import UBI xz-5.6.2-4.el10_0

.gitignore

@@ -1 +1,2 @@
-/xz-5.2.4.tar.xz
+xz-5.6.2.tar.gz
+xz-5.6.2.tar.gz.sig

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

lasse_collin_pubkey.txt

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard
+sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI
+ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf
+IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc
+Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax
+W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb
+fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7
+jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9
+vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX
+CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc
+MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB
+tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK
+ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG
+IAUCZZwJyQUJGuHiNwAKCRA47nV9aRhGIE4qD/4jdFTe3WPpLgvz/jdlbnSZxr7q
+OS6H/ZJFENHO4SbavXdoXLtj+t6/lqWq890Js8IpWaaiJLowzW1xJMEg99W6k0KD
+3pHUbwPxf0GCSAt/W4JYxdTj+1ggdHjx5yBAmOakjnOH+ZDKQNBnDOI6ghf3ew+H
+9z/b0mQX3rlQbtoqSPZtuDOdFcjCOSwEyqdV+9eNqnv2CoKZkiGoUB1WGCbqKUkY
+KiUJ3WldmPQ5RQYjEi7zZWVac1VuwBA0XOku+W4cCJ5DnPyK7CtMwC84VvaodlOX
+UAK3Y5BIZpZM2Rk6yMX5lFDA5nA8UuHJQRDjTVmh3BIdgRvp0ZV6ogtqNE7RifpW
+aBWDIsCkimcbCJJM+edOLiVZog+ia1Ts8zu33wj7Tnvp5znLc8NLZIqwu1HKLS97
+m+Yf5oC3ObTZtXbVF+OglWe/3ljLHdL2bJxNdtcVlChSNPUW3fgLHk9Fzrlnqdab
+tSGwI/0Ryt00cKjRiMOagTn5Nly6boCtgGYdQafQoSrs3eQjnWVgbNYDMgPyl4k+
+Q5RJLEY7AvtXo7FUEgOTfr9PWmjmc2JzGpxbtwl6sQi6yLrBZTRf1Xao2OjOje6G
+XdUbXNmgOv16sWxcI0s4lX1z28BgHQfwXhBFBRjw2Sy+6TfFXjX24thcpMwvyJ3c
+xhMtdY4N4jyfRjYe8LkCDQRMxDmSARAAv8XAp2PGA/G1KmCrVIzOBm1NPIuqGAYP
+c1l9p0dYdhEgvfw0NXcl5MDv1jbOPZ2PspA8NP7Rqp6LNNXYTeM/eIJDndU5Phyi
+ewFpACAp7Gmm2dL5PUOhu0gIUnQYbN/QdGPoo7bNI646K1Y9aVTBu9fszQssjb6G
+qXHSNM+pskVn9lropO1tLrF0I9VSlSphlCmiQRlzBCZSnxD6UagkPaw1gJnJqnrd
+f9oA6AIavZFdh104fl7y8bMZb6bC0K/5ZD0DLfmYaojkyqRtl3VBu6/ZvXrjsT9A
+QS5x9EdVslUoYY+kUxQm1wi3LIi3mOj6v0IIvgKzjt0X/39E3C42+m8ddTKowFB1
+Y1lEzHiT80YP9a+I+L2bqYgy6Lqs5CxI5qph1xRfg2rY6uvc5rPYk9B1R94jbeKi
+3W8ryHG9QJBNXcd8mCGLM3qylWXTJA4oGITyaIlGCuMeKUfeFNvGijjbEOQ0Cr4J
+CjdACbWJsPEoIOrRFxY+NwJEA39Dkyalyh2l0qTNXTIYhLiDuzl+tWuBX+SjHavj
+9jGyvwr3T37gfzYCNMoZf8GaxAUJMCoGTqnsjTPGMion/DfdNkFDQ+fivdYiVQ9p
+/Njpr38sC83V8dHF/1KkIHImyzMPTdC7l/lMHyC2Gx2dWZOjuOOKit0Qoy3DZoQw
+vN1ZZND9M1UAEQEAAYkCPAQYAQoAJgIbDBYhBDaQwkDOUbRnDTCtHDjudX1pGEYg
+BQJlnAmyBQka4eIgAAoJEDjudX1pGEYguyYQAJo+5SnMMdu+d70mWfUb9PZg7P5C
+GRepHnckx9Sis5oR5s7NNl5j5Yy4J1UwsmrP+mn52ujqewkkVsCq65NGQQx7+tkw
+uKGvnGBkHdrI+aJk86qLMf4DlnNJEmN8t5jTGQfRLbFVf2I8EY6qXAzCSmL9Zs++
+rDUz65GOTB1EP0XmBRsuVYRfDbFezrPQH0JDucbXFi/2BDnl2/Mk9NBoQ0CvB4oG
+tLDiQZ+jV7n1VXXJ1faD9s7i0hOTdcG6rlyIqi/LyAzdCnOYTkmv3U1kdmzkvrh1
+KEiejnM5fj27RE2v191vh3hgZ+X5+uwjNTP0QC4qP8XykQOAA8usOMVZ72lyXCAk
+wiUcRdrAXLN/XbIFNcQ3m4d3W6t60Gk09wFlUKaEltDMlPUsxiSG3qFwFGPBP6UV
+h3mjJMAl1jltLrR7ybez0SczfrcAtdCsKTvgzV9W2TzUfK2R9PBanmXTXK2M7yU3
+IquHt3Je4aSP7XYb5D+ajlbFNvnXOYcai8WryfC5nLAfV4MbPX+UlRaYCqqHVhut
+gK93re1L5mMI3zjG5Ri5jLpUA9toSJCIJIY5zwr/8LL/ZL4TixXlouA17yjkpY/e
+Bjs8cNj1O3aM4jY2FKCS8UbfxOiARk/5kBMRPEZ/mqpMQttzE8KVjOv6fRxy/eVE
+888/gToe5kb8qYwy
+=6rZC
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1,2 @@
-SHA512 (xz-5.2.4.tar.xz) = 00db7dd31a61541b1ce6946e0f21106f418dd1ac3f27cdb8682979cbc3bd777cd6dd1f04f9ba257a0a7e24041e15ca40d0dd5c130380dce62280af67a0beb97f
+SHA512 (xz-5.6.2.tar.gz) = c32c32c95e3541b906e0284e66a953ace677e0ce6af2084e7b122600047bf7542c1b0fabb5909b19ff79fba6def530be674df1c675b22a47a8d57f3f0b736a82
+SHA512 (xz-5.6.2.tar.gz.sig) = f3d1055a2a6e96eec2fd5c0b733f2ab5e150bac9645f1fe9a7558ed6f34a241b4f57e17fd4504f311be26cf1e2b9b797f2e78b1b9d2db02e9cd0c1548cb6160b

