SHA256
3
0
forked from pool/xz

Accepting request 994818 from home:dirkmueller:Factory

- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
  * xz:
    - The --keep option now accepts symlinks, hardlinks, and
      setuid, setgid, and sticky files.
    - When copying metadata from the source file to the destination
      file, don't try to set the group (GID) if it is already set
      correctly. This avoids a failure on OpenBSD (and possibly on
      a few other OSes) where files may get created so that their
      group doesn't belong to the user, and fchown(2) can fail even
      if it needs to do nothing.
    - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
      MIPS32 because on MIPS32 userspace processes are limited
      to 2 GiB of address space.
  * liblzma:
    - Fixed a missing error-check in the threaded encoder. If a
      small memory allocation fails, a .xz file with an invalid
      Index field would be created. Decompressing such a file would
      produce the correct output but result in an error at the end.
      Thus this is a "mild" data corruption bug. Note that while
      a failed memory allocation can trigger the bug, it cannot
      cause invalid memory access.
    - The decoder for .lzma files now supports files that have
      uncompressed size stored in the header and still use the
      end of payload marker (end of stream marker) at the end
      of the LZMA stream. Such files are rare but, according to
      the documentation in LZMA SDK, they are valid.
      doc/lzma-file-format.txt was updated too.
    - Improved 32-bit x86 assembly files:
        * Support Intel Control-flow Enforcement Technology (CET)
        * Use non-executable stack on FreeBSD.

OBS-URL: https://build.opensuse.org/request/show/994818
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=111
This commit is contained in:
Dirk Mueller 2022-08-16 06:45:42 +00:00 committed by Git OBS Bridge
parent 76d7fa9560
commit 104f8dece2
6 changed files with 90 additions and 4 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f6f4910fd033078738bd82bfba4f49219d03b17eb0794eb91efbae419f4aba10
size 1791345

Binary file not shown.

3
xz-5.2.6.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a2105abee17bcd2ebd15ced31b4f5eda6e17efd6b10f921a01cda4a44c91b3a0
size 2069602

BIN
xz-5.2.6.tar.gz.sig Normal file

Binary file not shown.

View File

@ -1,3 +1,71 @@
-------------------------------------------------------------------
Fri Aug 12 20:50:23 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
* xz:
- The --keep option now accepts symlinks, hardlinks, and
setuid, setgid, and sticky files.
- When copying metadata from the source file to the destination
file, don't try to set the group (GID) if it is already set
correctly. This avoids a failure on OpenBSD (and possibly on
a few other OSes) where files may get created so that their
group doesn't belong to the user, and fchown(2) can fail even
if it needs to do nothing.
- Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
MIPS32 because on MIPS32 userspace processes are limited
to 2 GiB of address space.
* liblzma:
- Fixed a missing error-check in the threaded encoder. If a
small memory allocation fails, a .xz file with an invalid
Index field would be created. Decompressing such a file would
produce the correct output but result in an error at the end.
Thus this is a "mild" data corruption bug. Note that while
a failed memory allocation can trigger the bug, it cannot
cause invalid memory access.
- The decoder for .lzma files now supports files that have
uncompressed size stored in the header and still use the
end of payload marker (end of stream marker) at the end
of the LZMA stream. Such files are rare but, according to
the documentation in LZMA SDK, they are valid.
doc/lzma-file-format.txt was updated too.
- Improved 32-bit x86 assembly files:
* Support Intel Control-flow Enforcement Technology (CET)
* Use non-executable stack on FreeBSD.
* xzgrep:
- Fixed arbitrary command injection via a malicious filename
(CVE-2022-1271, ZDI-CAN-16587). A standalone patch for
this was released to the public on 2022-04-07. A slight
robustness improvement has been made since then and, if
using GNU or *BSD grep, a new faster method is now used
that doesn't use the old sed-based construct at all. This
also fixes bad output with GNU grep >= 3.5 (2020-09-27)
when xzgrepping binary files.
- Fixed detection of corrupt .bz2 files.
- Improved error handling to fix exit status in some situations
and to fix handling of signals: in some situations a signal
didn't make xzgrep exit when it clearly should have. It's
possible that the signal handling still isn't quite perfect
but hopefully it's good enough.
- Documented exit statuses on the man page.
- xzegrep and xzfgrep now use "grep -E" and "grep -F" instead
of the deprecated egrep and fgrep commands.
- Fixed parsing of the options -E, -F, -G, -P, and -X. The
problem occurred when multiple options were specied in
a single argument, for example,
echo foo | xzgrep -Fe foo
treated foo as a filename because -Fe wasn't correctly
split into -F -e.
- Added zstd support.
* xzdiff/xzcmp:
- Fixed wrong exit status. Exit status could be 2 when the
correct value is 1.
- Documented on the man page that exit status of 2 is used
for decompression errors.
- Added zstd support.
* xzless:
- Fix less(1) version detection. It failed if the version number
from "less -V" contained a dot.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 12 15:35:19 UTC 2022 - Marcus Meissner <meissner@suse.com> Tue Apr 12 15:35:19 UTC 2022 - Marcus Meissner <meissner@suse.com>

