- update to 5.2.7:
* liblzma:
- Add API doc note about the .xz decoder LZMA_MEMLIMIT_ERROR bug.
- Add dest and src NULL checks to lzma_index_cat.
The documentation states LZMA_PROG_ERROR can be returned from
lzma_index_cat. Previously, lzma_index_cat could not return
LZMA_PROG_ERROR. Now, the validation is similar to
lzma_index_append, which does a NULL check on the index
parameter.
- Fix copying of check type statistics in lzma_index_cat().
The check type of the last Stream in dest was never copied to
dest->checks (the code tried to copy it but it was done too late).
This meant that the value returned by lzma_index_checks() would
only include the check type of the last Stream when multiple
lzma_indexes had been concatenated.
In xz --list this meant that the summary would only list the
check type of the last Stream, so in this sense this was only
a visual bug. However, it's possible that some applications
use this information for purposes other than merely showing
it to the users in an informational message. I'm not aware of
such applications though and it's quite possible that such
applications don't exist.
Regular streamed decompression in xz or any other application
doesn't use lzma_index_cat() and so this bug cannot affect them.
- Stream decoder: Fix restarting after LZMA_MEMLIMIT_ERROR.
If lzma_code() returns LZMA_MEMLIMIT_ERROR it is now possible
to use lzma_memlimit_set() to increase the limit and continue
decoding. This was supposed to work from the beginning but
there was a bug. With other decoders (.lzma or threaded .xz)
this already worked correctly.
- lzma_filters_copy: Keep dest[] unmodified if an error occurs.
lzma_stream_encoder() and lzma_stream_encoder_mt() always assumed
this. Before this patch, failing lzma_filters_copy() could result
in free(invalid_pointer) or invalid memory reads in stream_encoder.c
or stream_encoder_mt.c.
To trigger this, allocating memory for a filter options structure
has to fail. These are tiny allocations so in practice they very
rarely fail.
Certain badness in the filter chain array could also make
lzma_filters_copy() fail but both stream_encoder.c and
stream_encoder_mt.c validate the filter chain before
trying to copy it, so the crash cannot occur this way.
- lzma_index_append: Add missing integer overflow check.
The documentation in src/liblzma/api/lzma/index.h suggests that
both the unpadded (compressed) size and the uncompressed size
are checked for overflow, but only the unpadded size was checked.
The uncompressed check is done first since that is more likely to
occur than the unpadded or index field size overflows.
- Vaccinate against an ill patch from RHEL/CentOS 7.
* xzgrep:
- Fix compatibility with old shells.
Turns out that some old shells don't like apostrophes (') inside
command substitutions. The problem was introduced by commits
69d1b3fc29677af8ade8dc15dba83f0589cb63d6 (2022-03-29),
bd7b290f3fe4faeceb7d3497ed9bf2e6ed5e7dc5 (2022-07-18), and
a648978b20495b7aa4a8b029c5a810b5ad9d08ff (2022-07-19).
5.2.6 is the only stable release that included
this problem.
* Translations: Add Turkish translation.
OBS-URL: https://build.opensuse.org/request/show/1007351
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=113
- update to 5.2.6 (CVE-2022-1271, bsc#1198062):
* xz:
- The --keep option now accepts symlinks, hardlinks, and
setuid, setgid, and sticky files.
- When copying metadata from the source file to the destination
file, don't try to set the group (GID) if it is already set
correctly. This avoids a failure on OpenBSD (and possibly on
a few other OSes) where files may get created so that their
group doesn't belong to the user, and fchown(2) can fail even
if it needs to do nothing.
- Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
MIPS32 because on MIPS32 userspace processes are limited
to 2 GiB of address space.
* liblzma:
- Fixed a missing error-check in the threaded encoder. If a
small memory allocation fails, a .xz file with an invalid
Index field would be created. Decompressing such a file would
produce the correct output but result in an error at the end.
Thus this is a "mild" data corruption bug. Note that while
a failed memory allocation can trigger the bug, it cannot
cause invalid memory access.
- The decoder for .lzma files now supports files that have
uncompressed size stored in the header and still use the
end of payload marker (end of stream marker) at the end
of the LZMA stream. Such files are rare but, according to
the documentation in LZMA SDK, they are valid.
doc/lzma-file-format.txt was updated too.
- Improved 32-bit x86 assembly files:
* Support Intel Control-flow Enforcement Technology (CET)
* Use non-executable stack on FreeBSD.
OBS-URL: https://build.opensuse.org/request/show/994818
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=111
- Update to 5.2.5:
* liblzma:
- Fixed several C99/C11 conformance bugs. Now the code is clean
under gcc/clang -fsanitize=undefined. Some of these changes
might have a negative effect on performance with old GCC
versions or compilers other than GCC and Clang. The configure
option --enable-unsafe-type-punning can be used to (mostly)
restore the old behavior but it shouldn't normally be used.
- Improved API documentation of lzma_properties_decode().
- Added a very minor encoder speed optimization.
* xz:
- Fixed a crash in "xz -dcfv not_an_xz_file". All four options
were required to trigger it. The crash occurred in the
progress indicator code when xz was in passthru mode where
xz works like "cat".
- Fixed an integer overflow with 32-bit off_t. It could happen
when decompressing a file that has a long run of zero bytes
which xz would try to write as a sparse file. Since the build
system enables large file support by default, off_t is
normally 64-bit even on 32-bit systems.
