------------------------------------------------------------------- Tue May 14 10:26:58 UTC 2024 - Fridrich Strba - Upgrade to 1.26.1 * Fixed Bugs + COMPRESS-659: TarArchiveOutputStream should use Commons IO Charsets instead of Commons Codec Charsets. + COMPRESS-660: Add org.apache.commons.codec to OSGi imports. + COMPRESS-664 Return null value from getNextEntry() for empty file. + COMPRESS-664: Remove unused variables in tests. + COMPRESS-666: Multithreaded access to Tar archive throws java.util.zip.ZipException: Corrupt GZIP trailer. + COMPRESS-644: ArchiveStreamFactory.detect(InputStream) returns TAR for ICO file. + COMPRESS-661: ArchiveInputStream markSupported should always return false. + COMPRESS-662: Remove out of date jar and scripts. ------------------------------------------------------------------- Tue Feb 20 10:24:11 UTC 2024 - Dominique Leuenberger - Use %patch -P N instead of deprecated %patchN. ------------------------------------------------------------------- Mon Feb 19 13:14:54 UTC 2024 - Fridrich Strba - Upgrade to 1.26 * Fixing several vulnerabilities + bsc#1220068, CVE-2024-26308 + bsc#1220070, CVE-2024-25710 * New Features + Add and use ZipFile.builder(), ZipFile.Builder, and deprecate constructors + Add and use SevenZFile.builder(), SevenZFile.Builder, and deprecate constructors + Add and use ArchiveInputStream.getCharset() + Add and use ArchiveEntry.resolveIn(Path) + Add Maven property project.build.outputTimestamp for build reproducibility * Fixed Bugs + COMPRESS-632: Check for invalid PAX values in TarArchiveEntry + COMPRESS-632: Fix for zero size headers in ArjInputStream + COMPRESS-632: Fixes and tests for ArInputStream + COMPRESS-632: Fixes for dump file parsing + COMPRESS-632: Improve CPIO exception detection and handling + Deprecate SkipShieldingInputStream without replacement (no longer used) + Reuse commons-codec, don't duplicate class PureJavaCrc32C (removed package-private class) + Reuse commons-codec, don't duplicate class XXHash32 (deprecated class) + Reuse commons-io, don't duplicate class Charsets (deprecated class) + Reuse commons-io, don't duplicate class IOUtils (deprecated methods) + Reuse commons-io, don't duplicate class BoundedInputStream (deprecated class) + Reuse commons-io, don't duplicate class FileTimes (deprecated TimeUtils methods) + Reuse Arrays.equals(byte[], byte[]) and deprecate ArchiveUtils.isEqual(byte[], byte[]) + Add a null-check for the class loader of OsgiUtils + Add a null-check in Pack200.newInstance(String, String) + Deprecate ChecksumCalculatingInputStream in favor of java.util.zip.CheckedInputStream + Deprecate CRC32VerifyingInputStream .CRC32VerifyingInputStream(InputStream, long, int) + COMPRESS-655: FramedSnappyCompressorOutputStream produces incorrect output when writing a large buffer + COMPRESS-657: Fix TAR directory entries being misinterpreted as files + Deprecate unused method FileNameUtils.getBaseName(String) + Deprecate unused method FileNameUtils.getExtension(String) + ArchiveInputStream.BoundedInputStream.read() incorrectly adds 1 for EOF to the bytes read count + Deprecate IOUtils.read(File, byte[]) + Deprecate IOUtils.copyRange(InputStream, long, OutputStream, int) + COMPRESS-653: ZipArchiveOutputStream multi archive updates metadata in incorrect file + Deprecate ByteUtils.InputStreamByteSupplier + Deprecate ByteUtils.fromLittleEndian(InputStream, int) + Deprecate ByteUtils.toLittleEndian(DataOutput, long, int) + Reduce duplication by having ArchiveInputStream extend FilterInputStream + Support preamble garbage in ZipArchiveInputStream + COMPRESS-658: Fix formatting the lowest expressable DOS time + Drop reflection from ExtraFieldUtils static initialization + Preserve exception causation in ExtraFieldUtils.register(Class) - Upgrade to 1.25.0 * New features: + Add GzipParameters.getFileName() and deprecate getFilename() + Add GzipParameters.setFileName(String) and deprecate setFilename(String) + Add FileNameUtil.getCompressedFileName(String) and