xz-cve-2025-31115.patch

@@ -0,0 +1,334 @@
+# Fix CVE-2025-31115 in XZ Utils 5.3.3alpha to 5.8.0
+# This applies to all affected releases.
+# https://tukaani.org/xz/threaded-decoder-early-free.html
+
+From 831b55b971cf579ee16a854f177c36b20d3c6999 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Thu, 3 Apr 2025 14:34:42 +0300
+Subject: [PATCH 1/4] liblzma: mt dec: Fix a comment
+
+Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Thanks-to: Sam James <sam@gentoo.org>
+---
+ src/liblzma/common/stream_decoder_mt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c
+index 22c9375f..812b745d 100644
+--- a/src/liblzma/common/stream_decoder_mt.c
++++ b/src/liblzma/common/stream_decoder_mt.c
+@@ -347,7 +347,7 @@ worker_enable_partial_update(void *thr_ptr)
+ 
+ 
+ /// Things do to at THR_STOP or when finishing a Block.
+-/// This is called with thr->mutex locked.
++/// This is called with thr->coder->mutex locked.
+ static void
+ worker_stop(struct worker_thread *thr)
+ {
+-- 
+2.49.0
+
+
+From c0c835964dfaeb2513a3c0bdb642105152fe9f34 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Thu, 3 Apr 2025 14:34:42 +0300
+Subject: [PATCH 2/4] liblzma: mt dec: Simplify by removing the THR_STOP state
+
+The main thread can directly set THR_IDLE in threads_stop() which is
+called when errors are detected. threads_stop() won't return the stopped
+threads to the pool or free the memory pointed by thr->in anymore, but
+it doesn't matter because the existing workers won't be reused after
+an error. The resources will be cleaned up when threads_end() is
+called (reinitializing the decoder always calls threads_end()).
+
+Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Thanks-to: Sam James <sam@gentoo.org>
+---
+ src/liblzma/common/stream_decoder_mt.c | 75 ++++++++++----------------
+ 1 file changed, 29 insertions(+), 46 deletions(-)
+
+diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c
+index 812b745d..82962c64 100644
+--- a/src/liblzma/common/stream_decoder_mt.c
++++ b/src/liblzma/common/stream_decoder_mt.c
+@@ -23,15 +23,10 @@ typedef enum {
+ 	THR_IDLE,
+ 
+ 	/// Decoding is in progress.
+-	/// Main thread may change this to THR_STOP or THR_EXIT.
++	/// Main thread may change this to THR_IDLE or THR_EXIT.
+ 	/// The worker thread may change this to THR_IDLE.
+ 	THR_RUN,
+ 
+-	/// The main thread wants the thread to stop whatever it was doing
+-	/// but not exit. Main thread may change this to THR_EXIT.
+-	/// The worker thread may change this to THR_IDLE.
+-	THR_STOP,
+-
+ 	/// The main thread wants the thread to exit.
+ 	THR_EXIT,
+ 
+@@ -346,27 +341,6 @@ worker_enable_partial_update(void *thr_ptr)
+ }
+ 
+ 
+-/// Things do to at THR_STOP or when finishing a Block.
+-/// This is called with thr->coder->mutex locked.
+-static void
+-worker_stop(struct worker_thread *thr)
+-{
+-	// Update memory usage counters.
+-	thr->coder->mem_in_use -= thr->in_size;
+-	thr->in_size = 0; // thr->in was freed above.
+-
+-	thr->coder->mem_in_use -= thr->mem_filters;
+-	thr->coder->mem_cached += thr->mem_filters;
+-
+-	// Put this thread to the stack of free threads.
+-	thr->next = thr->coder->threads_free;
+-	thr->coder->threads_free = thr;
+-
+-	mythread_cond_signal(&thr->coder->cond);
+-	return;
+-}
+-
+-
+ static MYTHREAD_RET_TYPE
+ worker_decoder(void *thr_ptr)
+ {
+@@ -397,17 +371,6 @@ next_loop_unlocked:
+ 		return MYTHREAD_RET_VALUE;
+ 	}
+ 
+-	if (thr->state == THR_STOP) {
+-		thr->state = THR_IDLE;
+-		mythread_mutex_unlock(&thr->mutex);
+-
+-		mythread_sync(thr->coder->mutex) {
+-			worker_stop(thr);
+-		}
+-
+-		goto next_loop_lock;
+-	}
+-
+ 	assert(thr->state == THR_RUN);
+ 
+ 	// Update progress info for get_progress().
+@@ -510,7 +473,22 @@ next_loop_unlocked:
+ 				&& thr->coder->thread_error == LZMA_OK)
+ 			thr->coder->thread_error = ret;
+ 
+-		worker_stop(thr);
++		// Return the worker thread to the stack of available
++		// threads.
++		{
++			// Update memory usage counters.
++			thr->coder->mem_in_use -= thr->in_size;
++			thr->in_size = 0; // thr->in was freed above.
++
++			thr->coder->mem_in_use -= thr->mem_filters;
++			thr->coder->mem_cached += thr->mem_filters;
++
++			// Put this thread to the stack of free threads.
++			thr->next = thr->coder->threads_free;
++			thr->coder->threads_free = thr;
++		}
++
++		mythread_cond_signal(&thr->coder->cond);
+ 	}
+ 
+ 	goto next_loop_lock;
+@@ -544,17 +522,22 @@ threads_end(struct lzma_stream_coder *coder, const lzma_allocator *allocator)
+ }
+ 
+ 
++/// Tell worker threads to stop without doing any cleaning up.
++/// The clean up will be done when threads_exit() is called;
++/// it's not possible to reuse the threads after threads_stop().
++///
++/// This is called before returning an unrecoverable error code
++/// to the application. It would be waste of processor time
++/// to keep the threads running in such a situation.
+ static void
+ threads_stop(struct lzma_stream_coder *coder)
+ {
+ 	for (uint32_t i = 0; i < coder->threads_initialized; ++i) {
++		// The threads that are in the THR_RUN state will stop
++		// when they check the state the next time. There's no
++		// need to signal coder->threads[i].cond.
+ 		mythread_sync(coder->threads[i].mutex) {
+-			// The state must be changed conditionally because
+-			// THR_IDLE -> THR_STOP is not a valid state change.
+-			if (coder->threads[i].state != THR_IDLE) {
+-				coder->threads[i].state = THR_STOP;
+-				mythread_cond_signal(&coder->threads[i].cond);
+-			}
++			coder->threads[i].state = THR_IDLE;
+ 		}
+ 	}
+ 
+@@ -1941,7 +1924,7 @@ stream_decoder_mt_init(lzma_next_coder *next, const lzma_allocator *allocator,
+ 	// accounting from scratch, too. Changes in filter and block sizes may
+ 	// affect number of threads.
+ 	//
+-	// FIXME? Reusing should be easy but unlike the single-threaded
++	// Reusing threads doesn't seem worth it. Unlike the single-threaded
+ 	// decoder, with some types of input file combinations reusing
+ 	// could leave quite a lot of memory allocated but unused (first
+ 	// file could allocate a lot, the next files could use fewer
+-- 
+2.49.0
+
+
+From d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Thu, 3 Apr 2025 14:34:42 +0300
+Subject: [PATCH 3/4] liblzma: mt dec: Don't free the input buffer too early
+ (CVE-2025-31115)
+
+The input buffer must be valid as long as the main thread is writing
+to the worker-specific input buffer. Fix it by making the worker
+thread not free the buffer on errors and not return the worker thread to
+the pool. The input buffer will be freed when threads_end() is called.
+
+With invalid input, the bug could at least result in a crash. The
+effects include heap use after free and writing to an address based
+on the null pointer plus an offset.
+
+The bug has been there since the first committed version of the threaded
+decoder and thus affects versions from 5.3.3alpha to 5.8.0.
+
+As the commit message in 4cce3e27f529 says, I had made significant
+changes on top of Sebastian's patch. This bug was indeed introduced
+by my changes; it wasn't in Sebastian's version.
+
+Thanks to Harri K. Koskinen for discovering and reporting this issue.
+
+Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.")
+Reported-by: Harri K. Koskinen <x64nop@nannu.org>
+Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Thanks-to: Sam James <sam@gentoo.org>
+---
+ src/liblzma/common/stream_decoder_mt.c | 31 ++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c
+index 82962c64..98aabcff 100644
+--- a/src/liblzma/common/stream_decoder_mt.c
++++ b/src/liblzma/common/stream_decoder_mt.c
+@@ -435,8 +435,7 @@ next_loop_unlocked:
+ 	}
+ 
+ 	// Either we finished successfully (LZMA_STREAM_END) or an error
+-	// occurred. Both cases are handled almost identically. The error
+-	// case requires updating thr->coder->thread_error.
++	// occurred.
+ 	//
