Accepting request 994818 from home:dirkmueller:Factory
- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
* xz:
- The --keep option now accepts symlinks, hardlinks, and
setuid, setgid, and sticky files.
- When copying metadata from the source file to the destination
file, don't try to set the group (GID) if it is already set
correctly. This avoids a failure on OpenBSD (and possibly on
a few other OSes) where files may get created so that their
group doesn't belong to the user, and fchown(2) can fail even
if it needs to do nothing.
- Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
MIPS32 because on MIPS32 userspace processes are limited
to 2 GiB of address space.
* liblzma:
- Fixed a missing error-check in the threaded encoder. If a
small memory allocation fails, a .xz file with an invalid
Index field would be created. Decompressing such a file would
produce the correct output but result in an error at the end.
Thus this is a "mild" data corruption bug. Note that while
a failed memory allocation can trigger the bug, it cannot
cause invalid memory access.
- The decoder for .lzma files now supports files that have
uncompressed size stored in the header and still use the
end of payload marker (end of stream marker) at the end
of the LZMA stream. Such files are rare but, according to
the documentation in LZMA SDK, they are valid.
doc/lzma-file-format.txt was updated too.
- Improved 32-bit x86 assembly files:
* Support Intel Control-flow Enforcement Technology (CET)
* Use non-executable stack on FreeBSD.
OBS-URL: https://build.opensuse.org/request/show/994818
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=111
This commit is contained in:
Git OBS Bridge
68
xz.changes
68
xz.changes
@@ -1,3 +1,71 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 12 20:50:23 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
|
||||
* xz:
|
||||
- The --keep option now accepts symlinks, hardlinks, and
|
||||
setuid, setgid, and sticky files.
|
||||
- When copying metadata from the source file to the destination
|
||||
file, don't try to set the group (GID) if it is already set
|
||||
correctly. This avoids a failure on OpenBSD (and possibly on
|
||||
a few other OSes) where files may get created so that their
|
||||
group doesn't belong to the user, and fchown(2) can fail even
|
||||
if it needs to do nothing.
|
||||
- Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
|
||||
MIPS32 because on MIPS32 userspace processes are limited
|
||||
to 2 GiB of address space.
|
||||
* liblzma:
|
||||
- Fixed a missing error-check in the threaded encoder. If a
|
||||
small memory allocation fails, a .xz file with an invalid
|
||||
Index field would be created. Decompressing such a file would
|
||||
produce the correct output but result in an error at the end.
|
||||
Thus this is a "mild" data corruption bug. Note that while
|
||||
a failed memory allocation can trigger the bug, it cannot
|
||||
cause invalid memory access.
|
||||
- The decoder for .lzma files now supports files that have
|
||||
uncompressed size stored in the header and still use the
|
||||
end of payload marker (end of stream marker) at the end
|
||||
of the LZMA stream. Such files are rare but, according to
|
||||
the documentation in LZMA SDK, they are valid.
|
||||
doc/lzma-file-format.txt was updated too.
|
||||
- Improved 32-bit x86 assembly files:
|
||||
* Support Intel Control-flow Enforcement Technology (CET)
|
||||
* Use non-executable stack on FreeBSD.
|
||||
* xzgrep:
|
||||
- Fixed arbitrary command injection via a malicious filename
|
||||
(CVE-2022-1271, ZDI-CAN-16587). A standalone patch for
|
||||
this was released to the public on 2022-04-07. A slight
|
||||
robustness improvement has been made since then and, if
|
||||
using GNU or *BSD grep, a new faster method is now used
|
||||
that doesn't use the old sed-based construct at all. This
|
||||
also fixes bad output with GNU grep >= 3.5 (2020-09-27)
|
||||
when xzgrepping binary files.
|
||||
- Fixed detection of corrupt .bz2 files.
|
||||
- Improved error handling to fix exit status in some situations
|
||||
and to fix handling of signals: in some situations a signal
|
||||
didn't make xzgrep exit when it clearly should have. It's
|
||||
possible that the signal handling still isn't quite perfect
|
||||
but hopefully it's good enough.
|
||||
- Documented exit statuses on the man page.
|
||||
- xzegrep and xzfgrep now use "grep -E" and "grep -F" instead
|
||||
of the deprecated egrep and fgrep commands.
|
||||
- Fixed parsing of the options -E, -F, -G, -P, and -X. The
|
||||
problem occurred when multiple options were specied in
|
||||
a single argument, for example,
|
||||
echo foo | xzgrep -Fe foo
|
||||
treated foo as a filename because -Fe wasn't correctly
|
||||
split into -F -e.
|
||||
- Added zstd support.
|
||||
* xzdiff/xzcmp:
|
||||
- Fixed wrong exit status. Exit status could be 2 when the
|
||||
correct value is 1.
|
||||
- Documented on the man page that exit status of 2 is used
|
||||
for decompression errors.
|
||||
- Added zstd support.
|
||||
* xzless:
|
||||
- Fix less(1) version detection. It failed if the version number
|
||||
from "less -V" contained a dot.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 12 15:35:19 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user