Accepting request 1317058 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1317058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/coreutils?expand=0&rev=167

coreutils-9.7-sort-CVE-2025-5278.patch

@@ -1,117 +0,0 @@
-# based on commit 8c9602e3a145e9596dc1a63c6ed67865814b6633
-# removed offsets and fuzziness
-Author: Pádraig Brady <P@draigBrady.com>
-Date:   Tue May 20 16:03:44 2025 +0100
-
-    sort: fix buffer under-read (CWE-127)
-    
-    * src/sort.c (begfield): Check pointer adjustment
-    to avoid Out-of-range pointer offset (CWE-823).
-    (limfield): Likewise.
-    * tests/sort/sort-field-limit.sh: Add a new test,
-    which triggers with ASAN or Valgrind.
-    * tests/local.mk: Reference the new test.
-    * NEWS: Mention bug fix introduced in v7.2 (2009).
-    Fixes https://bugs.gnu.org/78507
-
----
- NEWS                           |   10 ++++++++++
- src/sort.c                     |   12 ++++++++++--
- tests/local.mk                 |    1 +
- tests/sort/sort-field-limit.sh |   35 +++++++++++++++++++++++++++++++++++
- 4 files changed, 56 insertions(+), 2 deletions(-)
-
---- a/NEWS
-+++ b/NEWS
-@@ -1,5 +1,15 @@
- GNU coreutils NEWS                                    -*- outline -*-
- 
-+* Noteworthy changes in release ?.? (????-??-??) [?]
-+
-+** Bug fixes
-+
-+  sort with key character offsets of SIZE_MAX, could induce
-+  a read of 1 byte before an allocated heap buffer. For example:
-+  'sort +0.18446744073709551615R input' on 64 bit systems.
-+  [bug introduced in coreutils-7.2]
-+
-+
- * Noteworthy changes in release 9.7 (2025-04-09) [stable]
- 
- ** Bug fixes
---- a/src/sort.c
-+++ b/src/sort.c
-@@ -1793,7 +1793,11 @@ begfield_uni (const struct line *line, c
-       ++ptr;
- 
-   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
--  ptr = MIN (lim, ptr + schar);
-+  size_t remaining_bytes = lim - ptr;
-+  if (schar < remaining_bytes)
-+    ptr += schar;
-+  else
-+    ptr = lim;
- 
-   return ptr;
- }
-@@ -1954,7 +1958,11 @@ limfield_uni (struct line const *line, s
-           ++ptr;
- 
-       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
--      ptr = MIN (lim, ptr + echar);
-+      size_t remaining_bytes = lim - ptr;
-+      if (echar < remaining_bytes)
-+        ptr += echar;
-+      else
-+        ptr = lim;
-     }
- 
-   return ptr;
---- a/tests/local.mk
-+++ b/tests/local.mk
-@@ -388,6 +388,7 @@ all_tests =					\
-   tests/sort/sort-debug-keys.sh			\
-   tests/sort/sort-debug-warn.sh			\
-   tests/sort/sort-discrim.sh			\
-+  tests/sort/sort-field-limit.sh		\
-   tests/sort/sort-files0-from.pl		\
-   tests/sort/sort-float.sh			\
-   tests/misc/sort-mb-tests.sh			\
---- /dev/null
-+++ b/tests/sort/sort-field-limit.sh
-@@ -0,0 +1,35 @@
-+#!/bin/sh
-+# From 7.2-9.7, this would trigger an out of bounds mem read
-+
-+# Copyright (C) 2025 Free Software Foundation, Inc.
-+
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-+
-+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
-+print_ver_ sort
-+getlimits_
-+
-+# This issue triggers with valgrind or ASAN
-+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
-+  VALGRIND='valgrind --error-exitcode=1'
-+
-+{ printf '%s\n' aa bb; } > in || framework_failure_
-+
-+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
-+compare in out || fail=1
-+
-+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
-+compare in out || fail=1
-+
-+Exit $fail

coreutils-9.7.tar.xz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEbDfcEhIaUAa8HbgE32/ZcTBgN9kFAmf2WecACgkQ32/ZcTBg
-N9nppA/+MUNHBWrhVCFNzdMRQaSmwTyUkOpA+z4pL0a/i+9o3AD1RYF/Zrpen0+E
-6K9VTcYsmW/R7ZPL1xg4dl4WVBJ/1LrKu3D5ZP3kydpKH7PYriekeYR7dgJQMd9Q
-RIrE7RoXOWSa6aSEhQQ9U/9BQiGrwo46Ja9A3LSn/c8Ty1/49e5HA3pQG0U2GIGb
-cxLKz6nWcI2MYnTWm3nuSk0AlL9LetVEyoNR7SUufjzqCpgCZTAd7vN6y476A+kv
-ajsBVTj1OGj3FKNff/a5Qhc0i+Xmtn/81S5sG8DnTJtb7q1J7B/5odchq5jQsGyH
-8QfxYnu++pOgsLThGR98Io5hA/rqcofZFU2rIIXm65Qb7YB4yLgcS9m6STlUEFLU
-mOOF8I5pVvbxewUz0WVxit1ist1P+AIFwBvv3H/2zgl2AOua+WpKxt2gISRY9j1c
-E4KOvwlpu4ebFo2CcK0NxLF82YXY8sQQVtR1HCmg10inAZp0XsfRocbYj+dOnvY5
-7jthL4GxWAIeDrAiS/oJmtL0Savhq9hB6u6zR5G5Puh6SigDX0NmMPqMsGtQ3t8n
-GlnLldNVujaNe6NYYHSATGu6yHByBOSGNk7IDEeRFyF74p9w6gV+qJNYuS7EtXVt
-sdNiA/UIxhk0KyL4rhDwUw9AbbTP/HhlB+FD+LJX61bxQfFnWuQ=
-=YizV
------END PGP SIGNATURE-----

coreutils-9.9.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19bcb6ca867183c57d77155eae946c5eced88183143b45ca51ad7d26c628ca75
+size 6295160

coreutils-9.9.tar.xz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEbDfcEhIaUAa8HbgE32/ZcTBgN9kFAmkR8Z4ACgkQ32/ZcTBg
+N9nk2w/7BxVw5Gl2ImShu2rjiB4gOUi3IhZ1CO6wLbV3aqifJLOtOZbTDNjdL/KZ
+82QqLRxSRQhhv/UrUCY+HhLlDw2g7pAxrdo8QWCmZJOItgy0+pwUDo93PRMNoq8E
+kse75cNku2YTfPgi5NF0tDb8Nn8cTiXtCCafNsxo/ru3PPJlod5xgnlaunIFujLK
+zNuaCZosgraBQyR6SRpKU6cV/4303KWx6k7zjv9RkZ9mjlFr+XNw/0lgHgIIUlVr
+dYfI1/dTrGfcLTTJfXDTDXiuVtnxOeSfh2L7+52QvIONIouOhip3Y72faIyfejzg
+KjS/mQmykQYKsXRzHQVgjGp4jetihvFoDbTa9Na0lGxE1iexwbtbHqXAVpSBl3it
+nam2nZZ7oL4sgJG2h6VZnYVzvdsHuc+uuYixylxQgE2JFlBFjhnAPAPoHijmQq05
+o++qAGGC7i5cLbq7au8GXLBD6KX+JEEnaxleHsE3jXqLgwceWsOzkVFVfp8NXjZ/
+TjrgkSPxKrLF1bwSKnGov7lwlEBvOlBa9E3RTpVxWKiQ32JWzaXSwj7eBddSBOAt
+OgRG8yq2pWPx+oiAE/LGPspodyviQhImcA6rkpXBLHPZOOVZHcNbHeV0ZBSiVAfG
+VzJi2gxelMmQ7cLhgH86sVKJ8BDzSMuqc4l3VOWtSqKNP9Qo5BM=
+=vXzy
+-----END PGP SIGNATURE-----