- Fixes for --flush-timeout:
* Fix semi-busy-waiting.
* Avoid unneeded flushes when no new input has arrived
since the previous flush was completed.
- Added a special case for 32-bit xz: If --memlimit-compress is
used to specify a limit that exceeds 4020 MiB, the limit will
be set to 4020 MiB. The values "0" and "max" aren't affected
by this and neither is decompression. This hack can be
helpful when a 32-bit xz has access to 4 GiB address space
but the specified memlimit exceeds 4 GiB. This can happen
e.g. with some scripts.
- Capsicum sandbox is now enabled by default where available
(FreeBSD >= 10). The sandbox debug messages (xz -vv) were
removed since they seemed to be more annoying than useful.
OBS-URL: https://build.opensuse.org/request/show/786367
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=105
Hi Andreas,
thanks for catching the missed parts.
To be honest, I don't get the meaning of of the 2nd sentence of the
description in the man page, but I'm probably too simple minded for
a couple of GNU tools (code and description). ;)
Cheers,
Pete
- fix conversion: spell the missed parts correctly
- add xznew{,.1}, converted from bznew
OBS-URL: https://build.opensuse.org/request/show/343469
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=78
* http://lists.opensuse.org/opensuse-buildservice/2013-10/msg00079.html
- Add a signature and keyring file for source verification
* not enable in spec due bootstrapping issues
- Update to version 5.0.5
* lzmadec and liblzma's lzma_alone_decoder(): Support decompressing
.lzma files that have less common settings in the headers
(dictionary size other than 2^n or 2^n + 2^(n-1), or uncompressed
size greater than 256 GiB).
* xz:
- Fixes and improvements to error handling.
- Various fixes to the man page.
* xzless: Fixed to work with "less" versions 448 and later
* xzgrep: Made -h an alias for --no-filename.
- Disable profiling for aarch64 arch
- Update to version 5.0.4
* liblzma:
- Fix lzma_index_init(). It could crash if memory allocation
failed.
- Fix the possibility of an incorrect LZMA_BUF_ERROR when a BCJ
filter is used and the application only provides exactly as
much output space as is the uncompressed size of the file.
- Fix a bug in doc/examples_old/xz_pipe_decompress.c. It didn't
check if the last call to lzma_code() really returned
LZMA_STREAM_END, which made the program think that truncated
files are valid.
- New example programs in doc/examples (old programs are now in
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=59
- Update to version 5.0.5
* lzmadec and liblzma's lzma_alone_decoder(): Support decompressing
.lzma files that have less common settings in the headers
(dictionary size other than 2^n or 2^n + 2^(n-1), or uncompressed
size greater than 256 GiB).
* xz:
- Fixes and improvements to error handling.
- Various fixes to the man page.
* xzless: Fixed to work with "less" versions 448 and later
* xzgrep: Made -h an alias for --no-filename.
OBS-URL: https://build.opensuse.org/request/show/183430
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=54
- Update to version 5.0.4
* liblzma:
- Fix lzma_index_init(). It could crash if memory allocation
failed.
- Fix the possibility of an incorrect LZMA_BUF_ERROR when a BCJ
filter is used and the application only provides exactly as
much output space as is the uncompressed size of the file.
- Fix a bug in doc/examples_old/xz_pipe_decompress.c. It didn't
check if the last call to lzma_code() really returned
LZMA_STREAM_END, which made the program think that truncated
files are valid.
- New example programs in doc/examples (old programs are now in
doc/examples_old). These have more comments and more detailed
error handling.
* Fix "xz -lvv foo.xz". It could crash on some corrupted files.
* Fix output of "xz --robot -lv" and "xz --robot -lvv" which
incorrectly printed the filename also in the "foo (x/x)" format.
* Fix exit status of "xzdiff foo.xz bar.xz".
* Fix exit status of "xzgrep foo binary_file".
* Fix portability to EBCDIC systems.
* Fix a configure issue on AIX with the XL C compiler. See INSTALL
for details.
* Update French, German, Italian, and Polish translations
OBS-URL: https://build.opensuse.org/request/show/143030
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=50
* liblzma fixes:
- A memory leak was fixed.
- lzma_stream_buffer_encode() no longer creates an empty .xz
Block if encoding an empty buffer. Such an empty Block with
LZMA2 data would trigger a bug in 5.0.1 and older (see the
first bullet point in 5.0.2 notes). When releasing 5.0.2,
I thought that no encoder creates this kind of files but
I was wrong.
- Validate function arguments better in a few functions. Most
importantly, specifying an unsupported integrity check to
lzma_stream_buffer_encode() no longer creates a corrupt .xz
file. Probably no application tries to do that, so this
shouldn't be a big problem in practice.
- Document that lzma_block_buffer_encode(),
lzma_easy_buffer_encode(), lzma_stream_encoder(), and
lzma_stream_buffer_encode() may return LZMA_UNSUPPORTED_CHECK.
- The return values of the _memusage() functions are now
documented better.
* Fix command name detection in xzgrep. xzegrep and xzfgrep now
correctly use egrep and fgrep instead of grep.
* French translation was added.
OBS-URL: https://build.opensuse.org/package/show/Base:System/xz?expand=0&rev=26