From a9acbf8874d45ea142502e8fca45c6674873d74a1a24c110b7d74a2ffcfe5d4a Mon Sep 17 00:00:00 2001 
From: Marcus Meissner
Date: Wed, 5 Oct 2022 08:45:20 +0000
Subject: [PATCH] Accepting request 1007351 from home:CJ:branches:Base:System

- update to 5.2.7:
  * liblzma:
    - Add API doc note about the .xz decoder LZMA_MEMLIMIT_ERROR bug.
    - Add dest and src NULL checks to lzma_index_cat.
      The documentation states LZMA_PROG_ERROR can be returned from
      lzma_index_cat. Previously, lzma_index_cat could not return
      LZMA_PROG_ERROR. Now, the validation is similar to
      lzma_index_append, which does a NULL check on the index
      parameter.
    - Fix copying of check type statistics in lzma_index_cat().
      The check type of the last Stream in dest was never copied to
      dest->checks (the code tried to copy it but it was done too late).
      This meant that the value returned by lzma_index_checks() would
      only include the check type of the last Stream when multiple
      lzma_indexes had been concatenated.
      In xz --list this meant that the summary would only list the
      check type of the last Stream, so in this sense this was only
      a visual bug. However, it's possible that some applications
      use this information for purposes other than merely showing
      it to the users in an informational message. I'm not aware of
      such applications though and it's quite possible that such
      applications don't exist.
      Regular streamed decompression in xz or any other application
      doesn't use lzma_index_cat() and so this bug cannot affect them.
    - Stream decoder: Fix restarting after LZMA_MEMLIMIT_ERROR.
      If lzma_code() returns LZMA_MEMLIMIT_ERROR it is now possible
      to use lzma_memlimit_set() to increase the limit and continue
      decoding. This was supposed to work from the beginning but
      there was a bug. With other decoders (.lzma or threaded .xz)
      this already worked correctly.
    - lzma_filters_copy: Keep dest[] unmodified if an error occurs.
      lzma_stream_encoder() and lzma_stream_encoder_mt() always assumed
      this. Before this patch, failing lzma_filters_copy() could result
      in free(invalid_pointer) or invalid memory reads in stream_encoder.c
      or stream_encoder_mt.c.
      To trigger this, allocating memory for a filter options structure
      has to fail. These are tiny allocations so in practice they very
      rarely fail.
      Certain badness in the filter chain array could also make
      lzma_filters_copy() fail but both stream_encoder.c and
      stream_encoder_mt.c validate the filter chain before
      trying to copy it, so the crash cannot occur this way.
    - lzma_index_append: Add missing integer overflow check.
      The documentation in src/liblzma/api/lzma/index.h suggests that
      both the unpadded (compressed) size and the uncompressed size
      are checked for overflow, but only the unpadded size was checked.
      The uncompressed check is done first since that is more likely to
      occur than the unpadded or index field size overflows.
    - Vaccinate against an ill patch from RHEL/CentOS 7.

  * xzgrep:
    - Fix compatibility with old shells.
      Turns out that some old shells don't like apostrophes (') inside
      command substitutions. The problem was introduced by commits
      69d1b3fc29677af8ade8dc15dba83f0589cb63d6 (2022-03-29),
      bd7b290f3fe4faeceb7d3497ed9bf2e6ed5e7dc5 (2022-07-18), and
      a648978b20495b7aa4a8b029c5a810b5ad9d08ff (2022-07-19).
      5.2.6 is the only stable release that included
      this problem.

  * Translations: Add Turkish translation.

OBS-URL: https://build.opensuse.org/request/show/1007351
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=113
---
 xz-5.2.6.tar.gz | 3 --
 xz-5.2.6.tar.gz.sig | Bin 566 -> 0 bytes
 xz-5.2.7.tar.gz | 3 ++
 xz-5.2.7.tar.gz.sig | Bin 0 -> 566 bytes
 xz.changes | 65 ++++++++++++++++++++++++++++++++++++++++++++
 xz.spec | 2 +-
 6 files changed, 69 insertions(+), 4 deletions(-)
 delete mode 100644 xz-5.2.6.tar.gz
 delete mode 100644 xz-5.2.6.tar.gz.sig
 create mode 100644 xz-5.2.7.tar.gz
 create mode 100644 xz-5.2.7.tar.gz.sig
diff --git a/xz-5.2.6.tar.gz b/xz-5.2.6.tar.gz deleted file mode 100644 index 75d2edc..0000000 --- a/xz-5.2.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a2105abee17bcd2ebd15ced31b4f5eda6e17efd6b10f921a01cda4a44c91b3a0 -size 2069602 diff --git a/xz-5.2.6.tar.gz.sig b/xz-5.2.6.tar.gz.sig deleted file mode 100644 index e0945d54e7620ae3b39b6b150a19f75e418331e8bf331fe9cab4432a2cf77021..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SW*e79j*SkitODQM6|bFs&Ro?sa`>7)Brk0%G=Y%K!=q5IF92 zeQ6j*AS+f6|4s~r*bIUUaQd1A$ho@D6D@G$$^*3g!=s>wLZz-+ANyJ#=GW}YT!0-% z@d!=*gIX*!J1^DR)pS_JZO*OnU4=IFqYEhhan`Gab6I>$<3|%%dOI@^grNvL*4d9| z@zI5ksnu4+hq27WSnqrxmX}cN2gaTLIm$b~%E0Q@)IOm*2vG(iaY0mdbNOI|bq|9b z!Sy(0cwQ$@-$U_ucR8WVtvWZC2400*z8Q95zRW2bQ|}+z{j+Bo3gHP~Z5FzhdloU{ zrc*{RM8%3dWK%PS;x+s!7IwnVbcN!dJaEL(hs@TCvkoHc%S6qT5-K)c+M)erh2~Z?<29VYz^5b*VMbRB855D(0XXv-BJ1Ko&BT` z^|erM+=SF7MN+koD{A_cq}A6HlrR2}S)f2YWRK EmW&V!1poj5 diff --git a/xz-5.2.7.tar.gz b/xz-5.2.7.tar.gz new file mode 100644 index 0000000..b699809 --- /dev/null +++ b/xz-5.2.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:06327c2ddc81e126a6d9a78b0be5014b976a2c0832f492dcfc4755d7facf6d33 +size 2105803 
diff --git a/xz-5.2.7.tar.gz.sig b/xz-5.2.7.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..6605d7e5a2f40620da304361803f908ddc79532e1525369a5c3925e6a60fa46f GIT binary patch literal 566 zcmV-60?GY}0y6{v0SW*e79j*SkitODQM6|bFs&Ro?sa`>7)Brk0%JD?-T(>-5IF92 zeQ6j*ARV(0{yYG<^mGIq;OfN+<(Soq?fD%pt`}lo&ea2))6rs2`swqin%B#k)p#3S zsO^(rI5SRr1bKJhh*`YqOd-idq}xrGGEXEtAKgaFB-cK=W$?y)ygQb7WHoXSIi*WwWzX$Cg*^mRA<`x`S>fm=*CkhtiLw-K7r*ev zB}eRy9n;IL$GGW9y07LzJdA1xcMB+76K7zQclY=eE*jTK@)}L7cgL(Z&1L(%mo2au zVMIGBmj;S5)XKX|x$Iwu2&f?iMsR7Tfqxrbo8^ zbq=8PLzj*cb(3~l)Y<;P-&&^B-IdXWbH6@8#a9l5^P>ossl(eA7!-x|^d*SMe-+e? zH$=UucN>*;2@oC!q3ETzB-*5mDc!o+hqzc0^hMN9+hY6#9R zlviGMX&X3el6cc92dJdznzB4&%O&=Z{OhW~p$_nv|NFgCMjh$BfOD + +- update to 5.2.7: + * liblzma: + - Add API doc note about the .xz decoder LZMA_MEMLIMIT_ERROR bug. + - Add dest and src NULL checks to lzma_index_cat. + The documentation states LZMA_PROG_ERROR can be returned from + lzma_index_cat. Previously, lzma_index_cat could not return + LZMA_PROG_ERROR. Now, the validation is similar to + lzma_index_append, which does a NULL check on the index + parameter. + - Fix copying of check type statistics in lzma_index_cat(). + The check type of the last Stream in dest was never copied to + dest->checks (the code tried to copy it but it was done too late). + This meant that the value returned by lzma_index_checks() would + only include the check type of the last Stream when multiple + lzma_indexes had been concatenated. + In xz --list this meant that the summary would only list the + check type of the last Stream, so in this sense this was only + a visual bug. However, it's possible that some applications + use this information for purposes other than merely showing + it to the users in an informational message. I'm not aware of + such applications though and it's quite possible that such + applications don't exist. 
+ Regular streamed decompression in xz or any other application + doesn't use lzma_index_cat() and so this bug cannot affect them. + - Stream decoder: Fix restarting after LZMA_MEMLIMIT_ERROR. + If lzma_code() returns LZMA_MEMLIMIT_ERROR it is now possible + to use lzma_memlimit_set() to increase the limit and continue + decoding. This was supposed to work from the beginning but + there was a bug. With other decoders (.lzma or threaded .xz) + this already worked correctly. + - lzma_filters_copy: Keep dest[] unmodified if an error occurs. + lzma_stream_encoder() and lzma_stream_encoder_mt() always assumed + this. Before this patch, failing lzma_filters_copy() could result + in free(invalid_pointer) or invalid memory reads in stream_encoder.c + or stream_encoder_mt.c. + To trigger this, allocating memory for a filter options structure + has to fail. These are tiny allocations so in practice they very + rarely fail. + Certain badness in the filter chain array could also make + lzma_filters_copy() fail but both stream_encoder.c and + stream_encoder_mt.c validate the filter chain before + trying to copy it, so the crash cannot occur this way. + - lzma_index_append: Add missing integer overflow check. + The documentation in src/liblzma/api/lzma/index.h suggests that + both the unpadded (compressed) size and the uncompressed size + are checked for overflow, but only the unpadded size was checked. + The uncompressed check is done first since that is more likely to + occur than the unpadded or index field size overflows. + - Vaccinate against an ill patch from RHEL/CentOS 7. + + * xzgrep: + - Fix compatibility with old shells. + Turns out that some old shells don't like apostrophes (') inside + command substitutions. The problem was introduced by commits + 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 (2022-03-29), + bd7b290f3fe4faeceb7d3497ed9bf2e6ed5e7dc5 (2022-07-18), and + a648978b20495b7aa4a8b029c5a810b5ad9d08ff (2022-07-19). 
+ 5.2.6 is the only stable release that included + this problem. + + * Translations: Add Turkish translation. + ------------------------------------------------------------------- Fri Aug 12 20:50:23 UTC 2022 - Dirk Müller diff --git a/xz.spec b/xz.spec index 1e47362..84cb0df 100644 --- a/xz.spec +++ b/xz.spec @@ -19,7 +19,7 @@ # avoid bootstrapping problem %define _binary_payload w9.bzdio Name: xz -Version: 5.2.6 +Version: 5.2.7 Release: 0 Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm License: GPL-2.0-or-later AND LGPL-2.1-or-later AND SUSE-Public-Domain
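
Review bot: In the xz-5.2.7.tar.gz and xz-5.2.7.tar.gz.sig hunks, the tarball pointer (its `oid sha256:` value and `size 2105803`) and the detached signature are replaced together in the same request, so the fact that they match each other says nothing about where the source came from. Before accepting, verify the .sig against the upstream release key already trusted for this package and compare the sha256 in the LFS pointer with the checksum upstream publishes for 5.2.7; record the result in the request.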
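
Review bot: In the xz.changes entry, the lzma_index_cat() item carries upstream's first-person wording verbatim ("I'm not aware of such applications though and it's quite possible that such applications don't exist"), which in a package changelog reads as the packager's own assessment. Attribute the block to the upstream NEWS file or trim it to the factual part. The same entry lists two memory-safety fixes, the free(invalid_pointer) path after a failing lzma_filters_copy() and the missing uncompressed-size overflow check in lzma_index_append, with no bug or tracking reference; add one if it exists so the fixes can be found from the changelog.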
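
Review bot: The xz.spec hunk changes only `Version: 5.2.6` to `Version: 5.2.7`, and its context lines show nothing about how the sources are listed. Confirm, outside this hunk, that the tarball and signature entries are derived from %{version} rather than a hard-coded 5.2.6 name, so that the build actually consumes the new xz-5.2.7.tar.gz and xz-5.2.7.tar.gz.sig added by this patch.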