coreutils-disable_tests.patch

@@ -6,18 +6,18 @@ Index: gnulib-tests/gnulib.mk
 ===================================================================
 --- gnulib-tests/gnulib.mk.orig
 +++ gnulib-tests/gnulib.mk
-@@ -1548,10 +1548,10 @@ EXTRA_DIST += getlocalename_l-unsafe.h l
+@@ -1604,10 +1604,10 @@ EXTRA_DIST += test-getloadavg.c signatur
  
  ## begin gnulib module getlogin-tests
  
 -TESTS += test-getlogin
 -check_PROGRAMS += test-getlogin
--test_getlogin_LDADD = $(LDADD) $(GETLOGIN_LIB)
+-test_getlogin_LDADD = $(LDADD) $(GETLOGIN_LIB) $(LIBINTL)
 -EXTRA_DIST += test-getlogin.c test-getlogin.h signature.h macros.h
-+# TESTS += test-getlogin
-+# check_PROGRAMS += test-getlogin
-+# test_getlogin_LDADD = $(LDADD) $(GETLOGIN_LIB)
-+# EXTRA_DIST += test-getlogin.c test-getlogin.h signature.h macros.h
++#TESTS += test-getlogin
++#check_PROGRAMS += test-getlogin
++#test_getlogin_LDADD = $(LDADD) $(GETLOGIN_LIB) $(LIBINTL)
++#EXTRA_DIST += test-getlogin.c test-getlogin.h signature.h macros.h
  
  ## end   gnulib module getlogin-tests
  

coreutils-getaddrinfo.patch

@@ -1,21 +0,0 @@
----
- gnulib-tests/test-getaddrinfo.c |    6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-Index: gnulib-tests/test-getaddrinfo.c
-===================================================================
---- gnulib-tests/test-getaddrinfo.c.orig
-+++ gnulib-tests/test-getaddrinfo.c
-@@ -115,11 +115,7 @@ simple (int pass, char const *host, char
-          the test merely because someone is down the country on their
-          in-law's farm. */
-       if (res == EAI_AGAIN)
--        {
--          skip++;
--          fprintf (stderr, "skipping getaddrinfo test: no network?\n");
--          return 77;
--        }
-+        return 0;
-       /* IRIX reports EAI_NONAME for "https".  Don't fail the test
-          merely because of this.  */
-       if (res == EAI_NONAME)

coreutils-remove_hostname_documentation.patch

@@ -6,7 +6,7 @@ Index: doc/coreutils.texi
 ===================================================================
 --- doc/coreutils.texi.orig
 +++ doc/coreutils.texi
-@@ -73,7 +73,6 @@
+@@ -69,7 +69,6 @@
  * groups: (coreutils)groups invocation.         Print group names a user is in.
  * head: (coreutils)head invocation.             Output the first part of files.
  * hostid: (coreutils)hostid invocation.         Print numeric host identifier.
@@ -14,7 +14,7 @@ Index: doc/coreutils.texi
  * id: (coreutils)id invocation.                 Print user identity.
  * install: (coreutils)install invocation.       Copy files and set attributes.
  * join: (coreutils)join invocation.             Join lines on a common field.
-@@ -206,7 +205,7 @@ Free Documentation License''.
+@@ -202,7 +201,7 @@ Free Documentation License''.
  * File name manipulation::       dirname basename pathchk mktemp realpath
  * Working context::              pwd stty printenv tty
  * User information::             id logname whoami groups users who
@@ -23,7 +23,7 @@ Index: doc/coreutils.texi
  * SELinux context::              chcon runcon
  * Modified command invocation::  chroot env nice nohup stdbuf timeout
  * Process control::              kill
-@@ -430,7 +429,6 @@ System context
+@@ -427,7 +426,6 @@ System context
  * date invocation::              Print or set system date and time
  * nproc invocation::             Print the number of processors
  * uname invocation::             Print system information
@@ -31,7 +31,7 @@ Index: doc/coreutils.texi
  * hostid invocation::            Print numeric host identifier
  * uptime invocation::            Print system uptime and load
  
