diff --git a/.gitignore b/.gitignore index 1841233..dbc4dea 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -/xz-5.2.4.tar.xz +xz-5.6.2.tar.gz +xz-5.6.2.tar.gz.sig diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index eb7c84f..0000000 --- a/gating.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- !Policy -product_versions: - - rhel-8 -decision_context: osci_compose_gate -rules: - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} diff --git a/lasse_collin_pubkey.txt b/lasse_collin_pubkey.txt new file mode 100644 index 0000000..4a391c6 --- /dev/null +++ b/lasse_collin_pubkey.txt @@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard +sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI +ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf +IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc +Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax +W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb +fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7 +jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9 +vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX +CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc +MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB +tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK +ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG +IAUCZZwJyQUJGuHiNwAKCRA47nV9aRhGIE4qD/4jdFTe3WPpLgvz/jdlbnSZxr7q +OS6H/ZJFENHO4SbavXdoXLtj+t6/lqWq890Js8IpWaaiJLowzW1xJMEg99W6k0KD +3pHUbwPxf0GCSAt/W4JYxdTj+1ggdHjx5yBAmOakjnOH+ZDKQNBnDOI6ghf3ew+H +9z/b0mQX3rlQbtoqSPZtuDOdFcjCOSwEyqdV+9eNqnv2CoKZkiGoUB1WGCbqKUkY +KiUJ3WldmPQ5RQYjEi7zZWVac1VuwBA0XOku+W4cCJ5DnPyK7CtMwC84VvaodlOX +UAK3Y5BIZpZM2Rk6yMX5lFDA5nA8UuHJQRDjTVmh3BIdgRvp0ZV6ogtqNE7RifpW +aBWDIsCkimcbCJJM+edOLiVZog+ia1Ts8zu33wj7Tnvp5znLc8NLZIqwu1HKLS97 +m+Yf5oC3ObTZtXbVF+OglWe/3ljLHdL2bJxNdtcVlChSNPUW3fgLHk9Fzrlnqdab +tSGwI/0Ryt00cKjRiMOagTn5Nly6boCtgGYdQafQoSrs3eQjnWVgbNYDMgPyl4k+ +Q5RJLEY7AvtXo7FUEgOTfr9PWmjmc2JzGpxbtwl6sQi6yLrBZTRf1Xao2OjOje6G +XdUbXNmgOv16sWxcI0s4lX1z28BgHQfwXhBFBRjw2Sy+6TfFXjX24thcpMwvyJ3c +xhMtdY4N4jyfRjYe8LkCDQRMxDmSARAAv8XAp2PGA/G1KmCrVIzOBm1NPIuqGAYP +c1l9p0dYdhEgvfw0NXcl5MDv1jbOPZ2PspA8NP7Rqp6LNNXYTeM/eIJDndU5Phyi +ewFpACAp7Gmm2dL5PUOhu0gIUnQYbN/QdGPoo7bNI646K1Y9aVTBu9fszQssjb6G +qXHSNM+pskVn9lropO1tLrF0I9VSlSphlCmiQRlzBCZSnxD6UagkPaw1gJnJqnrd +f9oA6AIavZFdh104fl7y8bMZb6bC0K/5ZD0DLfmYaojkyqRtl3VBu6/ZvXrjsT9A +QS5x9EdVslUoYY+kUxQm1wi3LIi3mOj6v0IIvgKzjt0X/39E3C42+m8ddTKowFB1 +Y1lEzHiT80YP9a+I+L2bqYgy6Lqs5CxI5qph1xRfg2rY6uvc5rPYk9B1R94jbeKi +3W8ryHG9QJBNXcd8mCGLM3qylWXTJA4oGITyaIlGCuMeKUfeFNvGijjbEOQ0Cr4J +CjdACbWJsPEoIOrRFxY+NwJEA39Dkyalyh2l0qTNXTIYhLiDuzl+tWuBX+SjHavj +9jGyvwr3T37gfzYCNMoZf8GaxAUJMCoGTqnsjTPGMion/DfdNkFDQ+fivdYiVQ9p +/Njpr38sC83V8dHF/1KkIHImyzMPTdC7l/lMHyC2Gx2dWZOjuOOKit0Qoy3DZoQw +vN1ZZND9M1UAEQEAAYkCPAQYAQoAJgIbDBYhBDaQwkDOUbRnDTCtHDjudX1pGEYg +BQJlnAmyBQka4eIgAAoJEDjudX1pGEYguyYQAJo+5SnMMdu+d70mWfUb9PZg7P5C +GRepHnckx9Sis5oR5s7NNl5j5Yy4J1UwsmrP+mn52ujqewkkVsCq65NGQQx7+tkw +uKGvnGBkHdrI+aJk86qLMf4DlnNJEmN8t5jTGQfRLbFVf2I8EY6qXAzCSmL9Zs++ +rDUz65GOTB1EP0XmBRsuVYRfDbFezrPQH0JDucbXFi/2BDnl2/Mk9NBoQ0CvB4oG +tLDiQZ+jV7n1VXXJ1faD9s7i0hOTdcG6rlyIqi/LyAzdCnOYTkmv3U1kdmzkvrh1 +KEiejnM5fj27RE2v191vh3hgZ+X5+uwjNTP0QC4qP8XykQOAA8usOMVZ72lyXCAk +wiUcRdrAXLN/XbIFNcQ3m4d3W6t60Gk09wFlUKaEltDMlPUsxiSG3qFwFGPBP6UV +h3mjJMAl1jltLrR7ybez0SczfrcAtdCsKTvgzV9W2TzUfK2R9PBanmXTXK2M7yU3 +IquHt3Je4aSP7XYb5D+ajlbFNvnXOYcai8WryfC5nLAfV4MbPX+UlRaYCqqHVhut +gK93re1L5mMI3zjG5Ri5jLpUA9toSJCIJIY5zwr/8LL/ZL4TixXlouA17yjkpY/e +Bjs8cNj1O3aM4jY2FKCS8UbfxOiARk/5kBMRPEZ/mqpMQttzE8KVjOv6fRxy/eVE +888/gToe5kb8qYwy +=6rZC +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index fbd72ba..0d4bfbd 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (xz-5.2.4.tar.xz) = 00db7dd31a61541b1ce6946e0f21106f418dd1ac3f27cdb8682979cbc3bd777cd6dd1f04f9ba257a0a7e24041e15ca40d0dd5c130380dce62280af67a0beb97f +SHA512 (xz-5.6.2.tar.gz) = c32c32c95e3541b906e0284e66a953ace677e0ce6af2084e7b122600047bf7542c1b0fabb5909b19ff79fba6def530be674df1c675b22a47a8d57f3f0b736a82 +SHA512 (xz-5.6.2.tar.gz.sig) = f3d1055a2a6e96eec2fd5c0b733f2ab5e150bac9645f1fe9a7558ed6f34a241b4f57e17fd4504f311be26cf1e2b9b797f2e78b1b9d2db02e9cd0c1548cb6160b diff --git a/xz-cve-2025-31115.patch b/xz-cve-2025-31115.patch new file mode 100644 index 0000000..ccf6ffc --- /dev/null +++ b/xz-cve-2025-31115.patch @@ -0,0 +1,334 @@ +# Fix CVE-2025-31115 in XZ Utils 5.3.3alpha to 5.8.0 +# This applies to all affected releases. +# https://tukaani.org/xz/threaded-decoder-early-free.html + +From 831b55b971cf579ee16a854f177c36b20d3c6999 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 1/4] liblzma: mt dec: Fix a comment + +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +--- + src/liblzma/common/stream_decoder_mt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index 22c9375f..812b745d 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -347,7 +347,7 @@ worker_enable_partial_update(void *thr_ptr) + + + /// Things do to at THR_STOP or when finishing a Block. +-/// This is called with thr->mutex locked. ++/// This is called with thr->coder->mutex locked. + static void + worker_stop(struct worker_thread *thr) + { +-- +2.49.0 + + +From c0c835964dfaeb2513a3c0bdb642105152fe9f34 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 2/4] liblzma: mt dec: Simplify by removing the THR_STOP state + +The main thread can directly set THR_IDLE in threads_stop() which is +called when errors are detected. threads_stop() won't return the stopped +threads to the pool or free the memory pointed by thr->in anymore, but +it doesn't matter because the existing workers won't be reused after +an error. The resources will be cleaned up when threads_end() is +called (reinitializing the decoder always calls threads_end()). + +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +--- + src/liblzma/common/stream_decoder_mt.c | 75 ++++++++++---------------- + 1 file changed, 29 insertions(+), 46 deletions(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index 812b745d..82962c64 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -23,15 +23,10 @@ typedef enum { + THR_IDLE, + + /// Decoding is in progress. +- /// Main thread may change this to THR_STOP or THR_EXIT. ++ /// Main thread may change this to THR_IDLE or THR_EXIT. + /// The worker thread may change this to THR_IDLE. + THR_RUN, + +- /// The main thread wants the thread to stop whatever it was doing +- /// but not exit. Main thread may change this to THR_EXIT. +- /// The worker thread may change this to THR_IDLE. +- THR_STOP, +- + /// The main thread wants the thread to exit. + THR_EXIT, + +@@ -346,27 +341,6 @@ worker_enable_partial_update(void *thr_ptr) + } + + +-/// Things do to at THR_STOP or when finishing a Block. +-/// This is called with thr->coder->mutex locked. +-static void +-worker_stop(struct worker_thread *thr) +-{ +- // Update memory usage counters. +- thr->coder->mem_in_use -= thr->in_size; +- thr->in_size = 0; // thr->in was freed above. +- +- thr->coder->mem_in_use -= thr->mem_filters; +- thr->coder->mem_cached += thr->mem_filters; +- +- // Put this thread to the stack of free threads. +- thr->next = thr->coder->threads_free; +- thr->coder->threads_free = thr; +- +- mythread_cond_signal(&thr->coder->cond); +- return; +-} +- +- + static MYTHREAD_RET_TYPE + worker_decoder(void *thr_ptr) + { +@@ -397,17 +371,6 @@ next_loop_unlocked: + return MYTHREAD_RET_VALUE; + } + +- if (thr->state == THR_STOP) { +- thr->state = THR_IDLE; +- mythread_mutex_unlock(&thr->mutex); +- +- mythread_sync(thr->coder->mutex) { +- worker_stop(thr); +- } +- +- goto next_loop_lock; +- } +- + assert(thr->state == THR_RUN); + + // Update progress info for get_progress(). +@@ -510,7 +473,22 @@ next_loop_unlocked: + && thr->coder->thread_error == LZMA_OK) + thr->coder->thread_error = ret; + +- worker_stop(thr); ++ // Return the worker thread to the stack of available ++ // threads. ++ { ++ // Update memory usage counters. ++ thr->coder->mem_in_use -= thr->in_size; ++ thr->in_size = 0; // thr->in was freed above. ++ ++ thr->coder->mem_in_use -= thr->mem_filters; ++ thr->coder->mem_cached += thr->mem_filters; ++ ++ // Put this thread to the stack of free threads. ++ thr->next = thr->coder->threads_free; ++ thr->coder->threads_free = thr; ++ } ++ ++ mythread_cond_signal(&thr->coder->cond); + } + + goto next_loop_lock; +@@ -544,17 +522,22 @@ threads_end(struct lzma_stream_coder *coder, const lzma_allocator *allocator) + } + + ++/// Tell worker threads to stop without doing any cleaning up. ++/// The clean up will be done when threads_exit() is called; ++/// it's not possible to reuse the threads after threads_stop(). ++/// ++/// This is called before returning an unrecoverable error code ++/// to the application. It would be waste of processor time ++/// to keep the threads running in such a situation. + static void + threads_stop(struct lzma_stream_coder *coder) + { + for (uint32_t i = 0; i < coder->threads_initialized; ++i) { ++ // The threads that are in the THR_RUN state will stop ++ // when they check the state the next time. There's no ++ // need to signal coder->threads[i].cond. + mythread_sync(coder->threads[i].mutex) { +- // The state must be changed conditionally because +- // THR_IDLE -> THR_STOP is not a valid state change. +- if (coder->threads[i].state != THR_IDLE) { +- coder->threads[i].state = THR_STOP; +- mythread_cond_signal(&coder->threads[i].cond); +- } ++ coder->threads[i].state = THR_IDLE; + } + } + +@@ -1941,7 +1924,7 @@ stream_decoder_mt_init(lzma_next_coder *next, const lzma_allocator *allocator, + // accounting from scratch, too. Changes in filter and block sizes may + // affect number of threads. + // +- // FIXME? Reusing should be easy but unlike the single-threaded ++ // Reusing threads doesn't seem worth it. Unlike the single-threaded + // decoder, with some types of input file combinations reusing + // could leave quite a lot of memory allocated but unused (first + // file could allocate a lot, the next files could use fewer +-- +2.49.0 + + +From d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 3/4] liblzma: mt dec: Don't free the input buffer too early + (CVE-2025-31115) + +The input buffer must be valid as long