From 104f8dece2a96238b6a5794c046232319cbd3cfbd4d404af15fa39d524241ee1 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Tue, 16 Aug 2022 06:45:42 +0000 Subject: [PATCH] Accepting request 994818 from home:dirkmueller:Factory - update to 5.2.6 (CVE-2022-1271, bsc#1198062): * xz: - The --keep option now accepts symlinks, hardlinks, and setuid, setgid, and sticky files. - When copying metadata from the source file to the destination file, don't try to set the group (GID) if it is already set correctly. This avoids a failure on OpenBSD (and possibly on a few other OSes) where files may get created so that their group doesn't belong to the user, and fchown(2) can fail even if it needs to do nothing. - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on MIPS32 because on MIPS32 userspace processes are limited to 2 GiB of address space. * liblzma: - Fixed a missing error-check in the threaded encoder. If a small memory allocation fails, a .xz file with an invalid Index field would be created. Decompressing such a file would produce the correct output but result in an error at the end. Thus this is a "mild" data corruption bug. Note that while a failed memory allocation can trigger the bug, it cannot cause invalid memory access. - The decoder for .lzma files now supports files that have uncompressed size stored in the header and still use the end of payload marker (end of stream marker) at the end of the LZMA stream. Such files are rare but, according to the documentation in LZMA SDK, they are valid. doc/lzma-file-format.txt was updated too. - Improved 32-bit x86 assembly files: * Support Intel Control-flow Enforcement Technology (CET) * Use non-executable stack on FreeBSD. 
OBS-URL: https://build.opensuse.org/request/show/994818 OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=111 --- xz-5.2.5.tar.gz | 3 -- xz-5.2.5.tar.gz.sig | Bin 566 -> 0 bytes xz-5.2.6.tar.gz | 3 ++ xz-5.2.6.tar.gz.sig | Bin 0 -> 566 bytes xz.changes | 68 ++++++++++++++++++++++++++++++++++++++++++++ xz.spec | 20 ++++++++++++- 6 files changed, 90 insertions(+), 4 deletions(-) delete mode 100644 xz-5.2.5.tar.gz delete mode 100644 xz-5.2.5.tar.gz.sig create mode 100644 xz-5.2.6.tar.gz create mode 100644 xz-5.2.6.tar.gz.sig diff --git a/xz-5.2.5.tar.gz b/xz-5.2.5.tar.gz deleted file mode 100644 index f23bea4..0000000 --- a/xz-5.2.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f6f4910fd033078738bd82bfba4f49219d03b17eb0794eb91efbae419f4aba10 -size 1791345 diff --git a/xz-5.2.5.tar.gz.sig b/xz-5.2.5.tar.gz.sig deleted file mode 100644 index 734fe10f30e60a94a21ae9608ba312a39b596ff68f0ace6f201f97937b689b6f..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SW*e79j*SkitODQM6|bFs&Ro?sa`>7)Brk0$y>IN)NvG%!KZy#Utrk!T(OE<1{ z1#Zc)a&3}M0u%Nuky{G*iNddKOKkQ*BVObJm+>1C`uI|*puy>IHqI+4m%)WovH?Ia z2g^###~5P&=Qx5{KtC$4lNIjzLZwr0gxyE_9Px%&OS%>>hopA87l`PyK@V?6oP~Cx ze=)2_edQT-n5b9+HUKHY1?azc&_YY#uH8T1r0`QE4I(Z++15&njGf2@wY;tOma+}G zS~4`00@*Ua9%cJgz=H! zVjgnQ>iChrEe(K5zio-;F8vcFi7#62&Zt^6>nm&UKsH!X5m0E4KQijpe3~%A`VR*g zOMeH@AG1XtB*-g9jt-Cdz0`2UZO*q*mp9t-XD7)Brk0%G=Y%K!=q5IF92 zeQ6j*AS+f6|4s~r*bIUUaQd1A$ho@D6D@G$$^*3g!=s>wLZz-+ANyJ#=GW}YT!0-% z@d!=*gIX*!J1^DR)pS_JZO*OnU4=IFqYEhhan`Gab6I>$<3|%%dOI@^grNvL*4d9| z@zI5ksnu4+hq27WSnqrxmX}cN2gaTLIm$b~%E0Q@)IOm*2vG(iaY0mdbNOI|bq|9b z!Sy(0cwQ$@-$U_ucR8WVtvWZC2400*z8Q95zRW2bQ|}+z{j+Bo3gHP~Z5FzhdloU{ zrc*{RM8%3dWK%PS;x+s!7IwnVbcN!dJaEL(hs@TCvkoHc%S6qT5-K)c+M)erh2~Z?<29VYz^5b*VMbRB855D(0XXv-BJ1Ko&BT` z^|erM+=SF7MN+koD{A_cq}A6HlrR2}S)f2YWRK EmW&V!1poj5 literal 0 HcmV?d00001 
diff --git a/xz.changes b/xz.changes
index ba597d8..a02e51d 100644
--- a/xz.changes
+++ b/xz.changes
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Fri Aug 12 20:50:23 UTC 2022 - Dirk Müller
+
+- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
+ * xz:
+ - The --keep option now accepts symlinks, hardlinks, and
+ setuid, setgid, and sticky files.
+ - When copying metadata from the source file to the destination
+ file, don't try to set the group (GID) if it is already set
+ correctly. This avoids a failure on OpenBSD (and possibly on
+ a few other OSes) where files may get created so that their
+ group doesn't belong to the user, and fchown(2) can fail even
+ if it needs to do nothing.
+ - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
+ MIPS32 because on MIPS32 userspace processes are limited
+ to 2 GiB of address space.
+ * liblzma:
+ - Fixed a missing error-check in the threaded encoder. If a
+ small memory allocation fails, a .xz file with an invalid
+ Index field would be created. Decompressing such a file would
+ produce the correct output but result in an error at the end.
+ Thus this is a "mild" data corruption bug. Note that while
+ a failed memory allocation can trigger the bug, it cannot
+ cause invalid memory access.
+ - The decoder for .lzma files now supports files that have
+ uncompressed size stored in the header and still use the
+ end of payload marker (end of stream marker) at the end
+ of the LZMA stream. Such files are rare but, according to
+ the documentation in LZMA SDK, they are valid.
+ doc/lzma-file-format.txt was updated too.
+ - Improved 32-bit x86 assembly files:
+ * Support Intel Control-flow Enforcement Technology (CET)
+ * Use non-executable stack on FreeBSD.
+ * xzgrep:
+ - Fixed arbitrary command injection via a malicious filename
+ (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for
+ this was released to the public on 2022-04-07. A slight
+ robustness improvement has been made since then and, if
+ using GNU or *BSD grep, a new faster method is now used
+ that doesn't use the old sed-based construct at all. This
+ also fixes bad output with GNU grep >= 3.5 (2020-09-27)
+ when xzgrepping binary files.
+ - Fixed detection of corrupt .bz2 files.
+ - Improved error handling to fix exit status in some situations
+ and to fix handling of signals: in some situations a signal
+ didn't make xzgrep exit when it clearly should have. It's
+ possible that the signal handling still isn't quite perfect
+ but hopefully it's good enough.
+ - Documented exit statuses on the man page.
+ - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead
+ of the deprecated egrep and fgrep commands.
+ - Fixed parsing of the options -E, -F, -G, -P, and -X. The
+ problem occurred when multiple options were specied in
+ a single argument, for example,
+ echo foo | xzgrep -Fe foo
+ treated foo as a filename because -Fe wasn't correctly
+ split into -F -e.
+ - Added zstd support.
+ * xzdiff/xzcmp:
+ - Fixed wrong exit status. Exit status could be 2 when the
+ correct value is 1.
+ - Documented on the man page that exit status of 2 is used
+ for decompression errors.
+ - Added zstd support.
+ * xzless:
+ - Fix less(1) version detection. It failed if the version number
+ from "less -V" contained a dot.
+
 -------------------------------------------------------------------
 Tue Apr 12 15:35:19 UTC 2022 - Marcus Meissner
diff --git a/xz.spec b/xz.spec
index 517afc1..1e47362 100644
--- a/xz.spec
+++ b/xz.spec
@@ -19,7 +19,7 @@
 # avoid bootstrapping problem
 %define _binary_payload w9.bzdio
 Name: xz
-Version: 5.2.5
+Version: 5.2.6
 Release: 0
 Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
 License: GPL-2.0-or-later AND LGPL-2.1-or-later AND SUSE-Public-Domain
@@ -172,6 +172,24 @@ rm -vf %{buildroot}%{_docdir}/%{name}/{COPYING,COPYING.GPLv2}
 %{_mandir}/man1/xzless.1%{ext_man}
 %{_mandir}/man1/xzmore.1%{ext_man}
 %{_mandir}/man1/xznew.1%{ext_man}
+%dir %{_mandir}/fr_FR
+%dir %{_mandir}/fr_FR/man1
+%{_mandir}/fr_FR/man1/lzcat.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzcmp.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzdiff.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzless.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzma.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzmadec.1%{ext_man}
+%{_mandir}/fr_FR/man1/lzmore.1%{ext_man}
+%{_mandir}/fr_FR/man1/unlzma.1%{ext_man}
+%{_mandir}/fr_FR/man1/unxz.1%{ext_man}
+%{_mandir}/fr_FR/man1/xz.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzcat.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzcmp.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzdec.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzdiff.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzless.1%{ext_man}
+%{_mandir}/fr_FR/man1/xzmore.1%{ext_man}
 %if 0%{!?lang_package:1}
 %{_datadir}/locale/*/LC_MESSAGES/xz.mo
 %endif
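Review bot: The sixteen new `%{_mandir}/fr_FR/man1/...` entries are listed unconditionally and without a `%lang` tag, while the translated `xz.mo` catalogs three lines below are guarded by `%if 0%{!?lang_package:1}`; translated man pages are normally tagged so that `%_install_langs` filtering and any lang subpackage treat them like the other translations, e.g. `%lang(fr) %{_mandir}/fr_FR/man1/xz.1%{ext_man}` for each page (the two `%dir` lines can stay untagged). Whether this spec defines a `-lang` subpackage is not visible in the hunk; if it does, these pages probably belong in its `%files` list rather than the main package. The enclosing `%files` section starts before the hunk.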