Changelog for liblzma5-5.6.2-3.1.x86_64.rpm :

* Thu May 30 2024 Paolo Stivanin - Update to 5.6.2:
* Remove the backdoor (CVE-2024-3094).
* Not changed: Memory sanitizer (MSAN) has a false positive in the CRC CLMUL code which also makes OSS Fuzz unhappy. Valgrind is smarter and doesn't complain. A revision to the CLMUL code is coming anyway and this issue will be cleaned up as part of it. It won't be backported to 5.6.x or 5.4.x because the old code isn't wrong. There is no reason to risk introducing regressions in old branches just to silence a false positive.
* liblzma: - lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR. - lzma_str_to_filters(): Fix a missing output pointer initialization (*error_pos = 0). This is very similar to the fix above. - Fix C standard conformance with function pointer types. - Remove GNU indirect function (IFUNC) support. This is *NOT* done for security reasons even though the backdoor relied on this code. The performance benefits of IFUNC are too tiny in this project to make the extra complexity worth it. - FreeBSD on ARM64: Add error checking to CRC32 instruction support detection. - Fix building with NVIDIA HPC SDK.
* xz: - Fix a C standard conformance issue in --block-list parsing (arithmetic on a null pointer). - Fix a warning from GNU groff when processing the man page: "warning: cannot select font 'CW'"
* xzdec: Add support for Linux Landlock ABI version 4. xz already had the v3-to-v4 change but it had been forgotten from xzdec.
* Fri Apr 12 2024 Dirk Müller - revert the switch to tar_scm which dropped the signature validation - switch back to tarballs because the upstream tarballs are not gone - reinstantiate keyring from Lasse - go back to the last release signed by Lasse (5.4.2) - revert multibuild, drop service and rpmlintrc - use real_ver for the Source, move everything else back to %version like before the hectic XZ downgrade - remove payload setting, we are using zstd now
* Thu Apr 04 2024 Dan Čermák - Switch to using tar_scm for fetching the sources as the upstream tarballs on github are gone - introduce _multibuild to allow building the translations outside of Ring0 and everything else in Ring0 - add rpmlintrc to silence harmless warnings
* Thu Mar 28 2024 Dirk Müller - restore a bigger version number so that update works
* Mon Jan 29 2024 Danilo Spinella - Build static library on SLE
* Sun Jan 28 2024 Dirk Müller - update to 5.4.6:
* Fixed a bug involving internal function pointers in liblzma not being initialized to NULL. The bug can only be triggered if lzma_filters_update() is called on a LZMA1 encoder, so it does not affect xz or any application known to us that uses liblzma.
* Fixed a regression introduced in 5.4.2 that caused encoding in the raw format to unnecessarily fail if --suffix was not used. For instance, the following command no longer reports that --suffix must be used: echo foo | xz --format=raw --lzma2 | wc -c
* Fixed an issue on MinGW-w64 builds that prevented reading from or writing to non-terminal character devices like NUL.
* Added a new test.
* Tue Nov 07 2023 Andrea Manzini - Update to version 5.4.5:
* liblzma: - Fixed an assertion failure that could be triggered by a large unpadded_size argument. It was verified that there was no other bug than the assertion failure. - Fixed a bug that prevented building with Windows Vista threading when __attribute__((__constructor__)) is not supported.
* xz now properly handles special files such as "con" or "nul" on Windows. Before this fix, the following wrote "foo" to the console and deleted the input file "con_xz": echo foo | xz > con_xz xz --suffix=_xz --decompress con_xz
* Small fixes and improvements to the tests.
* Updated translations: Chinese (simplified) and Esperanto.
* Wed Aug 16 2023 Dominique Leuenberger - xznew: Remove bashism. - build: pass CONFIG_SHELL=/bin/sh to configure: the posix tools are setting the current SHELL as the shebang, which is overkill: any posix compliant shell, aka /bin/sh, is sufficient.
* Thu Aug 03 2023 Paolo Stivanin - Update to version 5.4.4:
* liblzma and xzdec can now build against WASI SDK when threading support is disabled. xz and tests don't build yet.
* documentation update
* translations update
* Fri May 05 2023 Andreas Stieger - Update to version 5.4.3:
* Build system fixes
* Translation updates: Croatian - update signing key
* Thu Apr 06 2023 Frederic Crozat - Update license tag, there is GPL-3.0-or-later code too.
* Mon Mar 20 2023 Martin Pluskal - Update to version 5.4.2:
* All fixes from 5.2.11 that were not included in 5.4.1.
