>
<attribute name="Bundle-SymbolicName" value="${commons.osgi.symbolicName}"/>
<attribute name="Bundle-Version" value="${build.version}"/>
<attribute name="Export-Package" value="${commons.osgi.export}"/>
<attribute name="Import-Package" value="${commons.osgi.import}"/>
</manifest>
</jar>
</target>
</project>
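Review bot: `commons.osgi.export` still lists `org.apache.commons.compress.compressors.pack200` and the `org.apache.commons.compress.harmony.*` packages, and `commons.osgi.import` still names `org.objectweb.asm`, while patch 3/3 disables Pack200 and the changelog says it was dropped because of its asm dependency. If those source trees are deleted before compilation (not visible in this file), the manifest would advertise packages the jar does not contain, and an OSGi resolver could wire consumers to a bundle that then fails at class load. Either trim those entries from the two properties or confirm the classes are actually built. The export list already omits the brotli and zstandard packages, so the same treatment for pack200 would be consistent.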


@ -0,0 +1,370 @@
-------------------------------------------------------------------
Mon Feb 19 13:14:54 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to 1.26
* Fixing several vulnerabilities
+ bsc#1220068, CVE-2024-26308
+ bsc#1220070, CVE-2024-25710
* New Features
+ Add and use ZipFile.builder(), ZipFile.Builder, and deprecate
constructors
+ Add and use SevenZFile.builder(), SevenZFile.Builder, and
deprecate constructors
+ Add and use ArchiveInputStream.getCharset()
+ Add and use ArchiveEntry.resolveIn(Path)
+ Add Maven property project.build.outputTimestamp for build
reproducibility
* Fixed Bugs
+ COMPRESS-632: Check for invalid PAX values in TarArchiveEntry
+ COMPRESS-632: Fix for zero size headers in ArjInputStream
+ COMPRESS-632: Fixes and tests for ArInputStream
+ COMPRESS-632: Fixes for dump file parsing
+ COMPRESS-632: Improve CPIO exception detection and handling
+ Deprecate SkipShieldingInputStream without replacement (no
longer used)
+ Reuse commons-codec, don't duplicate class PureJavaCrc32C
(removed package-private class)
+ Reuse commons-codec, don't duplicate class XXHash32
(deprecated class)
+ Reuse commons-io, don't duplicate class Charsets (deprecated
class)
+ Reuse commons-io, don't duplicate class IOUtils (deprecated
methods)
+ Reuse commons-io, don't duplicate class BoundedInputStream
(deprecated class)
+ Reuse commons-io, don't duplicate class FileTimes (deprecated
TimeUtils methods)
+ Reuse Arrays.equals(byte[], byte[]) and deprecate
ArchiveUtils.isEqual(byte[], byte[])
+ Add a null-check for the class loader of OsgiUtils
+ Add a null-check in Pack200.newInstance(String, String)
+ Deprecate ChecksumCalculatingInputStream in favor of
java.util.zip.CheckedInputStream
+ Deprecate CRC32VerifyingInputStream
.CRC32VerifyingInputStream(InputStream, long, int)
+ COMPRESS-655: FramedSnappyCompressorOutputStream produces
incorrect output when writing a large buffer
+ COMPRESS-657: Fix TAR directory entries being misinterpreted
as files
+ Deprecate unused method FileNameUtils.getBaseName(String)
+ Deprecate unused method FileNameUtils.getExtension(String)
+ ArchiveInputStream.BoundedInputStream.read() incorrectly adds
1 for EOF to the bytes read count
+ Deprecate IOUtils.read(File, byte[])
+ Deprecate IOUtils.copyRange(InputStream, long, OutputStream,
int)
+ COMPRESS-653: ZipArchiveOutputStream multi archive updates
metadata in incorrect file
+ Deprecate ByteUtils.InputStreamByteSupplier
+ Deprecate ByteUtils.fromLittleEndian(InputStream, int)
+ Deprecate ByteUtils.toLittleEndian(DataOutput, long, int)
+ Reduce duplication by having ArchiveInputStream extend
FilterInputStream
+ Support preamble garbage in ZipArchiveInputStream
+ COMPRESS-658: Fix formatting the lowest expressable DOS time
+ Drop reflection from ExtraFieldUtils static initialization
+ Preserve exception causation in
ExtraFieldUtils.register(Class)
- Upgrade to 1.25.0
* New features:
+ Add GzipParameters.getFileName() and deprecate getFilename()
+ Add GzipParameters.setFileName(String) and deprecate
setFilename(String)
+ Add FileNameUtil.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add FileNameUtil.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add FileNameUtil.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add BZip2Utils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add BZip2Utils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add BZip2Utils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add LZMAUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add LZMAUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add LZMAUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add XYUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add XYUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add XYUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add GzipUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add GzipUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add GzipUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add SevenZOutputFile.putArchiveEntry(SevenZArchiveEntry) and
deprecate putArchiveEntry(ArchiveEntry)
+ Add generics to ChangeSet and ChangeSetPerformer
+ Add generics to ArchiveStreamProvider and friends
+ Add a generic type parameter to ArchiveOutputStream and avoid
unchecked/unconfirmed type casts in subclasses
+ Add a generic type parameter to ArchiveInputStream and
deprecate redundant get methods in subclasses
+ COMPRESS-648: Add ability to restrict autodetection in
CompressorStreamFactory
* Fixed Bugs:
+ Precompile regular expression in
ArArchiveInputStream.isBSDLongName(String)
+ Precompile regular expression in
ArArchiveInputStream.isGNULongName(String)
+ Precompile regular expression in
TarArchiveEntry.parseInstantFromDecimalSeconds(String)
+ Precompile regular expression in
ChangeSet.addDeletion(Change)
+ COMPRESS-649: Improve performance in
BlockLZ4CompressorOutputStream
+ Null-guard Lister.main(String[]) for programmatic invocation
+ NPE in pack200.NewAttributeBands.Reference
.addAttributeToBand(NewAttribute, InputStream)
+ Incorrect lazy initialization and update of static field in
pack200.CodecEncoding.getSpecifier(Codec, Codec)
+ Incorrect string comparison in unpack200.AttributeLayout
.numBackwardsCallables()
+ Inefficient use of keySet iterator instead of entrySet
iterator in pack200.PackingOptions
.addOrUpdateAttributeActions(List, Map, int)
+ Package private class pack200.IcBands.IcTuple should be a
static inner class
+ Private class ZipFile.BoundedFileChannelInputStream should be
a static inner class
+ Refactor internal SevenZ AES256SHA256Decoder InputStream into
a named static inner class
+ Refactor internal SevenZ AES256SHA256Decoder OutputStream into
a named static inner class
+ Use the root Locale for string conversion of command line
options in org.apache.commons.compress.archivers.sevenz.CLI
+ Calling PackingUtils.config(PackingOptions) with null now
closes the internal FileHandler
+ COMPRESS-650: LZ4 compressor throws IndexOutOfBoundsException
+ COMPRESS-632: LZWInputStream.initializeTables(int) should
throw IllegalArgumentException instead of
ArrayIndexOutOfBoundsException
+ COMPRESS-647: Throw IOException instead of
ArrayIndexOutOfBoundsException when reading Zip with data
descriptor entries
- Update to 1.24.0
* New features:
+ Make ZipArchiveEntry.getLocalHeaderOffset() public
* Fixed Bugs:
+ Use try-with-resources in ArchiveStreamFactory
+ Javadoc and code comments: Sanitize grammar issues and typos
+ Remove redundant (null) initializations
+ [StepSecurity] ci: Harden GitHub Actions
- Update to 1.23.0
* New features:
+ COMPRESS-614: Use FileTime for time fields in
SevenZipArchiveEntry
+ COMPRESS-621: Fix calculation the offset of the first ZIP
central directory entry
+ COMPRESS-633:Add encryption support for SevenZ
+ COMPRESS-613: Support for extra time data in Zip archives
+ COMPRESS-621: Add org.apache.commons.compress.archivers.zip
.DefaultBackingStoreSupplier to write to a custom folder
instead of the default temporary folder.
+ COMPRESS-600: Add capability to configure Deflater strategy
in GzipCompressorOutputStream:
GzipParameters.setDeflateStrategy(int).
* Fixed Bugs:
+ Implicit narrowing conversion in compound assignment
+ Avoid NPE in FileNameUtils.getBaseName(Path) for paths with
zero elements like root paths
+ Avoid NPE in FileNameUtils.getExtension(Path) for paths with
zero elements like root paths
+ LZMA2Decoder.decode() looses original exception
+ Extract conditions and avoid duplicate code.
+ Remove duplicate conditions. Use switch instead.
+ Replace JUnit 3 and 4 with JUnit 5
+ Make 'ZipFile.offsetComparator' static
+ COMPRESS-638: The GzipCompressorOutputStream#writeHeader()
uses ISO_8859_1 to write the file name and comment. If the
strings contains non-ISO_8859_1 characters, unknown characters
are displayed after decompression. Use percent encoding for
non ISO_8859_1 characters.
+ Port some code from IO to NIO APIs
+ pack200: Fix FileBands misusing InputStream#read(byte[])
+ COMPRESS-641: Add TarArchiveEntry.getLinkFlag()
+ COMPRESS-642: Integer overflow ArithmeticException in
TarArchiveOutputStream
+ COMPRESS-642: org.apache.commons.compress.archivers.zip
.ZipFile.finalize() should not write to std err.
* Removed:
+ Remove BZip2CompressorOutputStream.finalize() which only wrote
to std err
- Update to 1.22
* New features:
+ COMPRESS-602: Migrate zip package to use NIO
+ Add APK file extension constants: ArchiveStreamFactory.APK,
APKM, APKS, XAPK
+ ArchiveStreamFactory.createArchiveInputStream(String,
InputStream, String) supports the "APK" format (it's a JAR)
+ Expander example now has NIO Path versions of IO File APIs
+ COMPRESS-612: Improve TAR support for file times
+ Add SevenZArchiveEntry.setContentMethods(SevenZMethodConfiguration...)
* Fixed Bugs:
+ Fix some compiler warnings in pack200 packages
+ Close File input stream after unpacking in
Pack200UnpackerAdapter.unpack(File, JarOutputStream)
+ Pack200UnpackerAdapter.unpack(InputStream, JarOutputStream)
should not close its given input stream
+ COMPRESS-596: Fix minor problem in examples.
+ COMPRESS-584: Add a limit to the copy buffer in
IOUtils.readRange() to avoid reading more from a channel than
asked for
+ Documentation nits
+ Replace wrapper Collections.sort is with an instance method
directly
+ Replace manual comparisons with Comparator.comparingInt()
+ Replace manual copy of array contents with System.arraycopy()
+ Fix thread safety issues when encoding 7z password
+ bzip2: calculate median-of-3 on unsigned values
+ Use Math.min and Math.max calculations.
+ COMPRESS-603: Expander should be able to work if an entry's
name is "./".
+ COMPRESS-604: Ensure compatibility with Java 8
+ Use StringBuilder instead of StringBuffer.
+ Inline variable. Remove redundant local variable.
+ Use compare method
+ Remove Unnecessary interface modifiers
+ Avoid use C-style array declaration.
+ ChecksumVerifyingInputStream.read() does not always validate
checksum at end-of-stream
+ Fix TarFileTest
+ COMPRESS-625: Update Wikipedia link in TarUtils.java:627.
+ COMPRESS-626: OutOfMemoryError on malformed pack200 input
(attributes).
+ COMPRESS-628: OutOfMemoryError on malformed pack200 input
(org.apache.commons.compress.harmony.pack200.NewAttributeBands
.readNextUnionCase).
+ COMPRESS-628: OutOfMemoryError on malformed unpack200 input
(org.apache.commons.compress.harmony.unpack200
.NewAttributeBands.readNextUnionCase).
+ Some input streams are not closed in org.apache.commons
.compress.harmony.pack200.PackingUtils
+ COMPRESS-627: Pack200 causes a 'archive.3E' error if it's not
in the system class loader.
- Modified patches:
* 0001-Remove-Brotli-compressor.patch
* 0002-Remove-ZSTD-compressor.patch
* 0003-Remove-Pack200-compressor.patch
+ rediff to changed context
- Removed patch:
* fix_java_8_compatibility.patch
+ not needed, since we handle the compatibility differently
-------------------------------------------------------------------
Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* 0003-Remove-Pack200-compressor.patch
+ Remove support for pack200 which depends on old asm3
-------------------------------------------------------------------
Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Updated to 1.21
* When reading a specially crafted 7Z archive, the construction of
the list of codecs that decompress an entry can result in an
infinite loop. This could be used to mount a denial of service
attack against services that use Compress' sevenz package.
(CVE-2021-35515, bsc#1188463)
* When reading a specially crafted 7Z archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services
that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464)
* When reading a specially crafted TAR archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could be
used to mount a denial of service attack against services that
use Compress' tar package. (CVE-2021-35517, bsc#1188465)
* When reading a specially crafted ZIP archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services
that use Compress' zip package. (CVE-2021-36090, bsc#1188466)
- New dependency on asm3 for Pack200 compressor
- Rebased patch fix_java_8_compatibility.patch to a new context and
added some new ocurrences
-------------------------------------------------------------------
Wed Aug 28 08:57:02 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Updated to 1.19 [bsc#1148475, CVE-2019-12402]
* ZipFile could get stuck in an infinite loop when parsing ZIP archives
with certain strong encryption headers (CVE-2019-12402).
* ZipArchiveInputStream and ZipFile will no longer throw an exception if
an extra field generally understood by Commons Compress is malformed
but rather turn them into UnrecognizedExtraField instances. You can
influence the way extra fields are parsed in more detail by using the
new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry now.
* Some of the ZIP extra fields related to strong encryption will now
throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in
certain cases when used directly. There is no practical difference
when they are read via ZipArchiveInputStream or ZipFile.
* ParallelScatterZipCreator now writes entries in the same order they have
been added to the archive.
* ZipArchiveInputStream and ZipFile are more forgiving when parsing extra
fields by default now.
* TarArchiveInputStream has a new lenient mode that may allow it to read
certain broken archives.
- Rebased patch fix_java_8_compatibility.patch
-------------------------------------------------------------------
Mon Mar 25 17:32:03 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Remove pom parent, since we don't use it when not building with
maven
-------------------------------------------------------------------
Sun Jan 27 16:48:58 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Add missing RPM group for %name-javadoc.
-------------------------------------------------------------------
Fri Jan 25 09:10:54 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Rename package to apache-commons-compress
* Upgrade to version 1.18
* Use build.xml file generated ba mvn ant:ant and simplified
manually after
+ Allows building with ant and considerably shortens build
cycle
- Added patches
* 0001-Remove-Brotli-compressor.patch
+ do not build Brotli compressor, since we don't have its
dependencies
* 0002-Remove-ZSTD-compressor.patch
+ do not build ZSTD compressor, since we don't have its
dependencies
* fix_java_8_compatibility.patch
+ restore Java 8 compatibility in java.nio.ByteBuffer use
-------------------------------------------------------------------
Mon Sep 18 10:43:23 UTC 2017 - fstrba@suse.com
- Fix build with jdk9: specify java source and target 1.6
- Build also the javadoc package
-------------------------------------------------------------------
Fri May 19 16:04:30 UTC 2017 - tchvatal@suse.com
- Fix build under new javapackage-tools
-------------------------------------------------------------------
Thu Nov 29 14:57:33 UTC 2012 - mvyskocil@suse.com
- use saxon and saxon-scripts only when using maven
-------------------------------------------------------------------
Thu May 14 16:05:37 CEST 2009 - mvyskocil@suse.cz
- 'Initial SUSE packaging from jpackage.org 5.0'


@ -0,0 +1,115 @@
#
# spec file for package apache-commons-compress
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global base_name compress
%global short_name commons-%{base_name}
Name: apache-%{short_name}
Version: 1.26.0
Release: 0
Summary: Java API for working with compressed files and archivers
License: Apache-2.0
Group: Development/Libraries/Java
URL: https://commons.apache.org/proper/commons-compress/
Source0: https://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz
Source1: %{name}-build.xml
Patch0: 0001-Remove-Brotli-compressor.patch
Patch1: 0002-Remove-ZSTD-compressor.patch
Patch2: 0003-Remove-Pack200-compressor.patch
BuildRequires: ant
BuildRequires: commons-codec
BuildRequires: commons-io >= 2.14
BuildRequires: fdupes
BuildRequires: java-devel >= 1.8
BuildRequires: javapackages-local >= 6
BuildRequires: xz-java
Provides: %{short_name} = %{version}-%{release}
Obsoletes: %{short_name} < %{version}-%{release}
Provides: jakarta-%{short_name} = %{version}-%{release}
Obsoletes: jakarta-%{short_name} < %{version}-%{release}
BuildArch: noarch
%description
The Apache Commons Compress library defines an API for working with
ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200 and bzip2 files.
In version 1.14 read-only support for Brotli decompression has been added,
but it has been removed from this package.
%package javadoc
Summary: API documentation for %{name}
Group: Documentation/HTML
%description javadoc
This package provides %{summary}.
%prep
%setup -q -n %{short_name}-%{version}-src
cp %{SOURCE1} build.xml
# Unavailable Google Brotli library (org.brotli.dec)
%patch0 -p1
%pom_remove_dep org.brotli:dec
rm -r src/{main,test}/java/org/apache/commons/compress/compressors/brotli
# Unavailable ZSTD JNI library
%patch1 -p1
%pom_remove_dep :zstd-jni
rm -r src/{main,test}/java/org/apache/commons/compress/compressors/zstandard
# Remove support for pack200 which depends on ancient asm:asm:3.2
%patch2 -p1
rm -r src/{main,test}/java/org/apache/commons/compress/harmony
rm -r src/main/java/org/apache/commons/compress/compressors/pack200
rm src/main/java/org/apache/commons/compress/java/util/jar/Pack200.java
rm -r src/test/java/org/apache/commons/compress/compressors/pack200
rm src/test/java/org/apache/commons/compress/java/util/jar/Pack200Test.java
# NPE with jdk10
%pom_remove_plugin :maven-javadoc-plugin
%pom_xpath_remove "pom:profiles/pom:profile[pom:id[text()='java9+']]"
%build
mkdir -p lib
build-jar-repository -s lib xz-java commons-io commons-codec
%{ant} package javadoc
%install
# jar
install -dm 0755 %{buildroot}%{_javadir}
install -pm 0644 target/%{short_name}-%{version}.jar %{buildroot}%{_javadir}/%{short_name}.jar
ln -sf %{short_name}.jar %{buildroot}%{_javadir}/%{name}.jar
# pom
install -dm 0755 %{buildroot}%{_mavenpomdir}
%{mvn_install_pom} pom.xml %{buildroot}%{_mavenpomdir}/%{short_name}.pom
%add_maven_depmap %{short_name}.pom %{short_name}.jar -a commons:commons-compress,commons-compress:commons-compress
# javadoc
install -dm 0755 %{buildroot}%{_javadocdir}/%{name}
cp -pr target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}
%fdupes -s %{buildroot}%{_javadocdir}
%files -f .mfiles
%{_javadir}/%{name}.jar
%license LICENSE.txt
%doc NOTICE.txt
%files javadoc
%{_javadocdir}/%{name}
%license LICENSE.txt
%doc NOTICE.txt
%changelog
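Review bot: Nothing in the Source list lets the build verify that the upstream tarball is the one Apache released: `Source0` is fetched over HTTPS, but no detached signature or keyring is listed next to it. For a library that parses untrusted archives, I would add `Source2: https://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz.asc` and `Source3: %{name}.keyring` (built from the project's published KEYS file), so the source validator can check the tarball on every version bump. Separately, `%description` still lists Pack200 as supported and mentions only the Brotli removal, while `%prep` also strips ZSTD and Pack200; the text should say so, e.g. `Brotli, Zstandard and Pack200 support has been removed from this package.`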

BIN
commons-compress-1.26.0-src.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.