Accepting request 1177678 from home:polslinux:branches:Base:System

- Update to 5.6.2: * Remove the backdoor (CVE-2024-3094). * Not changed: Memory sanitizer (MSAN) has a false positive in the CRC CLMUL code which also makes OSS Fuzz unhappy. Valgrind is smarter and doesn't complain. A revision to the CLMUL code is coming anyway and this issue will be cleaned up as part of it. It won't be backported to 5.6.x or 5.4.x because the old code isn't wrong. There is no reason to risk introducing regressions in old branches just to silence a false positive. * liblzma: - lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR. - lzma_str_to_filters(): Fix a missing output pointer initialization (*error_pos = 0). This is very similar to the fix above. - Fix C standard conformance with function pointer types. - Remove GNU indirect function (IFUNC) support. This is *NOT* done for security reasons even though the backdoor relied on this code. The performance benefits of IFUNC are too tiny in this project to make the extra complexity worth it. - FreeBSD on ARM64: Add error checking to CRC32 instruction support detection. - Fix building with NVIDIA HPC SDK. * xz: OBS-URL: https://build.opensuse.org/request/show/1177678 OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=165
2024-05-31 12:27:32 +00:00 · 2024-05-31 12:27:32 +00:00 · 1afea8e106
commit 1afea8e106
parent 08a869d68c
6 changed files with 47 additions and 9 deletions
--- a/xz-5.4.2.tar.gz
+++ b/xz-5.4.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:87947679abcf77cc509d8d1b474218fd16b72281e2797360e909deaee1ac9d05
-size 2799022
--- a/xz-5.4.2.tar.gz.sig
+++ b/xz-5.4.2.tar.gz.sig
--- a/xz-5.6.2.tar.xz
+++ b/xz-5.6.2.tar.xz
--- a/xz-5.6.2.tar.xz.sig
+++ b/xz-5.6.2.tar.xz.sig
--- a/xz.changes
+++ b/xz.changes
@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu May 30 06:08:18 UTC 2024 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 5.6.2:
+  * Remove the backdoor (CVE-2024-3094).
+  * Not changed: Memory sanitizer (MSAN) has a false positive
+    in the CRC CLMUL code which also makes OSS Fuzz unhappy.
+    Valgrind is smarter and doesn't complain.
+    A revision to the CLMUL code is coming anyway and this issue
+    will be cleaned up as part of it. It won't be backported to
+    5.6.x or 5.4.x because the old code isn't wrong. There is
+    no reason to risk introducing regressions in old branches
+    just to silence a false positive.
+  * liblzma:
+    - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
+      a missing output pointer initialization (*i = NULL) if the
+      functions are called with invalid arguments. The API docs
+      say that such an initialization is always done. In practice
+      this matters very little because the problem can only occur
+      if the calling application has a bug and these functions
+      return LZMA_PROG_ERROR.
+    - lzma_str_to_filters(): Fix a missing output pointer
+      initialization (*error_pos = 0). This is very similar
+      to the fix above.
+    - Fix C standard conformance with function pointer types.
+    - Remove GNU indirect function (IFUNC) support. This is *NOT*
+      done for security reasons even though the backdoor relied on
+      this code. The performance benefits of IFUNC are too tiny in
+      this project to make the extra complexity worth it.
+    - FreeBSD on ARM64: Add error checking to CRC32 instruction
+      support detection.
+    - Fix building with NVIDIA HPC SDK.
+  * xz:
+    - Fix a C standard conformance issue in --block-list parsing
+      (arithmetic on a null pointer).
+     - Fix a warning from GNU groff when processing the man page:
+      "warning: cannot select font 'CW'"
+  * xzdec: Add support for Linux Landlock ABI version 4. xz already
+    had the v3-to-v4 change but it had been forgotten from xzdec.
+
 -------------------------------------------------------------------
 Fri Apr 12 16:22:12 UTC 2024 - Dirk Müller <dmueller@suse.com>

--- a/xz.spec
+++ b/xz.spec
@ -23,17 +23,15 @@
 %bcond_with static
 %endif

-%global real_ver 5.4.2
-
 Name:           xz
-Version:        5.6.1.revertto5.4
+Version:        5.6.2
 Release:        0
 Summary:        A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
 License:        0BSD AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later
 Group:          Productivity/Archiving/Compression
 URL:            https://tukaani.org/xz/
-Source0:        https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz
-Source1:        https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz.sig
+Source0:        https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz
+Source1:        https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz.sig
 Source2:        baselibs.conf
 Source3:        https://tukaani.org/misc/lasse_collin_pubkey.txt#/xz.keyring
 Source4:        xznew
@ -93,7 +91,7 @@ Static library for the LZMA library
 %endif

 %prep
-%autosetup -n xz-%{real_ver}
+%autosetup -p1

 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects