Accepting request 1177928 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1177928
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xz?expand=0&rev=91

xz-5.4.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:87947679abcf77cc509d8d1b474218fd16b72281e2797360e909deaee1ac9d05
-size 2799022

xz.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu May 30 06:08:18 UTC 2024 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 5.6.2:
+  * Remove the backdoor (CVE-2024-3094).
+  * Not changed: Memory sanitizer (MSAN) has a false positive
+    in the CRC CLMUL code which also makes OSS Fuzz unhappy.
+    Valgrind is smarter and doesn't complain.
+    A revision to the CLMUL code is coming anyway and this issue
+    will be cleaned up as part of it. It won't be backported to
+    5.6.x or 5.4.x because the old code isn't wrong. There is
+    no reason to risk introducing regressions in old branches
+    just to silence a false positive.
+  * liblzma:
+    - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
+      a missing output pointer initialization (*i = NULL) if the
+      functions are called with invalid arguments. The API docs
+      say that such an initialization is always done. In practice
+      this matters very little because the problem can only occur
+      if the calling application has a bug and these functions
+      return LZMA_PROG_ERROR.
+    - lzma_str_to_filters(): Fix a missing output pointer
+      initialization (*error_pos = 0). This is very similar
+      to the fix above.
+    - Fix C standard conformance with function pointer types.
+    - Remove GNU indirect function (IFUNC) support. This is *NOT*
+      done for security reasons even though the backdoor relied on
+      this code. The performance benefits of IFUNC are too tiny in
+      this project to make the extra complexity worth it.
+    - FreeBSD on ARM64: Add error checking to CRC32 instruction
+      support detection.
+    - Fix building with NVIDIA HPC SDK.
+  * xz:
+    - Fix a C standard conformance issue in --block-list parsing
+      (arithmetic on a null pointer).
+     - Fix a warning from GNU groff when processing the man page:
+      "warning: cannot select font 'CW'"
+  * xzdec: Add support for Linux Landlock ABI version 4. xz already
+    had the v3-to-v4 change but it had been forgotten from xzdec.
+
 -------------------------------------------------------------------
 Fri Apr 12 16:22:12 UTC 2024 - Dirk Müller <dmueller@suse.com>
 

xz.spec

@@ -23,17 +23,15 @@
 %bcond_with static
 %endif
 
-%global real_ver 5.4.2
-
 Name:           xz
-Version:        5.6.1.revertto5.4
+Version:        5.6.2
 Release:        0
 Summary:        A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
 License:        0BSD AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later
 Group:          Productivity/Archiving/Compression
 URL:            https://tukaani.org/xz/
-Source0:        https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz
+Source0:        https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz
-Source1:        https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz.sig
+Source1:        https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz.sig
 Source2:        baselibs.conf
 Source3:        https://tukaani.org/misc/lasse_collin_pubkey.txt#/xz.keyring
 Source4:        xznew
@@ -93,7 +91,7 @@ Static library for the LZMA library
 %endif
 
 %prep
-%autosetup -n xz-%{real_ver}
+%autosetup -p1
 
 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects