diff --git a/xz-5.2.5.tar.gz b/xz-5.2.5.tar.gz deleted file mode 100644 index f23bea4..0000000 --- a/xz-5.2.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f6f4910fd033078738bd82bfba4f49219d03b17eb0794eb91efbae419f4aba10 -size 1791345 diff --git a/xz-5.2.5.tar.gz.sig b/xz-5.2.5.tar.gz.sig deleted file mode 100644 index 734fe10..0000000 Binary files a/xz-5.2.5.tar.gz.sig and /dev/null differ diff --git a/xz-5.2.6.tar.gz b/xz-5.2.6.tar.gz new file mode 100644 index 0000000..75d2edc --- /dev/null +++ b/xz-5.2.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a2105abee17bcd2ebd15ced31b4f5eda6e17efd6b10f921a01cda4a44c91b3a0 +size 2069602 diff --git a/xz-5.2.6.tar.gz.sig b/xz-5.2.6.tar.gz.sig new file mode 100644 index 0000000..e0945d5 Binary files /dev/null and b/xz-5.2.6.tar.gz.sig differ diff --git a/xz.changes b/xz.changes index ba597d8..a02e51d 100644 --- a/xz.changes +++ b/xz.changes 
@@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Fri Aug 12 20:50:23 UTC 2022 - Dirk Müller + +- update to 5.2.6 (CVE-2022-1271, bsc#1198062): + * xz: + - The --keep option now accepts symlinks, hardlinks, and + setuid, setgid, and sticky files. + - When copying metadata from the source file to the destination + file, don't try to set the group (GID) if it is already set + correctly. This avoids a failure on OpenBSD (and possibly on + a few other OSes) where files may get created so that their + group doesn't belong to the user, and fchown(2) can fail even + if it needs to do nothing. + - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on + MIPS32 because on MIPS32 userspace processes are limited + to 2 GiB of address space. + * liblzma: + - Fixed a missing error-check in the threaded encoder. If a + small memory allocation fails, a .xz file with an invalid + Index field would be created. Decompressing such a file would + produce the correct output but result in an error at the end. + Thus this is a "mild" data corruption bug. Note that while + a failed memory allocation can trigger the bug, it cannot + cause invalid memory access. + - The decoder for .lzma files now supports files that have + uncompressed size stored in the header and still use the + end of payload marker (end of stream marker) at the end + of the LZMA stream. Such files are rare but, according to + the documentation in LZMA SDK, they are valid. + doc/lzma-file-format.txt was updated too. + - Improved 32-bit x86 assembly files: + * Support Intel Control-flow Enforcement Technology (CET) + * Use non-executable stack on FreeBSD. + * xzgrep: + - Fixed arbitrary command injection via a malicious filename + (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for + this was released to the public on 2022-04-07. 
A slight + robustness improvement has been made since then and, if + using GNU or *BSD grep, a new faster method is now used + that doesn't use the old sed-based construct at all. This + also fixes bad output with GNU grep >= 3.5 (2020-09-27) + when xzgrepping binary files. + - Fixed detection of corrupt .bz2 files. + - Improved error handling to fix exit status in some situations + and to fix handling of signals: in some situations a signal + didn't make xzgrep exit when it clearly should have. It's + possible that the signal handling still isn't quite perfect + but hopefully it's good enough. + - Documented exit statuses on the man page. + - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead + of the deprecated egrep and fgrep commands. + - Fixed parsing of the options -E, -F, -G, -P, and -X. The + problem occurred when multiple options were specied in + a single argument, for example, + echo foo | xzgrep -Fe foo + treated foo as a filename because -Fe wasn't correctly + split into -F -e. + - Added zstd support. + * xzdiff/xzcmp: + - Fixed wrong exit status. Exit status could be 2 when the + correct value is 1. + - Documented on the man page that exit status of 2 is used + for decompression errors. + - Added zstd support. + * xzless: + - Fix less(1) version detection. It failed if the version number + from "less -V" contained a dot. + ------------------------------------------------------------------- Tue Apr 12 15:35:19 UTC 2022 - Marcus Meissner diff --git a/xz.spec b/xz.spec index 517afc1..1e47362 100644 --- a/xz.spec +++ b/xz.spec @@ -19,7 +19,7 @@ # avoid bootstrapping problem %define _binary_payload w9.bzdio Name: xz -Version: 5.2.5 +Version: 5.2.6 Release: 0 Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm License: GPL-2.0-or-later AND LGPL-2.1-or-later AND SUSE-Public-Domain 
@@ -172,6 +172,24 @@ rm -vf %{buildroot}%{_docdir}/%{name}/{COPYING,COPYING.GPLv2} %{_mandir}/man1/xzless.1%{ext_man} %{_mandir}/man1/xzmore.1%{ext_man} %{_mandir}/man1/xznew.1%{ext_man} +%dir %{_mandir}/fr_FR +%dir %{_mandir}/fr_FR/man1 +%{_mandir}/fr_FR/man1/lzcat.1%{ext_man} +%{_mandir}/fr_FR/man1/lzcmp.1%{ext_man} +%{_mandir}/fr_FR/man1/lzdiff.1%{ext_man} +%{_mandir}/fr_FR/man1/lzless.1%{ext_man} +%{_mandir}/fr_FR/man1/lzma.1%{ext_man} +%{_mandir}/fr_FR/man1/lzmadec.1%{ext_man} +%{_mandir}/fr_FR/man1/lzmore.1%{ext_man} +%{_mandir}/fr_FR/man1/unlzma.1%{ext_man} +%{_mandir}/fr_FR/man1/unxz.1%{ext_man} +%{_mandir}/fr_FR/man1/xz.1%{ext_man} +%{_mandir}/fr_FR/man1/xzcat.1%{ext_man} +%{_mandir}/fr_FR/man1/xzcmp.1%{ext_man} +%{_mandir}/fr_FR/man1/xzdec.1%{ext_man} +%{_mandir}/fr_FR/man1/xzdiff.1%{ext_man} +%{_mandir}/fr_FR/man1/xzless.1%{ext_man} +%{_mandir}/fr_FR/man1/xzmore.1%{ext_man} %if 0%{!?lang_package:1} %{_datadir}/locale/*/LC_MESSAGES/xz.mo %endif
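Review bot: In the xz-5.2.6.tar.gz and xz-5.2.6.tar.gz.sig hunks, the tarball is present only as a Git LFS pointer (an `oid sha256:` value and `size 2069602`) and the signature only as "Binary files ... differ", so nothing visible in this diff shows that the two belong together. Before accepting, fetch the LFS object, confirm its SHA-256 equals the oid in the pointer, and verify the detached .sig over that tarball with the upstream signing key the package already trusts. Record the result in the request so the check is auditable.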
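Review bot: The new xz.changes entry puts CVE-2022-1271 and bsc#1198062 in its header and states that a standalone xzgrep patch was public from 2022-04-07, but it lists no dropped patch, and neither xz.spec hunk in this diff removes a Patch or %patch line. If the preceding entry (Tue Apr 12 2022) shipped that fix as a patch file, it has to be dropped here, since 5.2.6 contains the fix and reworks the sed-based construct, and the entry should name the dropped file. If no patch was carried, say so in the entry so the CVE reference is unambiguous. Minor: "specied" in the xzgrep option-parsing item should read "specified".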
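Review bot: In the xz.spec %files hunk (@@ -172,6 +172,24 @@), the sixteen fr_FR man pages and their two %dir lines go into the main package without a language tag, while the message catalogs immediately below are guarded by `%if 0%{!?lang_package:1}`. Tag the new entries with `%lang(fr)` so translated man pages are treated like the other translations, and consider one glob such as `%lang(fr) %{_mandir}/fr_FR/man1/*.1%{ext_man}` in place of the per-file list, so that a later release adding another translated page does not leave an unpackaged file.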