-@@ -16482,7 +16480,6 @@ information.
+@@ -16609,7 +16607,6 @@ information.
  * arch invocation::             Print machine hardware name.
  * nproc invocation::            Print the number of processors.
  * uname invocation::            Print system information.
@@ -39,7 +39,7 @@ Index: doc/coreutils.texi
  * hostid invocation::           Print numeric host identifier.
  * uptime invocation::           Print system uptime and load.
  @end menu
-@@ -17395,15 +17392,6 @@ This is non-portable, even across GNU/Li
+@@ -17614,15 +17611,6 @@ This is non-portable, even across GNU/Li
  Print the machine hardware name (sometimes called the hardware class
  or hardware type).
  
@@ -55,7 +55,7 @@ Index: doc/coreutils.texi
  @item -p
  @itemx --processor
  @opindex -p
-@@ -17457,34 +17445,6 @@ Print the kernel version.
+@@ -17676,34 +17664,6 @@ Print the kernel version.
  
  @exitstatus
  

coreutils-remove_kill_documentation.patch

@@ -6,7 +6,7 @@ Index: doc/coreutils.texi
 ===================================================================
 --- doc/coreutils.texi.orig
 +++ doc/coreutils.texi
-@@ -76,7 +76,6 @@
+@@ -72,7 +72,6 @@
  * id: (coreutils)id invocation.                 Print user identity.
  * install: (coreutils)install invocation.       Copy files and set attributes.
  * join: (coreutils)join invocation.             Join lines on a common field.
@@ -14,7 +14,7 @@ Index: doc/coreutils.texi
  * link: (coreutils)link invocation.             Make hard links between files.
  * ln: (coreutils)ln invocation.                 Make links between files.
  * logname: (coreutils)logname invocation.       Print current login name.
-@@ -208,7 +207,6 @@ Free Documentation License''.
+@@ -204,7 +203,6 @@ Free Documentation License''.
  * System context::               date arch nproc uname hostid uptime
  * SELinux context::              chcon runcon
  * Modified command invocation::  chroot env nice nohup stdbuf timeout
@@ -22,7 +22,7 @@ Index: doc/coreutils.texi
  * Delaying::                     sleep
  * Numeric operations::           factor numfmt seq
  * File permissions::             Access modes
-@@ -457,10 +455,6 @@ Modified command invocation
+@@ -454,10 +452,6 @@ Modified command invocation
  * stdbuf invocation::            Run a command with modified I/O buffering
  * timeout invocation::           Run a command with a time limit
  
@@ -33,7 +33,7 @@ Index: doc/coreutils.texi
  Delaying
  
  * sleep invocation::             Delay for a specified time
-@@ -18923,90 +18917,6 @@ timeout -s INT 5s env --ignore-signal=IN
+@@ -19141,90 +19135,6 @@ timeout -s INT 5s env --ignore-signal=IN
  timeout -s INT -k 3s 5s env --ignore-signal=INT sleep 20
  @end example
  

coreutils-skip-gnulib-test-tls.patch

@@ -21,7 +21,7 @@ Index: gnulib-tests/gnulib.mk
 ===================================================================
 --- gnulib-tests/gnulib.mk.orig
 +++ gnulib-tests/gnulib.mk
-@@ -3605,9 +3605,10 @@ EXTRA_DIST += test-timespec.c macros.h
+@@ -3844,9 +3844,10 @@ EXTRA_DIST += test-timespec.c macros.h
  
  ## begin gnulib module tls-tests
  

coreutils-tests-shorten-extreme-factor-tests.patch

@@ -9,14 +9,14 @@ or arm6l.  Strip the tests down from 37 to 3.
 * tests/local.mk (factor_tests): From the sequence of the tests
 00..36, remove all but t00, t05 and t36.
 ---
- tests/local.mk |   11 +++--------
- 1 file changed, 3 insertions(+), 8 deletions(-)
+ tests/local.mk |    9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
 
