diff --git a/xz-5.4.2.tar.gz b/xz-5.4.2.tar.gz
deleted file mode 100644
index c3b69b7..0000000
--- a/xz-5.4.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:87947679abcf77cc509d8d1b474218fd16b72281e2797360e909deaee1ac9d05
-size 2799022
diff --git a/xz-5.4.2.tar.gz.sig b/xz-5.4.2.tar.gz.sig
deleted file mode 100644
index 7876e92..0000000
Binary files a/xz-5.4.2.tar.gz.sig and /dev/null differ
diff --git a/xz-5.6.2.tar.xz b/xz-5.6.2.tar.xz
new file mode 100644
index 0000000..3d06995
--- /dev/null
+++ b/xz-5.6.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a9db3bb3d64e248a0fae963f8fb6ba851a26ba1822e504dc0efd18a80c626caf
+size 1307448
diff --git a/xz-5.6.2.tar.xz.sig b/xz-5.6.2.tar.xz.sig
new file mode 100644
index 0000000..93d8424
Binary files /dev/null and b/xz-5.6.2.tar.xz.sig differ
diff --git a/xz.changes b/xz.changes
index 8a06f28..f59d27a 100644
--- a/xz.changes
+++ b/xz.changes
@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu May 30 06:08:18 UTC 2024 - Paolo Stivanin
+
+- Update to 5.6.2:
+ * Remove the backdoor (CVE-2024-3094).
+ * Not changed: Memory sanitizer (MSAN) has a false positive
+ in the CRC CLMUL code which also makes OSS Fuzz unhappy.
+ Valgrind is smarter and doesn't complain.
+ A revision to the CLMUL code is coming anyway and this issue
+ will be cleaned up as part of it. It won't be backported to
+ 5.6.x or 5.4.x because the old code isn't wrong. There is
+ no reason to risk introducing regressions in old branches
+ just to silence a false positive.
+ * liblzma:
+ - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
+ a missing output pointer initialization (*i = NULL) if the
+ functions are called with invalid arguments. The API docs
+ say that such an initialization is always done. In practice
+ this matters very little because the problem can only occur
+ if the calling application has a bug and these functions
+ return LZMA_PROG_ERROR.
+ - lzma_str_to_filters(): Fix a missing output pointer
+ initialization (*error_pos = 0). This is very similar
+ to the fix above.
+ - Fix C standard conformance with function pointer types.
+ - Remove GNU indirect function (IFUNC) support. This is *NOT*
+ done for security reasons even though the backdoor relied on
+ this code. The performance benefits of IFUNC are too tiny in
+ this project to make the extra complexity worth it.
+ - FreeBSD on ARM64: Add error checking to CRC32 instruction
+ support detection.
+ - Fix building with NVIDIA HPC SDK.
+ * xz:
+ - Fix a C standard conformance issue in --block-list parsing
+ (arithmetic on a null pointer).
+ - Fix a warning from GNU groff when processing the man page:
+ "warning: cannot select font 'CW'"
+ * xzdec: Add support for Linux Landlock ABI version 4. xz already
+ had the v3-to-v4 change but it had been forgotten from xzdec.
+
 -------------------------------------------------------------------
 Fri Apr 12 16:22:12 UTC 2024 - Dirk Müller
 
diff --git a/xz.spec b/xz.spec
index 3c30e74..46d87ef 100644
--- a/xz.spec
+++ b/xz.spec
@@ -23,17 +23,15 @@
 %bcond_with static
 %endif
 
-%global real_ver 5.4.2
-
 Name: xz
-Version: 5.6.1.revertto5.4
+Version: 5.6.2
 Release: 0
 Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
 License: 0BSD AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later
 Group: Productivity/Archiving/Compression
 URL: https://tukaani.org/xz/
-Source0: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz
-Source1: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz.sig
+Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz
+Source1: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz.sig
 Source2: baselibs.conf
 Source3: https://tukaani.org/misc/lasse_collin_pubkey.txt#/xz.keyring
 Source4: xznew
@@ -93,7 +91,7 @@ Static library for the LZMA library
 %endif
 
 %prep
-%autosetup -n xz-%{real_ver}
+%autosetup -p1
 
 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
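Review bot: The new `Source0` line fetches `xz-%{version}.tar.xz` where the removed line fetched a `.tar.gz`, so unpacking this package's own source now needs a working xz in the build root, a bootstrap dependency the old spec did not have. If that is intended, say so next to the line, for example `# .tar.xz on purpose: the build root always provides xz`; otherwise keep the `.tar.gz` release asset, assuming upstream still publishes one for this version. The rest of the preamble lies outside the hunk, so any BuildRequires that covers this is not visible here.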
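Review bot: Nothing visible in `%prep` checks `Source0` against the detached signature in `Source1` and the keyring in `Source3`; the section as shown is only `%autosetup -p1`. For an update whose first changelog entry is the removal of the CVE-2024-3094 backdoor, the place where the tarball is authenticated should be stated, e.g. a comment above `%autosetup` such as `# Source0 is verified against Source1 with xz.keyring by <verification step>, not in %prep`. `-p1` only matters when patches exist, and no `Patch` lines appear in either hunk; the rest of the spec is outside the diff.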