* If xz is built with support for the Capsicum sandbox but running in an environment that doesn't support Capsicum, xz now runs normally without sandboxing instead of exiting with an error.
* liblzma: - Documentation was updated to improve the style, consistency, and completeness of the liblzma API headers. - The Doxygen-generated HTML documentation for the liblzma API header files is now included in the source release and is installed as part of "make install". All JavaScript is removed to simplify license compliance and to reduce the install size. - Fixed a minor bug in lzma_str_from_filters() that produced too many filters in the output string instead of reporting an error if the input array had more than four filters. This bug did not affect xz.
* Build systems: - autogen.sh now invokes the doxygen tool via the new wrapper script doxygen/update-doxygen, unless the command line option --no-doxygen is used. - Added microlzma_encoder.c and microlzma_decoder.c to the VS project files for Windows and to the CMake build. These should have been included in 5.3.2alpha.
* Tests: - Added a test to the CMake build that was forgotten in the previous release. - Added and refactored a few tests.
* Translations: - Updated the Brazilian Portuguese translation. - Added Brazilian Portuguese man page translation.
* Wed Mar 08 2023 Martin Pluskal - Build AVX2 enabled hwcaps library for x86_64-v3
* Sat Jan 21 2023 Dirk Müller - update to 5.4.1:
* liblzma: - Fixed the return value of lzma_microlzma_encoder() if the LZMA options lc/lp/pb are invalid. Invalid lc/lp/pb options made the function return LZMA_STREAM_END without encoding anything instead of returning LZMA_OPTIONS_ERROR.
* Tests: - Fixed test script compatibility with ancient /bin/sh versions. Now the five test_compress_* tests should no longer fail on Solaris 10. - Added and refactored a few tests.
* Translations: - Updated the Catalan and Esperanto translations. - Added Korean and Ukrainian man page translations.
* Fri Dec 30 2022 Dirk Müller - update to 5.4.0: This bumps the minor version of liblzma because new features were added. The API and ABI are still backward compatible with liblzma 5.2.x and 5.0.x. Summary of new features added in the 5.3.x development releases:
* liblzma: - Added threaded .xz decompressor lzma_stream_decoder_mt(). It can use multiple threads with .xz files that have multiple Blocks with size information in Block Headers. The threaded encoder in xz has always created such files. Single-threaded encoder cannot store the size information in Block Headers even if one used LZMA_FULL_FLUSH to create multiple Blocks, so this threaded decoder cannot use multiple threads with such files. If there are multiple Streams (concatenated .xz files), one Stream will be decompressed completely before starting the next Stream. - A new decoder flag LZMA_FAIL_FAST was added. It makes the threaded decompressor report errors soon instead of first flushing all pending data before the error location. - New Filter IDs:
* LZMA_FILTER_ARM64 is for ARM64 binaries.
* LZMA_FILTER_LZMA1EXT is for raw LZMA1 streams that don't necessarily use the end marker. - Added lzma_str_to_filters(), lzma_str_from_filters(), and lzma_str_list_filters() to convert a preset or a filter chain string to a lzma_filter[] and vice versa. These should make it easier to write applications that allow users to specify custom compression options. - Added lzma_filters_free() which can be convenient for freeing the filter options in a filter chain (an array of lzma_filter structures). - lzma_file_info_decoder() makes it a little easier to get the Index field from .xz files. This helps in getting the uncompressed file size but an easy-to-use random access API is still missing which has existed in XZ for Java for a long time. - Added lzma_microlzma_encoder() and lzma_microlzma_decoder(). It is used by erofs-utils and may be used by others too. The MicroLZMA format is a raw LZMA stream (without end marker) whose first byte (always 0x00) has been replaced with bitwise-negation of the LZMA properties (lc/lp/pb). It was created for use in EROFS but may be used in other contexts as well where it is important to avoid wasting bytes for stream headers or footers. The format is also supported by XZ Embedded (the XZ Embedded version in Linux got MicroLZMA support in Linux 5.16). The MicroLZMA encoder API in liblzma can compress into a fixed-sized output buffer so that as much data is compressed as can be fit into the buffer while still creating a valid MicroLZMA stream. This is needed for EROFS. - Added lzma_lzip_decoder() to decompress the .lz (lzip) file format version 0 and the original unextended version 1 files. Also lzma_auto_decoder() supports .lz files. - lzma_filters_update() can now be used with the multi-threaded encoder (lzma_stream_encoder_mt()) to change the filter chain after LZMA_FULL_BARRIER or LZMA_FULL_FLUSH. - In lzma_options_lzma, allow nice_len = 2 and 3 with the match finders that require at least 3 or 4. Now it is internally rounded up if needed. - CLMUL-based CRC64 on x86-64 and E2K with runtime processor detection. On 32-bit x86 it currently isn't available unless --disable-assembler is used which can make the non-CLMUL CRC64 slower; this might be fixed in the future. - Building with --disable-threads --enable-small is now thread-safe if the compiler supports __attribute__((__constructor__)).
