* Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with
invalid input. (bsc#1240414, CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole
input file was provided at once to lzma_code(), the output
buffer was big enough, timeout was disabled, and LZMA_FINISH
was used. There are no bug reports about this, thus it's
possible that no real-world application was affected.
* Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
build with Oracle Developer Studio 12.6 on Solaris 10 when the
compiler is in C11 mode (the header doesn't exist).
* Autotools: Restore compatibility with GNU make versions older
than 4.0 by creating the package using GNU gettext 0.23.1
infrastructure instead of 0.24.
* Update Croatian translation.
- 5.8.0 changelog:
* liblzma on 32/64-bit x86: When possible, use SSE2 intrinsics
instead of memcpy() in the LZMA/LZMA2 decoder. In typical cases,
this may reduce decompression time by 0-5 %. However, when built
against musl libc, over 15 % time reduction was observed with
highly compressed files.
* CMake: Make the feature test macros match the Autotools-based
build on NetBSD, Darwin, and mingw-w64.
* Update the Croatian, Italian, Portuguese, and Romanian
translations.
* Update the German, Italian, Korean, Romanian, Serbian, and
Ukrainian man page translations.
- Summary of changes in the 5.7.x development releases:
* Mark the following LZMA Utils script aliases as deprecated:
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=171
* liblzma:
- Fix x86-64 inline assembly compatibility with GNU Binutils
older than 2.27.
- Fix the build with GCC 4.2 on OpenBSD/sparc64.
* xzdec: Display an error instead of failing silently if the
unsupported option -M is specified.
* lzmainfo: Fix integer overflows when rounding the dictionary and
uncompressed sizes to the nearest mebibyte.
* Autotools-based build:
- Fix feature checks with link-time optimization (-flto).
- Solaris: Fix a compatibility issue in version.sh. It matters
if one wants to regenerate configure by running autoconf.
* CMake:
- Use paths relative to ${prefix} in liblzma.pc when possible.
This is done only with CMake >= 3.20.
- Prefer a C11 compiler over a C99 compiler but accept both.
- Link Threads::Threads against liblzma using PRIVATE so that
-pthread and such flags won't unnecessarily get included in
the usage requirements of shared liblzma. That is,
target_link_libraries(foo PRIVATE liblzma::liblzma) no
longer adds -pthread if using POSIX threads and linking
against shared liblzma. The threading flags are still added
if linking against static liblzma.
* Updated translations: Catalan, Chinese (simplified), and
Brazilian Portuguese.
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=167
- Update to 5.6.2:
* Remove the backdoor (CVE-2024-3094).
* Not changed: Memory sanitizer (MSAN) has a false positive
in the CRC CLMUL code which also makes OSS Fuzz unhappy.
Valgrind is smarter and doesn't complain.
A revision to the CLMUL code is coming anyway and this issue
will be cleaned up as part of it. It won't be backported to
5.6.x or 5.4.x because the old code isn't wrong. There is
no reason to risk introducing regressions in old branches
just to silence a false positive.
* liblzma:
- lzma_index_decoder() and lzma_index_buffer_decode(): Fix
a missing output pointer initialization (*i = NULL) if the
functions are called with invalid arguments. The API docs
say that such an initialization is always done. In practice
this matters very little because the problem can only occur
if the calling application has a bug and these functions
return LZMA_PROG_ERROR.
- lzma_str_to_filters(): Fix a missing output pointer
initialization (*error_pos = 0). This is very similar
to the fix above.
- Fix C standard conformance with function pointer types.
- Remove GNU indirect function (IFUNC) support. This is *NOT*
done for security reasons even though the backdoor relied on
this code. The performance benefits of IFUNC are too tiny in
this project to make the extra complexity worth it.
- FreeBSD on ARM64: Add error checking to CRC32 instruction
support detection.
- Fix building with NVIDIA HPC SDK.
* xz:
OBS-URL: https://build.opensuse.org/request/show/1177678
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=165
- revert the switch to tar_scm which dropped the signature
validation
- switch back to tarballs because the upstream tarballs are not
gone
- reinstanciate keyring from Lasse
- go back to the last release signed by Lasse (5.4.2)
- revert multibuild, drop service and rpmlintrc
- use real_ver for the Source, move everything else back to
%version like before the hectic XZ downgrade
- remove payload setting, we are using zstd now
- Switch to using tar_scm for fetching the sources as the upstream
tarballs on github are gone
- introduce _multibuild to allow building the translations outside
of Ring0 and everything else in Ring0
- add rpmlintrc to silence harmless warnings
OBS-URL: https://build.opensuse.org/request/show/1167536
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xz?expand=0&rev=90
- update to 5.6.0:
* This bumps the minor version of liblzma because new
features were added. The API and ABI are still backward
compatible with liblzma 5.4.x and 5.2.x and 5.0.x.
* liblzma:
- Disabled the branchless C variant in the LZMA
decoder based on the benchmark results from the community.
- Disabled x86-64 inline assembly on x32 to fix the
build.
* Sandboxing support in xz:
- Landlock is now used even when xz needs to create
files.
- Landlock and pledge(2) are now stricter when
reading from more than one input file and only writing to
standard output.
- Added support for Landlock ABI version 4.
- Now builds lzmainfo and lzmadec.