 Index: tests/local.mk
 ===================================================================
 --- tests/local.mk.orig
 +++ tests/local.mk
-@@ -759,14 +759,9 @@ all_tests =					\
+@@ -783,13 +783,8 @@ all_tests =					\
  # See tests/factor/create-test.sh.
  tf = tests/factor
  factor_tests = \
@@ -27,10 +27,8 @@ Index: tests/local.mk
 -  $(tf)/t20.sh $(tf)/t21.sh $(tf)/t22.sh $(tf)/t23.sh $(tf)/t24.sh \
 -  $(tf)/t25.sh $(tf)/t26.sh $(tf)/t27.sh $(tf)/t28.sh $(tf)/t29.sh \
 -  $(tf)/t30.sh $(tf)/t31.sh $(tf)/t32.sh $(tf)/t33.sh $(tf)/t34.sh \
--  $(tf)/t35.sh $(tf)/t36.sh $(tf)/t37.sh
 +  $(tf)/t00.sh \
 +  $(tf)/t05.sh \
-+  $(tf)/t36.sh $(tf)/t37.sh
+   $(tf)/t35.sh $(tf)/t36.sh $(tf)/t37.sh $(tf)/t38.sh $(tf)/t39.sh \
+   $(tf)/t40.sh
  
- $(factor_tests): $(tf)/run.sh $(tf)/create-test.sh
- 	$(AM_V_GEN)$(MKDIR_P) $(tf)

coreutils-tests-workaround-make-fdleak.patch

@@ -6,7 +6,7 @@ Index: tests/init.sh
 ===================================================================
 --- tests/init.sh.orig
 +++ tests/init.sh
-@@ -731,6 +731,16 @@ compare ()
+@@ -738,6 +738,16 @@ compare ()
  }
  
