Accepting request 995864 from Base:System

OBS-URL: https://build.opensuse.org/request/show/995864
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xz?expand=0&rev=69

xz-5.2.5.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f6f4910fd033078738bd82bfba4f49219d03b17eb0794eb91efbae419f4aba10
-size 1791345

xz-5.2.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2105abee17bcd2ebd15ced31b4f5eda6e17efd6b10f921a01cda4a44c91b3a0
+size 2069602

xz.changes

@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Fri Aug 12 20:50:23 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
+  * xz:
+    - The --keep option now accepts symlinks, hardlinks, and
+      setuid, setgid, and sticky files.
+    - When copying metadata from the source file to the destination
+      file, don't try to set the group (GID) if it is already set
+      correctly. This avoids a failure on OpenBSD (and possibly on
+      a few other OSes) where files may get created so that their
+      group doesn't belong to the user, and fchown(2) can fail even
+      if it needs to do nothing.
+    - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
+      MIPS32 because on MIPS32 userspace processes are limited
+      to 2 GiB of address space.
+  * liblzma:
+    - Fixed a missing error-check in the threaded encoder. If a
+      small memory allocation fails, a .xz file with an invalid
+      Index field would be created. Decompressing such a file would
+      produce the correct output but result in an error at the end.
+      Thus this is a "mild" data corruption bug. Note that while
+      a failed memory allocation can trigger the bug, it cannot
+      cause invalid memory access.
+    - The decoder for .lzma files now supports files that have
+      uncompressed size stored in the header and still use the
+      end of payload marker (end of stream marker) at the end
+      of the LZMA stream. Such files are rare but, according to
+      the documentation in LZMA SDK, they are valid.
+      doc/lzma-file-format.txt was updated too.
+    - Improved 32-bit x86 assembly files:
+        * Support Intel Control-flow Enforcement Technology (CET)
+        * Use non-executable stack on FreeBSD.
+  * xzgrep:
+    - Fixed arbitrary command injection via a malicious filename
+      (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for
+      this was released to the public on 2022-04-07. A slight
+      robustness improvement has been made since then and, if
+      using GNU or *BSD grep, a new faster method is now used
+      that doesn't use the old sed-based construct at all. This
+      also fixes bad output with GNU grep >= 3.5 (2020-09-27)
+      when xzgrepping binary files.
+    - Fixed detection of corrupt .bz2 files.
+    - Improved error handling to fix exit status in some situations
+      and to fix handling of signals: in some situations a signal
+      didn't make xzgrep exit when it clearly should have. It's
+      possible that the signal handling still isn't quite perfect
+      but hopefully it's good enough.
+    - Documented exit statuses on the man page.
+    - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead
+      of the deprecated egrep and fgrep commands.
+    - Fixed parsing of the options -E, -F, -G, -P, and -X. The
+      problem occurred when multiple options were specied in
+      a single argument, for example,
+          echo foo | xzgrep -Fe foo
+      treated foo as a filename because -Fe wasn't correctly
+      split into -F -e.
+    - Added zstd support.
+  * xzdiff/xzcmp:
+    - Fixed wrong exit status. Exit status could be 2 when the
+      correct value is 1.
+    - Documented on the man page that exit status of 2 is used
+      for decompression errors.
+    - Added zstd support.
+  * xzless:
+    - Fix less(1) version detection. It failed if the version number
+      from "less -V" contained a dot.
+
 -------------------------------------------------------------------
 Tue Apr 12 15:35:19 UTC 2022 - Marcus Meissner <meissner@suse.com>
 

xz.spec

@@ -19,7 +19,7 @@
 # avoid bootstrapping problem
 %define _binary_payload w9.bzdio
 Name:           xz
-Version:        5.2.5
+Version:        5.2.6
 Release:        0
 Summary:        A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND SUSE-Public-Domain
@@ -172,6 +172,24 @@ rm -vf %{buildroot}%{_docdir}/%{name}/{COPYING,COPYING.GPLv2}
 %{_mandir}/man1/xzless.1%{ext_man}
 %{_mandir}/man1/xzmore.1%{ext_man}
 %{_mandir}/man1/xznew.1%{ext_man}
+%dir %{_mandir}/fr_FR
+%dir %{_mandir}/fr_FR/man1
+%{_mandir}/fr_FR/man1/lzcat.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzcmp.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzdiff.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzless.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzma.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzmadec.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzmore.1%{ext_man}
+%{_mandir}/fr_FR/man1/unlzma.1%{ext_man}
+%{_mandir}/fr_FR/man1/unxz.1%{ext_man}
+%{_mandir}/fr_FR/man1/xz.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzcat.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzcmp.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzdec.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzdiff.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzless.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzmore.1%{ext_man}
 %if 0%{!?lang_package:1}
 %{_datadir}/locale/*/LC_MESSAGES/xz.mo
 %endif