+ 	// The sizes are in the Block Header and the Block decoder
+ 	// checks that they match, thus we know these:
+@@ -444,16 +443,30 @@ next_loop_unlocked:
+ 	assert(ret != LZMA_STREAM_END
+ 		|| thr->out_pos == thr->block_options.uncompressed_size);
+ 
+-	// Free the input buffer. Don't update in_size as we need
+-	// it later to update thr->coder->mem_in_use.
+-	lzma_free(thr->in, thr->allocator);
+-	thr->in = NULL;
+-
+ 	mythread_sync(thr->mutex) {
++		// Block decoder ensures this, but do a sanity check anyway
++		// because thr->in_filled < thr->in_size means that the main
++		// thread is still writing to thr->in.
++		if (ret == LZMA_STREAM_END && thr->in_filled != thr->in_size) {
++			assert(0);
++			ret = LZMA_PROG_ERROR;
++		}
++
+ 		if (thr->state != THR_EXIT)
+ 			thr->state = THR_IDLE;
+ 	}
+ 
++	// Free the input buffer. Don't update in_size as we need
++	// it later to update thr->coder->mem_in_use.
++	//
++	// This step is skipped if an error occurred because the main thread
++	// might still be writing to thr->in. The memory will be freed after
++	// threads_end() sets thr->state = THR_EXIT.
++	if (ret == LZMA_STREAM_END) {
++		lzma_free(thr->in, thr->allocator);
++		thr->in = NULL;
++	}
++
+ 	mythread_sync(thr->coder->mutex) {
+ 		// Move our progress info to the main thread.
+ 		thr->coder->progress_in += thr->in_pos;
+@@ -474,8 +487,8 @@ next_loop_unlocked:
+ 			thr->coder->thread_error = ret;
+ 
+ 		// Return the worker thread to the stack of available
+-		// threads.
+-		{
++		// threads only if no errors occurred.
++		if (ret == LZMA_STREAM_END) {
+ 			// Update memory usage counters.
+ 			thr->coder->mem_in_use -= thr->in_size;
+ 			thr->in_size = 0; // thr->in was freed above.
+-- 
+2.49.0
+
+
+From 8188048854e8d11071b8a50d093c74f4c030acc9 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Thu, 3 Apr 2025 14:34:42 +0300
+Subject: [PATCH 4/4] liblzma: mt dec: Don't modify thr->in_size in the worker
+ thread
+
+Don't set thr->in_size = 0 when returning the thread to the stack of
+available threads. Not only is it useless, but the main thread may
+read the value in SEQ_BLOCK_THR_RUN. With valid inputs, it made
+no difference if the main thread saw the original value or 0. With
+invalid inputs (when worker thread stops early), thr->in_size was
+no longer modified after the previous commit with the security fix
+("Don't free the input buffer too early").
+
+So while the bug appears harmless now, it's important to fix it because
+the variable was being modified without proper locking. It's trivial
+to fix because there is no need to change the value. Only main thread
+needs to set the value in (in SEQ_BLOCK_THR_INIT) when starting a new
+Block before the worker thread is activated.
+
+Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.")
+Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Thanks-to: Sam James <sam@gentoo.org>
+---
+ src/liblzma/common/stream_decoder_mt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c
+index 98aabcff..1fa92220 100644
+--- a/src/liblzma/common/stream_decoder_mt.c
++++ b/src/liblzma/common/stream_decoder_mt.c
+@@ -491,8 +491,6 @@ next_loop_unlocked:
+ 		if (ret == LZMA_STREAM_END) {
+ 			// Update memory usage counters.
+ 			thr->coder->mem_in_use -= thr->in_size;
+-			thr->in_size = 0; // thr->in was freed above.
+-
+ 			thr->coder->mem_in_use -= thr->mem_filters;
+ 			thr->coder->mem_cached += thr->mem_filters;
+ 
+@@ -1554,6 +1552,10 @@ stream_decode_mt(void *coder_ptr, const lzma_allocator *allocator,
+ 		}
+ 
+ 		// Return if the input didn't contain the whole Block.
++		//
++		// NOTE: When we updated coder->thr->in_filled a few lines
++		// above, the worker thread might by now have finished its
++		// work and returned itself back to the stack of free threads.
+ 		if (coder->thr->in_filled < coder->thr->in_size) {
+ 			assert(*in_pos == in_size);
+ 			return LZMA_OK;
+-- 
+2.49.0
+

