From 1afea8e106c64c5020c8171802f3fc6d99708a347ec0b3963e6ca20287e66150 Mon Sep 17 00:00:00 2001 
From: Antonio Teixeira
Date: Fri, 31 May 2024 12:27:32 +0000
Subject: [PATCH] Accepting request 1177678 from home:polslinux:branches:Base:System

- Update to 5.6.2:
  * Remove the backdoor (CVE-2024-3094).
  * Not changed: Memory sanitizer (MSAN) has a false positive in the CRC CLMUL code which also makes OSS Fuzz unhappy. Valgrind is smarter and doesn't complain. A revision to the CLMUL code is coming anyway and this issue will be cleaned up as part of it. It won't be backported to 5.6.x or 5.4.x because the old code isn't wrong. There is no reason to risk introducing regressions in old branches just to silence a false positive.
  * liblzma:
    - lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR.
    - lzma_str_to_filters(): Fix a missing output pointer initialization (*error_pos = 0). This is very similar to the fix above.
    - Fix C standard conformance with function pointer types.
    - Remove GNU indirect function (IFUNC) support. This is *NOT* done for security reasons even though the backdoor relied on this code. The performance benefits of IFUNC are too tiny in this project to make the extra complexity worth it.
    - FreeBSD on ARM64: Add error checking to CRC32 instruction support detection.
    - Fix building with NVIDIA HPC SDK.
* xz: OBS-URL: https://build.opensuse.org/request/show/1177678 OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=165 --- xz-5.4.2.tar.gz | 3 --- xz-5.4.2.tar.gz.sig | Bin 566 -> 0 bytes xz-5.6.2.tar.xz | 3 +++ xz-5.6.2.tar.xz.sig | Bin 0 -> 566 bytes xz.changes | 40 ++++++++++++++++++++++++++++++++++++++++ xz.spec | 10 ++++------ 6 files changed, 47 insertions(+), 9 deletions(-) delete mode 100644 xz-5.4.2.tar.gz delete mode 100644 xz-5.4.2.tar.gz.sig create mode 100644 xz-5.6.2.tar.xz create mode 100644 xz-5.6.2.tar.xz.sig diff --git a/xz-5.4.2.tar.gz b/xz-5.4.2.tar.gz deleted file mode 100644 index c3b69b7..0000000 --- a/xz-5.4.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:87947679abcf77cc509d8d1b474218fd16b72281e2797360e909deaee1ac9d05 -size 2799022 diff --git a/xz-5.4.2.tar.gz.sig b/xz-5.4.2.tar.gz.sig deleted file mode 100644 index 7876e927bd8c0a347b916bf841e7e4acb5a202e66a1552bd31b193d37bc858f4..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SW*e79j*SkitODQM6|bFs&Ro?sa`>7)Brk0%R5CP5=rC5IF92 zeQ6j*AbZ{q|4z8BPxQ9l=?ie84$gtwNjGHtc7#xq9?tQL6SyPkL(11cxRYXb#Rj>% zf@0%E66FIUH4kZW_j>weKPH-cZFum{#-Q^EmB=TPA87sKKVkifaW z1}(CfGE@O0HjVTor%jA5_|nzi{pd7y%DvWViwd;LjJF{iIds}V4jd2Jg5swssAWl zW7N2*B+eOu1;oC|iL#eKD1EOQuOPuKhdi9Qh@NwZatn&f`tI>h+kNp!Snzg1VV`hn z(|_4l7dR+tn*?iHawG0=U1XApI%9X%j8LuTHvOlGE+^Y$=uE0usy&e!2X4Ya_mi)) z=}Ry|fk`fm6clQn$*`_?!23%(Y?8>p! EpEw^4;{X5v diff --git a/xz-5.6.2.tar.xz b/xz-5.6.2.tar.xz new file mode 100644 index 0000000..3d06995 --- /dev/null +++ b/xz-5.6.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a9db3bb3d64e248a0fae963f8fb6ba851a26ba1822e504dc0efd18a80c626caf +size 1307448 
diff --git a/xz-5.6.2.tar.xz.sig b/xz-5.6.2.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..93d8424bce1de8fae7deb3ad9b76f5f1ccce03455d500f53df238c9c72a63ac6 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SW*e79j*SkitODQM6|bFs&Ro?sa`>7)Brk0%liRt^f)N5IF92 zeQ6j*AZ}$3{vn&m9l>+8M$1jMtwPjs_11aJU4=vLq9S5S?Lk#`Uhl9&h_-WrI});! zjMZ&!_iU^&A!u9fQZoSM?<@4py4cHBm@soULY(^=c5JDCGatCp`$cNmdCy2#16>;XMWA2 z%)*|eV0g?agqo)bKN=K&zZ0IOJ0iM1NC5KUDAqSt9qi`jjWPV2gW~`F7ApPVds6HA zJ0}!i3AHbwSP%`}XN>kLEbjL=ZUKEvak$x}-Icru({9$@PAWDs?V)XUV*gx0x2Dx8 z5v&b^ay5d|X?>$|rSLtdzCWoTj=EjiOV7B6lhq0Ae?2f2MI(mDM5q>J+?DW)XjHpW zK9H%6pp!yzCvn&H@p!Ek-T^sDcO4D@*AwB) + +- Update to 5.6.2: + * Remove the backdoor (CVE-2024-3094). + * Not changed: Memory sanitizer (MSAN) has a false positive + in the CRC CLMUL code which also makes OSS Fuzz unhappy. + Valgrind is smarter and doesn't complain. + A revision to the CLMUL code is coming anyway and this issue + will be cleaned up as part of it. It won't be backported to + 5.6.x or 5.4.x because the old code isn't wrong. There is + no reason to risk introducing regressions in old branches + just to silence a false positive. + * liblzma: + - lzma_index_decoder() and lzma_index_buffer_decode(): Fix + a missing output pointer initialization (*i = NULL) if the + functions are called with invalid arguments. The API docs + say that such an initialization is always done. In practice + this matters very little because the problem can only occur + if the calling application has a bug and these functions + return LZMA_PROG_ERROR. + - lzma_str_to_filters(): Fix a missing output pointer + initialization (*error_pos = 0). This is very similar + to the fix above. + - Fix C standard conformance with function pointer types. + - Remove GNU indirect function (IFUNC) support. This is *NOT* + done for security reasons even though the backdoor relied on + this code. 
The performance benefits of IFUNC are too tiny in + this project to make the extra complexity worth it. + - FreeBSD on ARM64: Add error checking to CRC32 instruction + support detection. + - Fix building with NVIDIA HPC SDK. + * xz: + - Fix a C standard conformance issue in --block-list parsing + (arithmetic on a null pointer). + - Fix a warning from GNU groff when processing the man page: + "warning: cannot select font 'CW'" + * xzdec: Add support for Linux Landlock ABI version 4. xz already + had the v3-to-v4 change but it had been forgotten from xzdec. + ------------------------------------------------------------------- Fri Apr 12 16:22:12 UTC 2024 - Dirk Müller diff --git a/xz.spec b/xz.spec index 3c30e74..46d87ef 100644 --- a/xz.spec +++ b/xz.spec @@ -23,17 +23,15 @@ %bcond_with static %endif -%global real_ver 5.4.2 - Name: xz -Version: 5.6.1.revertto5.4 +Version: 5.6.2 Release: 0 Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm License: 0BSD AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later Group: Productivity/Archiving/Compression URL: https://tukaani.org/xz/ -Source0: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz -Source1: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz.sig +Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz +Source1: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz.sig Source2: baselibs.conf Source3: https://tukaani.org/misc/lasse_collin_pubkey.txt#/xz.keyring Source4: xznew @@ -93,7 +91,7 @@ Static library for the LZMA library %endif %prep -%autosetup -n xz-%{real_ver} +%autosetup -p1 %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
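Review bot: For the xz-5.6.2.tar.xz LFS pointer hunk and its companion xz-5.6.2.tar.xz.sig hunk, the check that matters before accepting is that the .sig validates against the key pinned in Source3 (`lasse_collin_pubkey.txt#/xz.keyring`, which this patch leaves unchanged) and that the pointer's `oid sha256:a9db3bb3d64e248a0fae963f8fb6ba851a26ba1822e504dc0efd18a80c626caf` matches the tarball fetched from the new Source0 URL. The request text says 5.6.2 is the release that removes the backdoor (CVE-2024-3094), so tarball provenance is the substance of this change rather than a formality; shipping the tarball and its signature in the same commit, as done here, is the right shape.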
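Review bot: The xz.changes hunk as shown begins directly with `+- Update to 5.6.2:`; neither its `@@` header nor the `.changes` entry header (the dashed separator followed by a `Day Mon DD HH:MM:SS UTC YYYY - Author` line, in the form of the trailing context `Fri Apr 12 16:22:12 UTC 2024 - Dirk Müller`) is visible, and the visible `+` lines number fewer than the 40 the diffstat reports for this file. Confirm the entry header with the correct timestamp and author is present, since `osc vc` tooling and changelog parsers key on it. The entry body is the upstream NEWS text verbatim, which is fine for a changelog of this kind.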
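Review bot: In the `@@ -23,17 +23,15 @@` hunk of xz.spec, the Version change from `5.6.1.revertto5.4` to `5.6.2` gives a clean upgrade path without an Epoch bump: rpm compares dotted segments numerically, so `5.6.2` sorts above `5.6.1.revertto5.4` at the third segment. Dropping `%global real_ver 5.4.2` is consistent with Source0 and Source1 now using `%{version}` and the `.tar.xz` upstream artifact, but grep the rest of the spec for any surviving `%{real_ver}` reference: rpm leaves an undefined macro as the literal text `%{real_ver}`, so a leftover would produce a broken path or URL rather than a loud failure. Source3 stays as the keyring, so the new .sig must verify against `lasse_collin_pubkey.txt`.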
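Review bot: In the `@@ -93,7 +91,7 @@` hunk of xz.spec, `%autosetup -p1` replaces `-n xz-%{real_ver}` and so relies on the tarball unpacking to the default `%{name}-%{version}` directory, i.e. xz-5.6.2; that matches upstream's naming but is the first line to break if the directory name ever differs, so check the build log for the `cd` into that directory. The added `-p1` applies any `Patch` sources with strip level 1, and none are visible in this diff's context: either confirm the spec carries patches that need it or leave the flag off to keep the line minimal.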