  # -----------------------------------------------------------------------------

coreutils.changes

@@ -1,3 +1,215 @@
+-------------------------------------------------------------------
+Tue Nov 11 08:12:40 UTC 2025 - Bernhard Voelker <mail@bernhard-voelker.de>
+
+- Update to 9.9:
+  Bug fixes
+  * `basenc --base58` would not operate correctly with input > 15561475 bytes.
+    [bug introduced with --base58 in coreutils-9.8]
+  * 'cksum --check' now supports base64 encoded input in untagged format:
+     - for all length adjustable algorithms (blake2b, sha2, sha3),
+     - if that base64 input starts with a tag like "SHA1" etc.
+    Previously an error was given, about invalid input format.
+    [bug introduced in coreutils-9.2]
+  * 'cksum --check -a sha2' has better support for tagged format.  Previously
+    an unneeded but explicit '-a sha2' did not match standard tags like SHA256.
+    Also non standard SHA2 tags with a bad length resulted in undefined behavior.
+    [bug introduced in coreutils-9.8]
+  * 'cp' restores performance with transparently compressed files, which
+    regressed due to the avoidance of copy offload, seen with OpenZFS at least.
+    [bug introduced in coreutils-9.8]
+  * `env` on macOS, for now only when built with --disable-nls,
+    will no longer always set a __CF_USER_TEXT_ENCODING environment variable.
+    [bug introduced in coreutils-9.8]
+  * 'nice' now limits the adjusted niceness value to its supported range on
+    GNU/Hurd.
+    [This bug was present in "the beginning".]
+  * 'numfmt' no longer reads out-of-bounds memory with trailing blanks in input.
+    [bug introduced with numfmt in coreutils-8.21]
+  * 'numfmt' no longer outputs invalid characters with multi-byte blanks in input.
+    [bug introduced in coreutils-9.5]
+  * 'rm -d DIR' no longer fails on Ceph snapshot directories.
+    Although these directories are nonempty, 'rmdir DIR' succeeds on them.
+    [bug introduced in coreutils-8.16]
+  * 'sort --compress-program' now diagnoses if it can't write more data to an
+    exited compressor.  Previously sort could have exited silently in this case.
+    [bug introduced in coreutils-6.8]
+  * 'tail' outputs the correct number of lines again for non-small -n values.
+    Previously it may have output too few lines.
+    [bug introduced in coreutils-9.8]
+  * 'unexpand' no longer triggers a heap buffer overflow with --tabs arguments
+    that use the GNU extension /NUM or +NUM formats.
+    [bug introduced in coreutils-8.28]
+  Changes in behavior
+  * 'cp' with default options may again, like with versions before v9.8,
+    miss opportunities to create holes with file systems that support
+    SEEK_HOLE only trivially.  This change is a consequence of the
+    abovementioned copy offload fix.
+  * 'sort --compress-program' will continue without compressing temporary files
+    if the specified program cannot be executed.  Also malformed shell scripts
+    without a "shebang line" will no longer be executed.
+  New Features
+  * 'numfmt' now accepts the --unit-separator=SEP option, to output or accept
+    a separator between the number and unit.  For e.g. "1234 M".
+  Improvements
+  * 'fmt', 'date', 'nl', and 'pr' will now exit promptly upon receiving a write
+    error, which is significant when reading large / unbounded inputs.
+  * install, sort, and split now use posix_spawn() to invoke child programs more
+    efficiently and more independently from their own memory usage.
+  * 'numfmt':
+    - parses numbers with a non-breaking space character before a unit
+    - parses numbers containing grouping characters from the current locale
+    - supports a multi-byte --delimiter character
+    - no longer processes input indefinitely in the presence of write errors
+  *  wc -l now operates 10% faster on hosts that support AVX512 instructions.
+  Build-related
+  * chcon and runcon are not built by default if selinux headers are not present,
+    or if the --without-selinux configure option is specified.
+    This can be overridden with the --with-selinux configure option.
+  * nproc no longer fails to build with Android API level <= 20.
+    [build issue introduced in coreutils-9.8]
+- coreutils-9.8-tail-large-num-of-files.patch: Remove now-upstream patch.
+- coreutils-i18n.patch: Refresh patch.
+- Refresh all other patches.
+
+
+-------------------------------------------------------------------
+Thu Sep 25 18:57:34 UTC 2025 - Bernhard Voelker <mail@bernhard-voelker.de>
+
+- coreutils-9.8-tail-large-num-of-files.patch: Add upstream patch:
+  https://cgit.git.sv.gnu.org/cgit/coreutils.git/commit/?id=914972e80dbf82aac9ffe
+  tail: fix tailing larger number of lines in regular files [rh#2398008]
+
+-------------------------------------------------------------------
+Tue Sep 23 19:39:43 UTC 2025 - Bernhard Voelker <mail@bernhard-voelker.de>
+
+- Update to 9.8:
+  Bug fixes
+  * 'b2sum' will diagnose --length values that are too big.
+    Previously it would have silently assumed 512 for any larger values.
+    [bug introduced in coreutils-9.6]
+  * 'base32' and 'base64' when decoding will again diagnose partially
+    padded data that ends with a newline.
+    [bug introduced in coreutils-9.5]
+  * 'basenc -d -i' will now strip '=' characters from the input
+    in encodings where padding characters are not valid.
+    [bug introduced with the basenc program in coreutils-8.31]
+  * 'cp -p' had spurious "Operation not supported" failures when
+    copying to non-NFS files from NFSv4 files with trivial ACLs.
+    [bug introduced in coreutils-9.6]
+  * 'cp --sparse=always' missed some opportunities to create holes.
+    That is, although the copies had the correct data, sometimes
+    data zeros used extents rather than holes.
+    [This bug was present in "the beginning".]
+  * cp missed opportunities to create holes when copying from file
+    systems like squashfs that support SEEK_HOLE only trivially.
+    [bug introduced in coreutils-9.0]
+  * cp, install, and mv now avoid possible data corruption on
+    glibc 2.41 and 2.42 systems when copy_file_range is used with ranges > 2GiB,