deprecate getCompressedFilename(String) + Add FileNameUtil.getUncompressedFileName(String) and deprecate getUncompressedFilename(String) + Add FileNameUtil.isCompressedFileName(String) and deprecate isCompressedFilename(String) + Add BZip2Utils.getCompressedFileName(String) and deprecate getCompressedFilename(String) + Add BZip2Utils.getUncompressedFileName(String) and deprecate getUncompressedFilename(String) + Add BZip2Utils.isCompressedFileName(String) and deprecate isCompressedFilename(String) + Add LZMAUtils.getCompressedFileName(String) and deprecate getCompressedFilename(String) + Add LZMAUtils.getUncompressedFileName(String) and deprecate getUncompressedFilename(String) + Add LZMAUtils.isCompressedFileName(String) and deprecate isCompressedFilename(String) + Add XYUtils.getCompressedFileName(String) and deprecate getCompressedFilename(String) + Add XYUtils.getUncompressedFileName(String) and deprecate getUncompressedFilename(String) + Add XYUtils.isCompressedFileName(String) and deprecate isCompressedFilename(String) + Add GzipUtils.getCompressedFileName(String) and deprecate getCompressedFilename(String) + Add GzipUtils.getUncompressedFileName(String) and deprecate getUncompressedFilename(String) + Add GzipUtils.isCompressedFileName(String) and deprecate isCompressedFilename(String) + Add SevenZOutputFile.putArchiveEntry(SevenZArchiveEntry) and deprecate putArchiveEntry(ArchiveEntry) + Add generics to ChangeSet and ChangeSetPerformer + Add generics to ArchiveStreamProvider and friends + Add a generic type parameter to ArchiveOutputStream and avoid unchecked/unconfirmed type casts in subclasses + Add a generic type parameter to ArchiveInputStream and deprecate redundant get methods in subclasses + COMPRESS-648: Add ability to restrict autodetection in CompressorStreamFactory * Fixed Bugs: + Precompile regular expression in ArArchiveInputStream.isBSDLongName(String) + Precompile regular expression in ArArchiveInputStream.isGNULongName(String) + Precompile regular expression in TarArchiveEntry.parseInstantFromDecimalSeconds(String) + Precompile regular expression in ChangeSet.addDeletion(Change) + COMPRESS-649: Improve performance in BlockLZ4CompressorOutputStream + Null-guard Lister.main(String[]) for programmatic invocation + NPE in pack200.NewAttributeBands.Reference .addAttributeToBand(NewAttribute, InputStream) + Incorrect lazy initialization and update of static field in pack200.CodecEncoding.getSpecifier(Codec, Codec) + Incorrect string comparison in unpack200.AttributeLayout .numBackwardsCallables() + Inefficient use of keySet iterator instead of entrySet iterator in pack200.PackingOptions .addOrUpdateAttributeActions(List, Map, int) + Package private class pack200.IcBands.IcTuple should be a static inner class + Private class ZipFile.BoundedFileChannelInputStream should be a static inner class + Refactor internal SevenZ AES256SHA256Decoder InputStream into a named static inner class + Refactor internal SevenZ AES256SHA256Decoder OutputStream into a named static inner class + Use the root Locale for string conversion of command line options in org.apache.commons.compress.archivers.sevenz.CLI + Calling PackingUtils.config(PackingOptions) with null now closes the internal FileHandler + COMPRESS-650: LZ4 compressor throws IndexOutOfBoundsException + COMPRESS-632: LZWInputStream.initializeTables(int) should throw IllegalArgumentException instead of ArrayIndexOutOfBoundsException + COMPRESS-647: Throw IOException instead of ArrayIndexOutOfBoundsException when reading Zip with data descriptor entries - Update to 1.24.0 * New features: + Make ZipArchiveEntry.getLocalHeaderOffset() public * Fixed Bugs: + Use try-with-resources in ArchiveStreamFactory + Javadoc and code comments: Sanitize grammar issues and typos + Remove redundant (null) initializations + [StepSecurity] ci: Harden GitHub Actions - Update to 1.23.0 * New features: + COMPRESS-614: Use FileTime for time fields in SevenZipArchiveEntry + COMPRESS-621: Fix calculation the offset of the first ZIP central directory entry + COMPRESS-633:Add encryption support for SevenZ + COMPRESS-613: Support for extra time data in Zip archives + COMPRESS-621: Add org.apache.commons.compress.archivers.zip .DefaultBackingStoreSupplier to write to a custom folder instead of the default temporary folder. + COMPRESS-600: Add capability to configure Deflater strategy in GzipCompressorOutputStream: GzipParameters.setDeflateStrategy(int). * Fixed Bugs: + Implicit narrowing conversion in compound assignment + Avoid NPE in FileNameUtils.getBaseName(Path) for paths with zero elements like root paths + Avoid NPE in FileNameUtils.getExtension(Path) for paths with zero elements like root paths + LZMA2Decoder.decode() looses original exception + Extract conditions and avoid duplicate code. + Remove duplicate conditions. Use switch instead. + Replace JUnit 3 and 4 with JUnit 5 + Make 'ZipFile.offsetComparator' static + COMPRESS-638: The GzipCompressorOutputStream#writeHeader() uses ISO_8859_1 to write the file name and comment. If the strings contains non-ISO_8859_1 characters, unknown characters are displayed after decompression. Use percent encoding for non ISO_8859_1 characters. + Port some code from IO to NIO APIs + pack200: Fix FileBands misusing InputStream#read(byte[]) + COMPRESS-641: Add TarArchiveEntry.getLinkFlag() + COMPRESS-642: Integer overflow ArithmeticException in TarArchiveOutputStream + COMPRESS-642: org.apache.commons.compress.archivers.zip .ZipFile.finalize() should not write to std err. * Removed: + Remove BZip2CompressorOutputStream.finalize() which only wrote to std err - Update to 1.22 * New features: + COMPRESS-602: Migrate zip package to use NIO + Add APK file extension constants: ArchiveStreamFactory.APK, APKM, APKS, XAPK + ArchiveStreamFactory.createArchiveInputStream(String, InputStream, String) supports the "APK" format (it's a JAR) + Expander example now has NIO Path versions of IO File APIs + COMPRESS-612: Improve TAR support for file times + Add SevenZArchiveEntry.setContentMethods(SevenZMethodConfiguration...) * Fixed Bugs: + Fix some compiler warnings in pack200 packages + Close File input stream after unpacking in Pack200UnpackerAdapter.unpack(File, JarOutputStream) + Pack200UnpackerAdapter.unpack(InputStream, JarOutputStream) should not close its given input stream + COMPRESS-596: Fix minor problem in examples. + COMPRESS-584: Add a limit to the copy buffer in IOUtils.readRange() to avoid reading more from a channel than asked for + Documentation nits + Replace wrapper Collections.sort is with an instance method directly + Replace manual comparisons with Comparator.comparingInt() + Replace manual copy of array contents with System.arraycopy() + Fix thread safety issues when encoding 7z password + bzip2: calculate median-of-3 on unsigned values + Use Math.min and Math.max calculations. + COMPRESS-603: Expander should be able to work if an entry's name is "./". + COMPRESS-604: Ensure compatibility with Java 8 + Use StringBuilder instead of StringBuffer. + Inline variable. Remove redundant local variable. + Use compare method + Remove Unnecessary interface modifiers + Avoid use C-style array declaration. + ChecksumVerifyingInputStream.read() does not always validate checksum at end-of-stream + Fix TarFileTest + COMPRESS-625: Update Wikipedia link in TarUtils.java:627. + COMPRESS-626: OutOfMemoryError on malformed pack200 input (attributes). + COMPRESS-628: OutOfMemoryError on malformed pack200 input (org.apache.commons.compress.harmony.pack200.NewAttributeBands .readNextUnionCase). + COMPRESS-628: OutOfMemoryError on malformed unpack200 input (org.apache.commons.compress.harmony.unpack200 .NewAttributeBands.readNextUnionCase). + Some input streams are not closed in org.apache.commons .compress.harmony.pack200.PackingUtils + COMPRESS-627: Pack200 causes a 'archive.3E' error if it's not in the system class loader. - Modified patches: * 0001-Remove-Brotli-compressor.patch * 0002-Remove-ZSTD-compressor.patch * 0003-Remove-Pack200-compressor.patch + rediff to changed context - Removed patch: * fix_java_8_compatibility.patch + not needed, since we handle the compatibility differently ------------------------------------------------------------------- Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba - Added patch: * 0003-Remove-Pack200-compressor.patch + Remove support for pack200 which depends on old asm3 ------------------------------------------------------------------- Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba - Updated to 1.21 * When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35515, bsc#1188463) * When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464) * When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. (CVE-2021-35517, bsc#1188465) * When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. (CVE-2021-36090, bsc#1188466) - New dependency on asm3 for Pack200 compressor - Rebased patch fix_java_8_compatibility.patch to a new context and added some new ocurrences ------------------------------------------------------------------- Wed Aug 28 08:57:02 UTC 2019 - Pedro Monreal Gonzalez - Updated to 1.19 [bsc#1148475, CVE-2019-12402] * ZipFile could get stuck in an infinite loop when parsing ZIP archives with certain strong encryption headers (CVE-2019-12402). * ZipArchiveInputStream and ZipFile will no longer throw an exception if an extra field generally understood by Commons Compress is malformed but rather turn them into UnrecognizedExtraField instances. You can influence the way extra fields are parsed in more detail by using the new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry now. * Some of the ZIP extra fields related to strong encryption will now throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in certain cases when used directly. There is no practical difference when they are read via ZipArchiveInputStream or ZipFile. * ParallelScatterZipCreator now writes entries in the same order they have been added to the archive. * ZipArchiveInputStream and ZipFile are more forgiving when parsing extra fields by default now. * TarArchiveInputStream has a new lenient mode that may allow it to read certain broken archives. - Rebased patch fix_java_8_compatibility.patch ------------------------------------------------------------------- Mon Mar 25 17:32:03 UTC 2019 - Fridrich Strba - Remove pom parent, since we don't use it when not building with maven ------------------------------------------------------------------- Sun Jan 27 16:48:58 UTC 2019 - Jan Engelhardt - Add missing RPM group for %name-javadoc. ------------------------------------------------------------------- Fri Jan 25 09:10:54 UTC 2019 - Fridrich Strba - Rename package to apache-commons-compress * Upgrade to version 1.18 * Use build.xml file generated ba mvn ant:ant and simplified manually after + Allows building with ant and considerably shortens build cycle - Added patches * 0001-Remove-Brotli-compressor.patch + do not build Brotli compressor, since we don't have its dependencies * 0002-Remove-ZSTD-compressor.patch + do not build ZSTD compressor, since we don't have its dependencies * fix_java_8_compatibility.patch + restore Java 8 compatibility in java.nio.ByteBuffer use ------------------------------------------------------------------- Mon Sep 18 10:43:23 UTC 2017 - fstrba@suse.com - Fix build with jdk9: specify java source and target 1.6 - Build also the javadoc package ------------------------------------------------------------------- Fri May 19 16:04:30 UTC 2017 - tchvatal@suse.com - Fix build under new javapackage-tools ------------------------------------------------------------------- Thu Nov 29 14:57:33 UTC 2012 - mvyskocil@suse.com - use saxon and saxon-scripts only when using maven ------------------------------------------------------------------- Thu May 14 16:05:37 CEST 2009 - mvyskocil@suse.cz - 'Initial SUSE packaging from jpackage.org 5.0'