* xz: - Using -T0 (--threads=0) will now use multi-threaded encoder even on a single-core system. This is to ensure that output from the same xz binary is identical on both single-core and multi-core systems. - --threads=+1 or -T+1 is now a way to put xz into multi-threaded mode while using only one worker thread. The + is ignored if the number is not 1. - A default soft memory usage limit is now used for compression when -T0 is used and no explicit limit has been specified. This soft limit is used to restrict the number of threads but if the limit is exceeded with even one thread then xz will continue with one thread using the multi-threaded encoder and this limit is ignored. If the number of threads is specified manually then no default limit will be used; this affects only -T0. This change helps on systems that have very many cores and using all of them for xz makes no sense. Previously xz -T0 could run out of memory on such systems because it attempted to reserve memory for too many threads. This also helps with 32-bit builds which don't have a large amount of address space that would be required for many threads. The default soft limit for -T0 is at most 1400 MiB on all 32-bit platforms. - Previously a low value in --memlimit-compress wouldn't cause xz to switch from multi-threaded mode to single-threaded mode if the limit cannot otherwise be met; xz failed instead. Now xz can switch to single-threaded mode and then, if needed, scale down the LZMA2 dictionary size too just like it already did when it was started in single-threaded mode. - The option --no-adjust no longer prevents xz from scaling down the number of threads as that doesn't affect the compressed output (only performance). Now --no-adjust only prevents adjustments that affect compressed output, that is, with --no-adjust xz won't switch from multi-threaded mode to single-threaded mode and won't scale down the LZMA2 dictionary size. - Added a new option --memlimit-mt-decompress=LIMIT. This is used to limit the number of decompressor threads (possibly falling back to single-threaded mode) but it will never make xz refuse to decompress a file. This has a system-specific default value because without any limit xz could end up allocating memory for the whole compressed input file, the whole uncompressed output file, multiple thread-specific decompressor instances and so on. Basically xz could attempt to use an insane amount of memory even with fairly common files. The system-specific default value is currently the same as the one used for compression with -T0. The new option works together with the existing option --memlimit-decompress=LIMIT. The old option sets a hard limit that must not be exceeded (xz will refuse to decompress) while the new option only restricts the number of threads. If the limit set with --memlimit-mt-decompress is greater than the limit set with --memlimit-compress, then the latter value is used also for --memlimit-mt-decompress. - Added new information to the output of xz --info-memory and new fields to the output of xz --robot --info-memory. - In --lzma2=nice=NUMBER allow 2 and 3 with all match finders now that liblzma handles it. - Don't mention endianness for ARM and ARM-Thumb filters in --long-help. The filters only work for little endian instruction encoding but modern ARM processors using big endian data access still use little endian instruction encoding. So the help text was misleading. In contrast, the PowerPC filter is only for big endian 32/64-bit PowerPC code. Little endian PowerPC would need a separate filter. - Added decompression support for the .lz (lzip) file format version 0 and the original unextended version 1. It is autodetected by default. See also the option --format on the xz man page. - Sandboxing enabled by default:
* Capsicum (FreeBSD)
* pledge(2) (OpenBSD)
* Scripts now support the .lz format using xz.
* A few new tests were added.
* The liblzma-specific tests are now supported in CMake-based builds too ("make test").
* Sat Dec 17 2022 Dirk Müller - update to 5.2.10:
* xz: Don't modify argv[] when parsing the --memlimit* and --block-list command line options. This fixes confusing arguments in process listing (like "ps auxf").
* GNU/Linux only: Use __has_attribute(__symver__) to detect if that attribute is supported. This fixes build on Mandriva where Clang is patched to define __GNUC__ to 11 by default (instead of 4 as used by Clang upstream).