- xzdiff, xzgrep, xzless, xzmore, and their symlinks
are now installed. The scripts are also tested during "make
test".
- Added translation support for xz, lzmainfo, and the
man pages.
- Minimum required CMake version is now 3.14.
* liblzma:
- LZMA decoder: Speed optimizations to the C code and
added GCC & Clang compatible inline assembly for
x86-64.
- Added lzma_mt_block_size() to recommend a Block
size for multithreaded encoding.
- Added CLMUL-based CRC32 on x86-64 and E2K with
OBS-URL: https://build.opensuse.org/request/show/1155110
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xz?expand=0&rev=85
* This bumps the minor version of liblzma because new
features were added. The API and ABI are still backward
compatible with liblzma 5.4.x and 5.2.x and 5.0.x.
* liblzma:
- Disabled the branchless C variant in the LZMA
decoder based on the benchmark results from the community.
- Disabled x86-64 inline assembly on x32 to fix the
build.
* Sandboxing support in xz:
- Landlock is now used even when xz needs to create
files.
- Landlock and pledge(2) are now stricter when
reading from more than one input file and only writing to
standard output.
- Added support for Landlock ABI version 4.
- Now builds lzmainfo and lzmadec.
- xzdiff, xzgrep, xzless, xzmore, and their symlinks
are now installed. The scripts are also tested during "make
test".
- Added translation support for xz, lzmainfo, and the
man pages.
- Minimum required CMake version is now 3.14.
* liblzma:
- LZMA decoder: Speed optimizations to the C code and
added GCC & Clang compatible inline assembly for
x86-64.
- Added lzma_mt_block_size() to recommend a Block
size for multithreaded encoding.
- Added CLMUL-based CRC32 on x86-64 and E2K with
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=145
* Fixed a bug involving internal function pointers in liblzma
not being initialized to NULL. The bug can only be
triggered if lzma_filters_update() is called on a LZMA1
encoder, so it does not affect xz or any application known
to us that uses liblzma.
* Fixed a regression introduced in 5.4.2 that caused
encoding in the raw format to unnecessarily fail if --suffix
was not used. For instance, the following command no longer
reports that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
* Fixed an issue on MinGW-w64 builds that prevented
reading from or writing to non-terminal character devices
like NUL.
* Added a new test.
- Build XZ with full RELRO.
- Put libraries back in %{_libdir}, /usr merge project.
- Fix build in armv5el doesnt like profiling
* Polish translation was added.
* Support for "xz --list" was added
- remove static libraries, see bnc#509945 for details
- added baselibs.conf (for rpm-32bit)
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=142
- Update to version 5.4.5:
* liblzma:
- Fixed an assertion failure that could be triggered by a large
unpadded_size argument. It was verified that there was no
other bug than the assertion failure.
- Fixed a bug that prevented building with Windows Vista
threading when __attribute__((__constructor__)) is not
supported.
* xz now properly handles special files such as "con" or "nul" on
Windows. Before this fix, the following wrote "foo" to the
console and deleted the input file "con_xz":
echo foo | xz > con_xz
xz --suffix=_xz --decompress con_xz
* Small fixes and improvements to the tests.
* Updated translations: Chinese (simplified) and Esperanto.
OBS-URL: https://build.opensuse.org/request/show/1124051
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=140
- Update to version 5.4.2:
* All fixes from 5.2.11 that were not included in 5.4.1.
* If xz is built with support for the Capsicum sandbox but running
in an environment that doesn't support Capsicum, xz now runs
normally without sandboxing instead of exiting with an error.
* liblzma:
- Documentation was updated to improve the style, consistency,
and completeness of the liblzma API headers.
- The Doxygen-generated HTML documentation for the liblzma API
header files is now included in the source release and is
installed as part of "make install". All JavaScript is
removed to simplify license compliance and to reduce the
install size.
- Fixed a minor bug in lzma_str_from_filters() that produced
too many filters in the output string instead of reporting
an error if the input array had more than four filters. This
bug did not affect xz.
* Build systems:
- autogen.sh now invokes the doxygen tool via the new wrapper
script doxygen/update-doxygen, unless the command line option
--no-doxygen is used.
- Added microlzma_encoder.c and microlzma_decoder.c to the
VS project files for Windows and to the CMake build. These
should have been included in 5.3.2alpha.
* Tests:
- Added a test to the CMake build that was forgotten in the
previous release.
- Added and refactored a few tests.
* Translations:
- Updated the Brazilian Portuguese translation.
OBS-URL: https://build.opensuse.org/request/show/1073266
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=129
- update to 5.4.1:
* liblzma:
- Fixed the return value of lzma_microlzma_encoder() if the
LZMA options lc/lp/pb are invalid. Invalid lc/lp/pb options
made the function return LZMA_STREAM_END without encoding
anything instead of returning LZMA_OPTIONS_ERROR.
* Tests:
- Fixed test script compatibility with ancient /bin/sh
versions. Now the five test_compress_* tests should
no longer fail on Solaris 10.
- Added and refactored a few tests.
* Translations:
- Updated the Catalan and Esperanto translations.
- Added Korean and Ukrainian man page translations.
OBS-URL: https://build.opensuse.org/request/show/1060588
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=125