xz.spec

@@ -3,30 +3,43 @@
 
 Summary:	LZMA compression utilities
 Name:		xz
-Version:	5.2.4
-Release:	3%{?dist}
+# **PLEASE NOTE**: when bumping xz version, please rebuild
+# perl-Compress-Raw-Lzma, it has a strict xz version dep
+Epoch:		1
+Version:	5.6.2
+Release:	4%{?dist}
+
+# liblzma - 0BSD
+# xz{,dec}, lzma{dec,info} - 0BSD
+#    - getopt_long - LGPL-2.1-or-later - not built in Fedora
+# xz{grep,diff,less,more} - GPL-2.0-or-later
+# docs - BSD0 AND LicenseRef-Fedora-Public-Domain
+# man pages and translations - 0BSD AND LicenseRef-Fedora-Public-Domain
+# See: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/547
+License:	0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain
 
-# Scripts xz{grep,diff,less,more} and symlinks (copied from gzip) are
-# GPLv2+, binaries are Public Domain (linked against LGPL getopt_long but its
-# OK), documentation is Public Domain.
-License:	GPLv2+ and Public Domain
 # official upstream release
-Source0:	http://tukaani.org/%{name}/%{name}-%{version}.tar.xz
+Source0:	https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source1:	https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sig
+Source2:	https://tukaani.org/misc/lasse_collin_pubkey.txt
 
 Source100:	colorxzgrep.sh
 Source101:	colorxzgrep.csh
+Patch1: xz-cve-2025-31115.patch
 
-URL:		http://tukaani.org/%{name}/
-Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
+URL:		https://tukaani.org/%{name}/
+Requires:	%{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 
 # For /usr/libexec/grepconf.sh (RHBZ#1189120).
 # Unfortunately F21 has a newer version of grep which doesn't
 # have grepconf, but we're only concerned with F22 here.
 Requires:	grep >= 2.20-5
 
+BuildRequires:	make
 BuildRequires:	gcc
+BuildRequires:	gnupg2
 BuildRequires:	perl-interpreter
-
+BuildRequires:	autoconf automake libtool gettext-devel
 
 %description
 XZ Utils are an attempt to make LZMA compression easy to use on free (as in
@@ -41,7 +54,7 @@ decompression speed fast.
 
 %package 	libs
 Summary:	Libraries for decoding LZMA compression
-License:	Public Domain
+License:	0BSD
 Obsoletes:	%{name}-compat-libs < %{version}-%{release}
 
 %description 	libs
@@ -50,7 +63,7 @@ Libraries for decoding files compressed with LZMA or XZ utils.
 
 %package 	static
 Summary:	Statically linked library for decoding LZMA compression
-License:	Public Domain
+License:	0BSD
 
 %description 	static
 Statically linked library for decoding files compressed with LZMA or
@@ -59,8 +72,8 @@ XZ utils.  Most users should *not* install this.
 
 %package 	devel
 Summary:	Devel libraries & headers for liblzma
-License:	Public Domain
-Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
+License:	0BSD
+Requires:	%{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description	devel
 Devel libraries and headers for liblzma.
@@ -68,9 +81,9 @@ Devel libraries and headers for liblzma.
 
 %package 	lzma-compat
 Summary:	Older LZMA format compatibility binaries
-# Just a set of symlinks to 'xz' + two Public Domain binaries.
-License:	Public Domain
-Requires:	%{name}%{?_isa} = %{version}-%{release}
+# Just a set of symlinks to some files in the 'xz' package.
+License:	0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain
+Requires:	%{name}%{?_isa} = %{epoch}:%{version}-%{release}
 Obsoletes:	lzma < %{version}
 Provides:	lzma = %{version}
 
@@ -80,16 +93,14 @@ commands that deal with the older LZMA format.
 
 
 %prep
-%autosetup
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1
+autoreconf -fi
 
 
 %build
 export CFLAGS="%optflags"
 
-%ifarch %{power64}
-  CFLAGS="$CFLAGS -O3"
-%endif
-
 %ifarch %ix86
   # rhbz#1630650, annocheck reports the following message because liblzma uses
   # crc*_x86.S asm code on i686:
@@ -122,21 +133,27 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 
 
 %files -f %{name}.lang
-%license %{_pkgdocdir}/COPYING*
+%license COPYING*
 %doc %{_pkgdocdir}
 %exclude %_pkgdocdir/examples*
 %{_bindir}/*xz*
 %{_mandir}/man1/*xz*
+%lang(de) %{_mandir}/de/man1/*xz*
+%lang(fr) %{_mandir}/fr/man1/*xz*
+%lang(ko) %{_mandir}/ko/man1/*xz*
+%lang(ro) %{_mandir}/ro/man1/*xz*
+%lang(uk) %{_mandir}/uk/man1/*xz*
+%lang(pt_BR) %{_mandir}/pt_BR/man1/*xz*
 %{profiledir}/*
 
 
 %files libs
-%license %{_pkgdocdir}/COPYING
+%license COPYING
 %{_libdir}/lib*.so.5*
 
 
 %files static
-%license %{_pkgdocdir}/COPYING
+%license COPYING
 %{_libdir}/liblzma.a
 
 
@@ -152,12 +169,130 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %files lzma-compat
 %{_bindir}/*lz*
 %{_mandir}/man1/*lz*
+%lang(de) %{_mandir}/de/man1/*lz*
+%lang(fr) %{_mandir}/fr/man1/*lz*
+%lang(ko) %{_mandir}/ko/man1/*lz*
+%lang(ro) %{_mandir}/ro/man1/*lz*
+%lang(uk) %{_mandir}/uk/man1/*lz*
+%lang(pt_BR) %{_mandir}/pt_BR/man1/*lz*
 