+    avoiding https://sourceware.org/PR33245
+    [bug triggered since coreutils-9.0]
+  * 'date' supports specifying multiple named formats with the last taking
+    precedence.  Previously multiple specifications would induce an error.
+    [bug introduced in coreutils-5.90]
+  * 'dd oflag=seek_bytes' no longer mistakenly reports errors when the
+    output file exists on GNU/Hurd.
+    [bug introduced in coreutils-8.16]
+  * 'fold' no longer exhausts memory when processing large inputs
+    with a very large --width argument.
+    [This bug was present in "the beginning".]
+  * 'install -d' now produces the correct diagnostic upon failure
+    to create a directory.  Previously it would have produced
+    a confusing error about changing permissions.
+    [This bug was present in "the beginning".]
+  * "ls --size --block-size=\'k" could misalign output in locales
+    with multi-byte thousands grouping characters.
+    [This bug was present in "the beginning".]
+  * 'nohup' avoids implementation defined behavior setting umask,
+    avoiding a FORTIFY runtime failure on Bionic libc.
+    [This bug was present in "the beginning".]
+  * 'od --strings' with '-N' now works correctly.  Previously od might
+    write a NUL byte after a heap buffer, or output invalid addresses.
+    [These bugs were present in "the beginning".]
+  * 'od -w0' will now issue a diagnostic and exit gracefully.
+    Previously it would have aborted.
+    [bug introduced in coreutils-9.3]
+  * 'od -w' no longer silently mishandles enormous widths like 3037000500.
+    Instead, it either outputs correctly or diagnoses a too-large width.
+    [This bug was present in "the beginning".]
+  * 'od +N.' (where N is a decimal number) works again as per POSIX.
+    [bug introduced in textutils-2.0]
+  * 'od /dev/null ++0' no longer mistakenly treats the ++0 as an offset.
+    [This bug was present in "the beginning".]
+  * 'sort' with key character offsets of SIZE_MAX, could induce
+    a read of 1 byte before an allocated heap buffer. For example:
+    'sort +0.18446744073709551615R input' on 64 bit systems.
+    [bug introduced in coreutils-7.2]
+  * stdbuf now works on AIX.  Previously it would have been ineffective.
+    [bug introduced with the stdbuf program in coreutils-7.5]
+  * 'tail -n NUM' no longer can output more than NUM lines if stdin
+    is a largish regular file with a nonzero initial offset, and grows
+    while 'tail' is reading it.
+    [This bug was present in "the beginning".]
+  * 'tail -f -n +NUM' no longer mishandles NUM values >= UINTMAX_MAX
+    when the input is seekable.
+    [bug introduced in coreutils-9.6]
+  * 'tail --pid' avoids some unlikely races if the kernel reuses PIDs.
+    [bug introduced in coreutils-9.5]
+  * 'tty' now exits with status 4 with a special diagnostic if ttyname
+    fails even though standard input is a tty.  Formerly it quietly
+    pretended that standard input was not a tty.
+    [This bug was present in "the beginning".]
+  New Features
+  * basenc supports the --base58 option to encode and decode
+    the visually unambiguous Base58 encoding.
+  * 'cksum -a' now supports the 'sha3' argument, to use the SHA3-224,
+    SHA3-256, SHA3-384, SHA3-512 message digest algorithms depending on
+    the argument passed to the required --length (-l) option.
+  * 'cksum -a' now supports the 'sha2' argument, as a more consistent
+    interface than the existing 'sha224', 'sha256', 'sha384', 'sha512'
+    arguments, which are now selected with the --length (-l) option.
+  * 'date' now outputs dates in the country's native calendar for the
+    Iranian locale (fa_IR) and for the Ethiopian locale (am_ET), and also
+    does so more consistently for the Thailand locale (th_TH.UTF-8).
+  * fold now supports multi-byte characters, honoring their column width.
+    Also the --characters (-c) option was added to wrap at a certain
+    number of characters, similarly to --bytes in uni-byte locales.
+  * nproc now honors any cgroup v2 configured CPU quotas,
+    which may reduce the effective number of processors available.
+  * stty supports setting arbitrary baud rates on supported systems,
+    like Hurd, Linux with glibc >= 2.42, and some BSDs.
+    Also on other systems the full set of supported baud rates
+    is determined at build time if possible.
+  * Commands that support hardware acceleration like cksum and wc
+    can now disable this acceleration at runtime through the
+    commonly used GLIBC_TUNABLES environment variable.  For example
+    to disable the use of AVX512 instructions in cksum, you can:
+      export GLIBC_TUNABLES='glibc.cpu.hwcaps=-AVX512F'
+  Changes to conform better to POSIX.1-2024
+  * readlink now defaults to being verbose if the POSIXLY_CORRECT
+    environment variable is set.
+  * realpath now supports -E, which specifies the default behavior.
+    The corresponding long option is --canonicalize.
+  * tsort now accepts and ignores -w.
+  Improvements
+  * 'factor' is now much faster at identifying large prime numbers,
+    and significantly faster on composite numbers greater than 2^128.
+  * fold now exits immediately upon receiving a write error,
+    which is significant when reading large / unbounded inputs.
+  * 'seq' is more accurate with large integer start values.
+    Previously 'seq 18446744073709551617 inf | head -n1' would
+    output the number before the user specified start value.
+  Build-related
+  * cksum was not compilable by Apple LLVM 10.0.0 x86-64, which
+    lacks support for checking for the VPCLMULQDQ instruction.
+    [bug introduced in coreutils-9.6]
+- coreutils-9.7-sort-CVE-2025-5278.patch: Remove now-upstream patch.
+- coreutils-getaddrinfo.patch: Likewise.
+- coreutils-i18n.patch: Refresh patch.
+  Remove i18n part for fold(1).
+  Remove the mbchar part as it is now already pulled in upstream
+  indirectly via the manywarnings gnulib module.
+- Refresh all other patches.
+
 -------------------------------------------------------------------
 Mon Jun  2 09:30:09 UTC 2025 - rw@suse.com
 

coreutils.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package coreutils
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,7 +30,7 @@
 %global psuffix %{nil}
 %endif
 Name:           coreutils%{?psuffix}
-Version:        9.7
+Version:        9.9
 Release:        0
 Summary:        GNU Core Utilities
 License:        GPL-3.0-or-later
@@ -44,11 +44,8 @@ Patch1:         coreutils-remove_hostname_documentation.patch
 Patch3:         coreutils-remove_kill_documentation.patch
 Patch4:         coreutils-i18n.patch
 Patch8:         coreutils-sysinfo.patch
-Patch10:        coreutils-9.7-sort-CVE-2025-5278.patch
 # OBS / RPMLINT require /usr/bin/timeout to be built with the -fpie option.
 Patch100:       coreutils-build-timeout-as-pie.patch
-# There is no network in the build root so make the test succeed
-Patch112:       coreutils-getaddrinfo.patch
 # Assorted fixes
 Patch113:       coreutils-misc.patch
 # Skip 2 valgrind'ed sort tests on ppc/ppc64 which would fail due to
@@ -143,16 +140,14 @@ This package contains the documentation for the GNU Core Utilities.
 
 %prep
 %setup -q -n coreutils-%{version}
-%patch -P 4 -p1
+%patch -P 4
 %patch -P 1
 %patch -P 3
 %patch -P 8
-%patch -P 10 -p1
 #
 %if 0%{?suse_version} <= 1320
 %patch -P 100
 %endif
-%patch -P 112
 %patch -P 113
 
 %patch -P 300