* liblzma: - Fixed an infinite loop in LZMA encoder initialization if dict_size >= 2 GiB. - Fixed two cases of invalid free() that can happen if a tiny allocation fails in encoder re-initialization or in lzma_filters_update(). These bugs had some similarities with the bug fixed in 5.2.7. - Fixed lzma_block_encoder() not allowing the use of LZMA_SYNC_FLUSH with lzma_code() even though it was documented to be supported. The sync-flush code in the Block encoder was already used internally via lzma_stream_encoder(), so this was just a missing flag in the lzma_block_encoder() API function. - GNU/Linux only: Don't put symbol versions into static liblzma as it breaks things in some cases (and even if it didn't break anything, symbol versions in static libraries are useless anyway). The downside of the fix is that if the configure options --with-pic or --without-pic are used then it's not possible to build both shared and static liblzma at the same time on GNU/Linux anymore; with those options --disable-static or --disable-shared must be used too. - drop unused xz-devel-static which is no longer supported when using --with-pic (which is needed for shared libs)
* Thu Dec 01 2022 Jan Engelhardt - Rename xz-static-devel -> xz-devel-static to follow the general naming used in openSUSE.
* Fri Nov 18 2022 Danilo Spinella - Update to 5.2.8:
* xz: - If xz cannot remove an input file when it should, this is now treated as a warning (exit status 2) instead of an error (exit status 1). This matches GNU gzip and it is more logical as at that point the output file has already been successfully closed. - Fix handling of .xz files with an unsupported check type. Previously such printed a warning message but then xz behaved as if an error had occurred (didn't decompress, exit status 1). Now a warning is printed, decompression is done anyway, and exit status is 2. This used to work slightly before 5.0.0. In practice this bug matters only if xz has been built with some check types disabled. As instructed in PACKAGERS, such builds should be done in special situations only. - Fix "xz -dc --single-stream tests/files/good-0-empty.xz" which failed with "Internal error (bug)". That is, --single-stream was broken if the first .xz stream in the input file didn't contain any uncompressed data. - Fix displaying file sizes in the progress indicator when working in passthru mode and there are multiple input files. Just like "gzip -cdf", "xz -cdf" works like "cat" when the input file isn't a supported compressed file format. In this case the file size counters weren't reset between files so with multiple input files the progress indicator displayed an incorrect (too large) value.
* liblzma: - API docs in lzma/container.h:
* Update the list of decoder flags in the decoder function docs.
* Explain LZMA_CONCATENATED behavior with .lzma files in lzma_auto_decoder() docs. - OpenBSD: Use HW_NCPUONLINE to detect the number of available hardware threads in lzma_physmem(). - Fix use of wrong macro to detect x86 SSE2 support. __SSE2_MATH__ was used with GCC/Clang but the correct one is __SSE2__. The first one means that SSE2 is used for floating point math which is irrelevant here. The affected SSE2 code isn't used on x86-64 so this affects only 32-bit x86 builds that use -msse2 without -mfpmath=sse (there is no runtime detection for SSE2). It improves LZMA compression speed (not decompression). - Fix the build with Intel C compiler 2021 (ICC, not ICX) on Linux. It defines __GNUC__ to 10 but doesn't support the __symver__ attribute introduced in GCC 10.
* Scripts: Ignore warnings from xz by using --quiet --no-warn. This is needed if the input .xz files use an unsupported check type.
* Translations: - Updated Croatian and Turkish translations. - One new translation wasn't included because it needed technical fixes. It will be in upcoming 5.4.0. No new translations will be added to the 5.2.x branch anymore. - Renamed the French man page translation file from fr_FR.po to fr.po and thus also its install directory (like /usr/share/man/fr_FR -> .../fr). - Man page translations for upcoming 5.4.0 are now handled in the Translation Project.
* Update doc/faq.txt a little so it's less out-of-date.
