* liblzma:
- Fix the build on ARM64 on glibc versions older than
2.24 (2016). They don't have HWCAP_CRC32 in <sys/auxv.h>.
- Disable CLMUL CRC code when building for 32-bit x86
with old MSVC versions. This avoids a compiler bug.
* xz:
- Add a workaround for Red Hat Enterprise Linux 9
kernel bug which made xz fail with "xz: Failed to enable the
sandbox".
- On AIX, don't use fsync() on directories because it
fails.
- Fix the build on Emscripten.
- Fix the build on clang-cl on Windows.
- Take resource limits (RLIMIT_DATA, RLIMIT_AS, and
RLIMIT_VMEM)
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=173
- Update to 5.8.1:
* Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with
invalid input. (bsc#1240414, CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole
input file was provided at once to lzma_code(), the output
buffer was big enough, timeout was disabled, and LZMA_FINISH
was used. There are no bug reports about this, thus it's
possible that no real-world application was affected.
* Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
build with Oracle Developer Studio 12.6 on Solaris 10 when the
compiler is in C11 mode (the header doesn't exist).
* Autotools: Restore compatibility with GNU make versions older
than 4.0 by creating the package using GNU gettext 0.23.1
infrastructure instead of 0.24.
* Update Croatian translation.
- 5.8.0 changelog:
* liblzma on 32/64-bit x86: When possible, use SSE2 intrinsics
instead of memcpy() in the LZMA/LZMA2 decoder. In typical cases,
this may reduce decompression time by 0-5 %. However, when built
against musl libc, over 15 % time reduction was observed with
highly compressed files.
* CMake: Make the feature test macros match the Autotools-based
build on NetBSD, Darwin, and mingw-w64.
* Update the Croatian, Italian, Portuguese, and Romanian
translations.
* Update the German, Italian, Korean, Romanian, Serbian, and
Ukrainian man page translations.
- Summary of changes in the 5.7.x development releases:
* Mark the following LZMA Utils script aliases as deprecated:
OBS-URL: https://build.opensuse.org/request/show/1266930
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=171
* Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with
invalid input. (bsc#1240414, CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole
input file was provided at once to lzma_code(), the output
buffer was big enough, timeout was disabled, and LZMA_FINISH
was used. There are no bug reports about this, thus it's
possible that no real-world application was affected.
* Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
build with Oracle Developer Studio 12.6 on Solaris 10 when the
compiler is in C11 mode (the header doesn't exist).
* Autotools: Restore compatibility with GNU make versions older
than 4.0 by creating the package using GNU gettext 0.23.1
infrastructure instead of 0.24.
* Update Croatian translation.
- 5.8.0 changelog:
* liblzma on 32/64-bit x86: When possible, use SSE2 intrinsics
instead of memcpy() in the LZMA/LZMA2 decoder. In typical cases,
this may reduce decompression time by 0-5 %. However, when built
against musl libc, over 15 % time reduction was observed with
highly compressed files.
* CMake: Make the feature test macros match the Autotools-based
build on NetBSD, Darwin, and mingw-w64.
* Update the Croatian, Italian, Portuguese, and Romanian
translations.
* Update the German, Italian, Korean, Romanian, Serbian, and
Ukrainian man page translations.
- Summary of changes in the 5.7.x development releases:
* Mark the following LZMA Utils script aliases as deprecated:
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=171
- Update to 5.6.3:
* liblzma:
- Fix x86-64 inline assembly compatibility with GNU Binutils
older than 2.27.
- Fix the build with GCC 4.2 on OpenBSD/sparc64.
* xzdec: Display an error instead of failing silently if the
unsupported option -M is specified.
* lzmainfo: Fix integer overflows when rounding the dictionary and
uncompressed sizes to the nearest mebibyte.
* Autotools-based build:
- Fix feature checks with link-time optimization (-flto).
- Solaris: Fix a compatibility issue in version.sh. It matters
if one wants to regenerate configure by running autoconf.
* CMake:
- Use paths relative to ${prefix} in liblzma.pc when possible.
This is done only with CMake >= 3.20.
- Prefer a C11 compiler over a C99 compiler but accept both.
- Link Threads::Threads against liblzma using PRIVATE so that
-pthread and such flags won't unnecessarily get included in
the usage requirements of shared liblzma. That is,
target_link_libraries(foo PRIVATE liblzma::liblzma) no
longer adds -pthread if using POSIX threads and linking
against shared liblzma. The threading flags are still added
if linking against static liblzma.
* Updated translations: Catalan, Chinese (simplified), and
Brazilian Portuguese.
OBS-URL: https://build.opensuse.org/request/show/1206089
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=167
* liblzma:
- Fix x86-64 inline assembly compatibility with GNU Binutils
older than 2.27.
- Fix the build with GCC 4.2 on OpenBSD/sparc64.
* xzdec: Display an error instead of failing silently if the
unsupported option -M is specified.
* lzmainfo: Fix integer overflows when rounding the dictionary and
uncompressed sizes to the nearest mebibyte.
* Autotools-based build:
- Fix feature checks with link-time optimization (-flto).
- Solaris: Fix a compatibility issue in version.sh. It matters
if one wants to regenerate configure by running autoconf.
* CMake:
- Use paths relative to ${prefix} in liblzma.pc when possible.
This is done only with CMake >= 3.20.
- Prefer a C11 compiler over a C99 compiler but accept both.
- Link Threads::Threads against liblzma using PRIVATE so that
-pthread and such flags won't unnecessarily get included in
the usage requirements of shared liblzma. That is,
target_link_libraries(foo PRIVATE liblzma::liblzma) no
longer adds -pthread if using POSIX threads and linking
against shared liblzma. The threading flags are still added
if linking against static liblzma.
* Updated translations: Catalan, Chinese (simplified), and
Brazilian Portuguese.
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=167
- Update to 5.6.2:
* Remove the backdoor (CVE-2024-3094).
* Not changed: Memory sanitizer (MSAN) has a false positive
in the CRC CLMUL code which also makes OSS Fuzz unhappy.
Valgrind is smarter and doesn't complain.
A revision to the CLMUL code is coming anyway and this issue
will be cleaned up as part of it. It won't be backported to
5.6.x or 5.4.x because the old code isn't wrong. There is
no reason to risk introducing regressions in old branches
just to silence a false positive.
* liblzma:
- lzma_index_decoder() and lzma_index_buffer_decode(): Fix
a missing output pointer initialization (*i = NULL) if the
functions are called with invalid arguments. The API docs
say that such an initialization is always done. In practice
this matters very little because the problem can only occur
if the calling application has a bug and these functions
return LZMA_PROG_ERROR.
- lzma_str_to_filters(): Fix a missing output pointer
initialization (*error_pos = 0). This is very similar
to the fix above.
- Fix C standard conformance with function pointer types.
- Remove GNU indirect function (IFUNC) support. This is *NOT*
done for security reasons even though the backdoor relied on
this code. The performance benefits of IFUNC are too tiny in
this project to make the extra complexity worth it.
- FreeBSD on ARM64: Add error checking to CRC32 instruction
support detection.
- Fix building with NVIDIA HPC SDK.
* xz:
OBS-URL: https://build.opensuse.org/request/show/1177678
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=165
- Update to 5.6.2:
* Remove the backdoor (CVE-2024-3094).
* Not changed: Memory sanitizer (MSAN) has a false positive
in the CRC CLMUL code which also makes OSS Fuzz unhappy.
Valgrind is smarter and doesn't complain.
A revision to the CLMUL code is coming anyway and this issue
will be cleaned up as part of it. It won't be backported to
5.6.x or 5.4.x because the old code isn't wrong. There is
no reason to risk introducing regressions in old branches
just to silence a false positive.
* liblzma:
- lzma_index_decoder() and lzma_index_buffer_decode(): Fix
a missing output pointer initialization (*i = NULL) if the
functions are called with invalid arguments. The API docs
say that such an initialization is always done. In practice
this matters very little because the problem can only occur
if the calling application has a bug and these functions
return LZMA_PROG_ERROR.
- lzma_str_to_filters(): Fix a missing output pointer
initialization (*error_pos = 0). This is very similar
to the fix above.
- Fix C standard conformance with function pointer types.
- Remove GNU indirect function (IFUNC) support. This is *NOT*
done for security reasons even though the backdoor relied on
this code. The performance benefits of IFUNC are too tiny in
this project to make the extra complexity worth it.
- FreeBSD on ARM64: Add error checking to CRC32 instruction
support detection.
- Fix building with NVIDIA HPC SDK.
* xz:
OBS-URL: https://build.opensuse.org/request/show/1177678
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=165
- revert the switch to tar_scm which dropped the signature
validation
- switch back to tarballs because the upstream tarballs are not
gone
- reinstanciate keyring from Lasse
- go back to the last release signed by Lasse (5.4.2)
- revert multibuild, drop service and rpmlintrc
- use real_ver for the Source, move everything else back to
%version like before the hectic XZ downgrade
- remove payload setting, we are using zstd now
- Switch to using tar_scm for fetching the sources as the upstream
tarballs on github are gone
- introduce _multibuild to allow building the translations outside
of Ring0 and everything else in Ring0
- add rpmlintrc to silence harmless warnings
OBS-URL: https://build.opensuse.org/request/show/1167536
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xz?expand=0&rev=90
- revert the switch to tar_scm which dropped the signature
validation
- switch back to tarballs because the upstream tarballs are not
gone
- reinstanciate keyring from Lasse
- go back to the last release signed by Lasse (5.4.2)
- revert multibuild, drop service and rpmlintrc
- use real_ver for the Source, move everything else back to
%version like before the hectic XZ downgrade
- remove payload setting, we are using zstd now
- Switch to using tar_scm for fetching the sources as the upstream
tarballs on github are gone
- introduce _multibuild to allow building the translations outside
of Ring0 and everything else in Ring0
- add rpmlintrc to silence harmless warnings
OBS-URL: https://build.opensuse.org/request/show/1167536
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xz?expand=0&rev=90