 
 %changelog
-* Thu Nov 22 2018 Pavel Raiskup <praiskup@redhat.com> - 5.2.4-3
+* Tue May 13 2025 Jakub Martisko <jamartis@redhat.com> - 1:5.6.2-4
+- Fix: heap-use-after-free bug in threaded .xz decoder (CVE-2025-31115)
+- Resolves: RHEL-86029
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:5.6.2-3
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Thu Aug 01 2024 Lukáš Zaoral <lzaoral@redhat.com> - 1:5.6.2-2
+- finish SPDX license conversion (RHEL-46960)
+
+* Tue Jul 16 2024 Jindrich Novy <jnovy@redhat.com>
+- Update to https://github.com/tukaani-project/xz/releases/tag/v5.6.2
+- Resolves: RHEL-43733
+
+* Wed Jul 10 2024 Filip Janus <fjanus@redhat.com> - 5.4.6-3
+- Build package with correct SPDX licence
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 5.4.6-2
+- Bump release for June 2024 mass rebuild
+
+* Mon Jan 29 2024 Richard W.M. Jones <rjones@redhat.com> - 5.4.6-1
+- New version 5.4.6 (RHBZ#2260521)
+- Fix Source URLs.
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Nov 01 2023 Richard W.M. Jones <rjones@redhat.com> - 5.4.5-1
+- New version 5.4.5 (RHBZ#2247487)
+
+* Thu Oct 19 2023 Debarshi Ray <rishi@fedoraproject.org> - 5.4.4-2
+- Mark translations of manuals with %%lang()
+
+* Wed Aug 02 2023 Richard W.M. Jones <rjones@redhat.com> - 5.4.4-1
+- New version 5.4.4 (RHBZ#2228542)
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu May 04 2023 Richard W.M. Jones <rjones@redhat.com> - 5.4.3-1
+- Rebase to version 5.4.3 (RHBZ#2179570)
+- Update the pubkey which appears to have changed.
+
+* Mon Apr 17 2023 Matej Mužila <mmuzila@redhat.com> - 5.4.2-1
+- Rebase to version 5.4.2 (#2179570)
+
+* Mon Jan 23 2023 Richard W.M. Jones <rjones@redhat.com> - 5.4.1-1
+- Rebase to version 5.4.1 (#2142405)
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Dec 01 2022 Richard W.M. Jones <rjones@redhat.com> - 5.2.9-1
+- Rebase to version 5.2.9 (#2142405)
+
+* Tue Nov 22 2022 Matej Mužila <mmuzila@redhat.com> - 5.2.8-1
+- Rebase to version 5.2.8 (#2142405)
+
+* Tue Aug 30 2022 Matej Mužila <mmuzila@redhat.com> - 5.2.7-1
+- Rebase to version 5.2.7 (#2131313)
+
+* Tue Aug 30 2022 Matej Mužila <mmuzila@redhat.com> - 5.2.6-1
+- Rebase to version 5.2.6 (#2117931)
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.5-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Apr 16 2022 Todd Zullinger <tmz@pobox.com> - 5.2.5-9
+- verify upstream GPG signature
+- xzgrep: arbitrary-file-write vulnerability (#2073310, CVE-2022-1271)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.5-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Feb 12 2021 Michal Schorm <mschorm@redhat.com> - 5.2.5-6
+- Remove the ancient PPC64 hack
+
+* Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jan 04 2021 Ondrej Dubaj <odubaj@redhat.com> - 5.2.5-4
+- Enabled CET for i686 (#1910368)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun  8 2020 Richard W.M. Jones <rjones@redhat.com> - 5.2.5-2
+- Fix location of German man pages (RHBZ#1844813).
+
+* Mon Mar 30 2020 Ondrej Dubaj <odubaj@redhat.com> - 5.2.5-1
+- Rebase to version 5.2.5 (#1818418)
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Aug 21 2019 Petr Kubat <pkubat@redhat.com> - 5.2.4-7
+- Use relative path for COPYING files so that rpm moves them to correct place
+  Related: rhbz#1741074
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Nov 22 2018 Pavel Raiskup <praiskup@redhat.com> - 5.2.4-4
 - fix annocheck failures on i686 (rhbz#1630650)
 
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Wed May 09 2018 Pavel Raiskup <praiskup@redhat.com> - 5.2.4-2
 - drop ppc64p7 hack, per fedora devel list discussion:
   https://lists.fedoraproject.org/archives/list/
@@ -178,6 +313,7 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 - Cleanup spec
 
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.3-4
+
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.3-3