* Tue Oct 04 2022 Callum Farmer - Move localised man pages to lang subpackage
* Fri Sep 30 2022 C J - update to 5.2.7:
* liblzma: - Add API doc note about the .xz decoder LZMA_MEMLIMIT_ERROR bug. - Add dest and src NULL checks to lzma_index_cat. The documentation states LZMA_PROG_ERROR can be returned from lzma_index_cat. Previously, lzma_index_cat could not return LZMA_PROG_ERROR. Now, the validation is similar to lzma_index_append, which does a NULL check on the index parameter. - Fix copying of check type statistics in lzma_index_cat(). The check type of the last Stream in dest was never copied to dest->checks (the code tried to copy it but it was done too late). This meant that the value returned by lzma_index_checks() would only include the check type of the last Stream when multiple lzma_indexes had been concatenated. In xz --list this meant that the summary would only list the check type of the last Stream, so in this sense this was only a visual bug. However, it's possible that some applications use this information for purposes other than merely showing it to the users in an informational message. I'm not aware of such applications though and it's quite possible that such applications don't exist. Regular streamed decompression in xz or any other application doesn't use lzma_index_cat() and so this bug cannot affect them. - Stream decoder: Fix restarting after LZMA_MEMLIMIT_ERROR. If lzma_code() returns LZMA_MEMLIMIT_ERROR it is now possible to use lzma_memlimit_set() to increase the limit and continue decoding. This was supposed to work from the beginning but there was a bug. With other decoders (.lzma or threaded .xz) this already worked correctly. - lzma_filters_copy: Keep dest[] unmodified if an error occurs. lzma_stream_encoder() and lzma_stream_encoder_mt() always assumed this. Before this patch, failing lzma_filters_copy() could result in free(invalid_pointer) or invalid memory reads in stream_encoder.c or stream_encoder_mt.c. To trigger this, allocating memory for a filter options structure has to fail. These are tiny allocations so in practice they very rarely fail. Certain badness in the filter chain array could also make lzma_filters_copy() fail but both stream_encoder.c and stream_encoder_mt.c validate the filter chain before trying to copy it, so the crash cannot occur this way. - lzma_index_append: Add missing integer overflow check. The documentation in src/liblzma/api/lzma/index.h suggests that both the unpadded (compressed) size and the uncompressed size are checked for overflow, but only the unpadded size was checked. The uncompressed check is done first since that is more likely to occur than the unpadded or index field size overflows. - Vaccinate against an ill patch from RHEL/CentOS 7.
* xzgrep: - Fix compatibility with old shells. Turns out that some old shells don't like apostrophes (') inside command substitutions. The problem was introduced by commits 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 (2022-03-29), bd7b290f3fe4faeceb7d3497ed9bf2e6ed5e7dc5 (2022-07-18), and a648978b20495b7aa4a8b029c5a810b5ad9d08ff (2022-07-19). 5.2.6 is the only stable release that included this problem.
* Translations: Add Turkish translation.
* Fri Aug 12 2022 Dirk Müller - update to 5.2.6 (CVE-2022-1271, bsc#1198062):
* xz: - The --keep option now accepts symlinks, hardlinks, and setuid, setgid, and sticky files. - When copying metadata from the source file to the destination file, don\'t try to set the group (GID) if it is already set correctly. This avoids a failure on OpenBSD (and possibly on a few other OSes) where files may get created so that their group doesn\'t belong to the user, and fchown(2) can fail even if it needs to do nothing. - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on MIPS32 because on MIPS32 userspace processes are limited to 2 GiB of address space.
* liblzma: - Fixed a missing error-check in the threaded encoder. If a small memory allocation fails, a .xz file with an invalid Index field would be created. Decompressing such a file would produce the correct output but result in an error at the end. Thus this is a "mild" data corruption bug. Note that while a failed memory allocation can trigger the bug, it cannot cause invalid memory access. - The decoder for .lzma files now supports files that have uncompressed size stored in the header and still use the end of payload marker (end of stream marker) at the end of the LZMA stream. Such files are rare but, according to the documentation in LZMA SDK, they are valid. doc/lzma-file-format.txt was updated too. - Improved 32-bit x86 assembly files:
* Support Intel Control-flow Enforcement Technology (CET)
* Use non-executable stack on FreeBSD.
* xzgrep: - Fixed arbitrary command injection via a malicious filename (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for this was released to the public on 2022-04-07. A slight robustness improvement has been made since then and, if using GNU or *BSD grep, a new faster method is now used that doesn't use the old sed-based construct at all. This also fixes bad output with GNU grep >= 3.5 (2020-09-27) when xzgrepping binary files. - Fixed detection of corrupt .bz2 files. - Improved error handling to fix exit status in some situations and to fix handling of signals: in some situations a signal didn't make xzgrep exit when it clearly should have. It's possible that the signal handling still isn't quite perfect but hopefully it's good enough. - Documented exit statuses on the man page. - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead of the deprecated egrep and fgrep commands. - Fixed parsing of the options -E, -F, -G, -P, and -X. The problem occurred when multiple options were specified in a single argument, for example, echo foo | xzgrep -Fe foo treated foo as a filename because -Fe wasn't correctly split into -F -e. - Added zstd support.
* xzdiff/xzcmp: - Fixed wrong exit status. Exit status could be 2 when the correct value is 1. - Documented on the man page that exit status of 2 is used for decompression errors. - Added zstd support.
* xzless: - Fix less(1) version detection. It failed if the version number from "less -V" contained a dot.
* Tue Apr 12 2022 Marcus Meissner - use https urls.
* Mon Jun 07 2021 Jan Engelhardt - Upgrade old rpm constructs.
 