as the main thread is writing +to the worker-specific input buffer. Fix it by making the worker +thread not free the buffer on errors and not return the worker thread to +the pool. The input buffer will be freed when threads_end() is called. + +With invalid input, the bug could at least result in a crash. The +effects include heap use after free and writing to an address based +on the null pointer plus an offset. + +The bug has been there since the first committed version of the threaded +decoder and thus affects versions from 5.3.3alpha to 5.8.0. + +As the commit message in 4cce3e27f529 says, I had made significant +changes on top of Sebastian's patch. This bug was indeed introduced +by my changes; it wasn't in Sebastian's version. + +Thanks to Harri K. Koskinen for discovering and reporting this issue. + +Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.") +Reported-by: Harri K. Koskinen +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +--- + src/liblzma/common/stream_decoder_mt.c | 31 ++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index 82962c64..98aabcff 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -435,8 +435,7 @@ next_loop_unlocked: + } + + // Either we finished successfully (LZMA_STREAM_END) or an error +- // occurred. Both cases are handled almost identically. The error +- // case requires updating thr->coder->thread_error. ++ // occurred. + // + // The sizes are in the Block Header and the Block decoder + // checks that they match, thus we know these: +@@ -444,16 +443,30 @@ next_loop_unlocked: + assert(ret != LZMA_STREAM_END + || thr->out_pos == thr->block_options.uncompressed_size); + +- // Free the input buffer. Don't update in_size as we need +- // it later to update thr->coder->mem_in_use. +- lzma_free(thr->in, thr->allocator); +- thr->in = NULL; +- + mythread_sync(thr->mutex) { ++ // Block decoder ensures this, but do a sanity check anyway ++ // because thr->in_filled < thr->in_size means that the main ++ // thread is still writing to thr->in. ++ if (ret == LZMA_STREAM_END && thr->in_filled != thr->in_size) { ++ assert(0); ++ ret = LZMA_PROG_ERROR; ++ } ++ + if (thr->state != THR_EXIT) + thr->state = THR_IDLE; + } + ++ // Free the input buffer. Don't update in_size as we need ++ // it later to update thr->coder->mem_in_use. ++ // ++ // This step is skipped if an error occurred because the main thread ++ // might still be writing to thr->in. The memory will be freed after ++ // threads_end() sets thr->state = THR_EXIT. ++ if (ret == LZMA_STREAM_END) { ++ lzma_free(thr->in, thr->allocator); ++ thr->in = NULL; ++ } ++ + mythread_sync(thr->coder->mutex) { + // Move our progress info to the main thread. + thr->coder->progress_in += thr->in_pos; +@@ -474,8 +487,8 @@ next_loop_unlocked: + thr->coder->thread_error = ret; + + // Return the worker thread to the stack of available +- // threads. +- { ++ // threads only if no errors occurred. ++ if (ret == LZMA_STREAM_END) { + // Update memory usage counters. + thr->coder->mem_in_use -= thr->in_size; + thr->in_size = 0; // thr->in was freed above. +-- +2.49.0 + + +From 8188048854e8d11071b8a50d093c74f4c030acc9 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 4/4] liblzma: mt dec: Don't modify thr->in_size in the worker + thread + +Don't set thr->in_size = 0 when returning the thread to the stack of +available threads. Not only is it useless, but the main thread may +read the value in SEQ_BLOCK_THR_RUN. With valid inputs, it made +no difference if the main thread saw the original value or 0. With +invalid inputs (when worker thread stops early), thr->in_size was +no longer modified after the previous commit with the security fix +("Don't free the input buffer too early"). + +So while the bug appears harmless now, it's important to fix it because +the variable was being modified without proper locking. It's trivial +to fix because there is no need to change the value. Only main thread +needs to set the value in (in SEQ_BLOCK_THR_INIT) when starting a new +Block before the worker thread is activated. + +Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.") +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +--- + src/liblzma/common/stream_decoder_mt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index 98aabcff..1fa92220 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -491,8 +491,6 @@ next_loop_unlocked: + if (ret == LZMA_STREAM_END) { + // Update memory usage counters. + thr->coder->mem_in_use -= thr->in_size; +- thr->in_size = 0; // thr->in was freed above. +- + thr->coder->mem_in_use -= thr->mem_filters; + thr->coder->mem_cached += thr->mem_filters; + +@@ -1554,6 +1552,10 @@ stream_decode_mt(void *coder_ptr, const lzma_allocator *allocator, + } + + // Return if the input didn't contain the whole Block. ++ // ++ // NOTE: When we updated coder->thr->in_filled a few lines ++ // above, the worker thread might by now have finished its ++ // work and returned itself back to the stack of free threads. + if (coder->thr->in_filled < coder->thr->in_size) { + assert(*in_pos == in_size); + return LZMA_OK; +-- +2.49.0 + diff --git a/xz.spec b/xz.spec index 328cb01..f0a5b9c 100644 --- a/xz.spec +++ b/xz.spec @@ -3,30 +3,43 @@ Summary: LZMA compression utilities Name: xz -Version: 5.2.4 -Release: 3%{?dist} +# **PLEASE NOTE**: when bumping xz version, please rebuild +# perl-Compress-Raw-Lzma, it has a strict xz version dep +Epoch: 1 +Version: 5.6.2 +Release: 4%{?dist} + +# liblzma - 0BSD +# xz{,dec}, lzma{dec,info} - 0BSD +# - getopt_long - LGPL-2.1-or-later - not built in Fedora +# xz{grep,diff,less,more} - GPL-2.0-or-later +# docs - BSD0 AND LicenseRef-Fedora-Public-Domain +# man pages and translations - 0BSD AND LicenseRef-Fedora-Public-Domain +# See: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/547 +License: 0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain -# Scripts xz{grep,diff,less,more} and symlinks (copied from gzip) are -# GPLv2+, binaries are Public Domain (linked against LGPL getopt_long but its -# OK), documentation is Public Domain. -License: GPLv2+ and Public Domain # official upstream release -Source0: http://tukaani.org/%{name}/%{name}-%{version}.tar.xz +Source0: https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sig +Source2: https://tukaani.org/misc/lasse_collin_pubkey.txt Source100: colorxzgrep.sh Source101: colorxzgrep.csh +Patch1: xz-cve-2025-31115.patch -URL: http://tukaani.org/%{name}/ -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +URL: https://tukaani.org/%{name}/ +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} # For /usr/libexec/grepconf.sh (RHBZ#1189120). # Unfortunately F21 has a newer version of grep which doesn't # have grepconf, but we're only concerned with F22 here. Requires: grep >= 2.20-5 +BuildRequires: make BuildRequires: gcc +BuildRequires: gnupg2 BuildRequires: perl-interpreter - +BuildRequires: autoconf automake libtool gettext-devel %description XZ Utils are an attempt to make LZMA compression easy to use on free (as in @@ -41,7 +54,7 @@ decompression speed fast. %package libs Summary: Libraries for decoding LZMA compression -License: Public Domain +License: 0BSD Obsoletes: %{name}-compat-libs < %{version}-%{release} %description libs @@ -50,7 +63,7 @@ Libraries for decoding files compressed with LZMA or XZ utils. %package static Summary: Statically linked library for decoding LZMA compression -License: Public Domain +License: 0BSD %description static Statically linked library for decoding files compressed with LZMA or @@ -59,8 +72,8 @@ XZ utils. Most users should *not* install this. %package devel Summary: Devel libraries & headers for liblzma -License: Public Domain -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +License: 0BSD +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} %description devel Devel libraries and headers for liblzma. @@ -68,9 +81,9 @@ Devel libraries and headers for liblzma. %package lzma-compat Summary: Older LZMA format compatibility binaries -# Just a set of symlinks to 'xz' + two Public Domain binaries. -License: Public Domain -Requires: %{name}%{?_isa} = %{version}-%{release} +# Just a set of symlinks to some files in the 'xz' package. +License: 0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Obsoletes: lzma < %{version} Provides: lzma = %{version} @@ -80,16 +93,14 @@ commands that deal with the older LZMA format. %prep -%autosetup +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p1 +autoreconf -fi %build export CFLAGS="%optflags" -%ifarch %{power64} - CFLAGS="$CFLAGS -O3" -%endif - %ifarch %ix86 # rhbz#1630650, annocheck reports the following message because liblzma uses # crc*_x86.S asm code on i686: @@ -122,21 +133,27 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %files -f %{name}.lang -%license %{_pkgdocdir}/COPYING* +%license COPYING* %doc %{_pkgdocdir} %exclude %_pkgdocdir/examples* %{_bindir}/*xz* %{_mandir}/man1/*xz* +%lang(de) %{_mandir}/de/man1/*xz* +%lang(fr) %{_mandir}/fr/man1/*xz* +%lang(ko) %{_mandir}/ko/man1/*xz* +%lang(ro) %{_mandir}/ro/man1/*xz* +%lang(uk) %{_mandir}/uk/man1/*xz* +%lang(pt_BR) %{_mandir}/pt_BR/man1/*xz* %{profiledir}/* %files libs -%license %{_pkgdocdir}/COPYING +%license COPYING %{_libdir}/lib*.so.5* %files static -%license %{_pkgdocdir}/COPYING +%license COPYING %{_libdir}/liblzma.a @@ -152,12 +169,130 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %files lzma-compat %{_bindir}/*lz* %{_mandir}/man1/*lz* +%lang(de) %{_mandir}/de/man1/*lz* +%lang(fr) %{_mandir}/fr/man1/*lz* +%lang(ko) %{_mandir}/ko/man1/*lz* +%lang(ro) %{_mandir}/ro/man1/*lz* +%lang(uk) %{_mandir}/uk/man1/*lz* +%lang(pt_BR) %{_mandir}/pt_BR/man1/*lz* %changelog -* Thu Nov 22 2018 Pavel Raiskup - 5.2.4-3 +* Tue May 13 2025 Jakub Martisko - 1:5.6.2-4 +- Fix: heap-use-after-free bug in threaded .xz decoder (CVE-2025-31115) +- Resolves: RHEL-86029 + +* Tue Oct 29 2024 Troy Dawson - 1:5.6.2-3 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Thu Aug 01 2024 Lukáš Zaoral - 1:5.6.2-2 +- finish SPDX license conversion (RHEL-46960) + +* Tue Jul 16 2024 Jindrich Novy +- Update to https://github.com/tukaani-project/xz/releases/tag/v5.6.2 +- Resolves: RHEL-43733 + +* Wed Jul 10 2024 Filip Janus - 5.4.6-3 +- Build package with correct SPDX licence + +* Mon Jun 24 2024 Troy Dawson - 5.4.6-2 +- Bump release for June 2024 mass rebuild + +* Mon Jan 29 2024 Richard W.M. Jones - 5.4.6-1 +- New version 5.4.6 (RHBZ#2260521) +- Fix Source URLs. + +* Sat Jan 27 2024 Fedora Release Engineering - 5.4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Nov 01 2023 Richard W.M. Jones - 5.4.5-1 +- New version 5.4.5 (RHBZ#2247487) + +* Thu Oct 19 2023 Debarshi Ray - 5.4.4-2 +- Mark translations of manuals with %%lang() + +* Wed Aug 02 2023 Richard W.M. Jones - 5.4.4-1 +- New version 5.4.4 (RHBZ#2228542) + +* Sat Jul 22 2023 Fedora Release Engineering - 5.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu May 04 2023 Richard W.M. Jones - 5.4.3-1 +- Rebase to version 5.4.3 (RHBZ#2179570) +- Update the pubkey which appears to have changed. + +* Mon Apr 17 2023 Matej Mužila - 5.4.2-1 +- Rebase to version 5.4.2 (#2179570) + +* Mon Jan 23 2023 Richard W.M. Jones - 5.4.1-1 +- Rebase to version 5.4.1 (#2142405) + +* Sat Jan 21 2023 Fedora Release Engineering - 5.2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Dec 01 2022 Richard W.M. Jones - 5.2.9-1 +- Rebase to version 5.2.9 (#2142405) + +* Tue Nov 22 2022 Matej Mužila - 5.2.8-1 +- Rebase to version 5.2.8 (#2142405) + +* Tue Aug 30 2022 Matej Mužila - 5.2.7-1 +- Rebase to version 5.2.7 (#2131313) + +* Tue Aug 30 2022 Matej Mužila - 5.2.6-1 +- Rebase to version 5.2.6 (#2117931) + +* Sat Jul 23 2022 Fedora Release Engineering - 5.2.5-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Sat Apr 16 2022 Todd Zullinger - 5.2.5-9 +- verify upstream GPG signature +- xzgrep: arbitrary-file-write vulnerability (#2073310, CVE-2022-1271) + +* Sat Jan 22 2022 Fedora Release Engineering - 5.2.5-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Jul 23 2021 Fedora Release Engineering - 5.2.5-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Feb 12 2021 Michal Schorm - 5.2.5-6 +- Remove the ancient PPC64 hack + +* Thu Jan 28 2021 Fedora Release Engineering - 5.2.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jan 04 2021 Ondrej Dubaj - 5.2.5-4 +- Enabled CET for i686 (#1910368) + +* Wed Jul 29 2020 Fedora Release Engineering - 5.2.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jun 8 2020 Richard W.M. Jones - 5.2.5-2 +- Fix location of German man pages (RHBZ#1844813). + +* Mon Mar 30 2020 Ondrej Dubaj - 5.2.5-1 +- Rebase to version 5.2.5 (#1818418) + +* Fri Jan 31 2020 Fedora Release Engineering - 5.2.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Aug 21 2019 Petr Kubat - 5.2.4-7 +- Use relative path for COPYING files so that rpm moves them to correct place + Related: rhbz#1741074 + +* Sat Jul 27 2019 Fedora Release Engineering - 5.2.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 5.2.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Nov 22 2018 Pavel Raiskup - 5.2.4-4 - fix annocheck failures on i686 (rhbz#1630650) +* Sat Jul 14 2018 Fedora Release Engineering - 5.2.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Wed May 09 2018 Pavel Raiskup - 5.2.4-2 - drop ppc64p7 hack, per fedora devel list discussion: https://lists.fedoraproject.org/archives/list/ @@ -178,6 +313,7 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check - Cleanup spec * Thu Aug 03 2017 Fedora Release Engineering - 5.2.3-4 + - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild * Thu Jul 27 2017 Fedora Release Engineering - 5.2.3-3