20
xz.spec
View File

@ -19,7 +19,7 @@
# avoid bootstrapping problem # avoid bootstrapping problem
%define _binary_payload w9.bzdio %define _binary_payload w9.bzdio
Name: xz Name: xz
Version: 5.2.5 Version: 5.2.6
Release: 0 Release: 0
Summary: A Program for Compressing Files with the LempelZivMarkov algorithm Summary: A Program for Compressing Files with the LempelZivMarkov algorithm
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND SUSE-Public-Domain License: GPL-2.0-or-later AND LGPL-2.1-or-later AND SUSE-Public-Domain
@ -172,6 +172,24 @@ rm -vf %{buildroot}%{_docdir}/%{name}/{COPYING,COPYING.GPLv2}
%{_mandir}/man1/xzless.1%{ext_man} %{_mandir}/man1/xzless.1%{ext_man}
%{_mandir}/man1/xzmore.1%{ext_man} %{_mandir}/man1/xzmore.1%{ext_man}
%{_mandir}/man1/xznew.1%{ext_man} %{_mandir}/man1/xznew.1%{ext_man}
%dir %{_mandir}/fr_FR
%dir %{_mandir}/fr_FR/man1
%{_mandir}/fr_FR/man1/lzcat.1%{ext_man}
%{_mandir}/fr_FR/man1/lzcmp.1%{ext_man}
%{_mandir}/fr_FR/man1/lzdiff.1%{ext_man}
%{_mandir}/fr_FR/man1/lzless.1%{ext_man}
%{_mandir}/fr_FR/man1/lzma.1%{ext_man}
%{_mandir}/fr_FR/man1/lzmadec.1%{ext_man}
%{_mandir}/fr_FR/man1/lzmore.1%{ext_man}
%{_mandir}/fr_FR/man1/unlzma.1%{ext_man}
%{_mandir}/fr_FR/man1/unxz.1%{ext_man}
%{_mandir}/fr_FR/man1/xz.1%{ext_man}
%{_mandir}/fr_FR/man1/xzcat.1%{ext_man}
%{_mandir}/fr_FR/man1/xzcmp.1%{ext_man}
%{_mandir}/fr_FR/man1/xzdec.1%{ext_man}
%{_mandir}/fr_FR/man1/xzdiff.1%{ext_man}
%{_mandir}/fr_FR/man1/xzless.1%{ext_man}
%{_mandir}/fr_FR/man1/xzmore.1%{ext_man}
%if 0%{!?lang_package:1} %if 0%{!?lang_package:1}
%{_datadir}/locale/*/LC_MESSAGES/xz.mo %{_datadir}/locale/*/LC_MESSAGES/xz.mo
%endif %endif