diff --git a/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch b/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
deleted file mode 100644
index 11a241ddb136dae532ab15acd59703f92be1fd5c..0000000000000000000000000000000000000000
--- a/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 68bda971bb8b666a009331455fcedb4e18d837a4 Mon Sep 17 00:00:00 2001
-From: Jia Tan
-Date: Mon, 28 Aug 2023 21:31:25 +0800
-Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
- lzma_index_append().
-
-This was not a security bug since there was no path to overflow
-UINT64_MAX in lzma_index_append() or when it calls index_file_size().
-The bug was discovered by a failing assert() in vli_ceil4() when called
-from index_file_size() when unpadded_sum (the sum of the compressed size
-of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
-
-Previously, the unpadded_size parameter was checked to be not greater
-than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
-added.
-
-This could not have caused an integer overflow in index_file_size() when
-called by lzma_index_append(). The calculation for file_size breaks down
-into the sum of:
-
-- Compressed base from all previous Streams
-- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
- footer)
-- stream_padding (can be set by lzma_index_stream_padding())
-- Compressed base from the current Stream
-- Unpadded size (parameter to lzma_index_append())
-
-The sum of everything except for Unpadded size must be less than
-LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
-that can set these values including lzma_index_stream_padding(),
-lzma_index_append(), and lzma_index_cat(). The maximum value for
-Unpadded size is enforced by lzma_index_append() to be less than or
-equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
-LZMA_VLI_MAX is half of UINT64_MAX.
-
-Thanks to Joona Kannisto for reporting this.
----
- src/liblzma/common/index.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
-index 97cc9f95..8a35f439 100644
---- a/src/liblzma/common/index.c
-+++ b/src/liblzma/common/index.c
-@@ -661,6 +661,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
- if (uncompressed_base + uncompressed_size > LZMA_VLI_MAX)
- return LZMA_DATA_ERROR;
-
-+ // Check that the new unpadded sum will not overflow. This is
-+ // checked again in index_file_size(), but the unpadded sum is
-+ // passed to vli_ceil4() which expects a valid lzma_vli value.
-+ if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
-+ return LZMA_DATA_ERROR;
-+
- // Check that the file size will stay within limits.
- if (index_file_size(s->node.compressed_base,
- compressed_base + unpadded_size, s->record_count + 1,
---
-2.23.0
-
diff --git a/xz-5.4.4.tar.xz b/xz-5.4.4.tar.xz
deleted file mode 100644
index 42e46951dc2474b217a8e800005bc4368682ec87..0000000000000000000000000000000000000000
Binary files a/xz-5.4.4.tar.xz and /dev/null differ
diff --git a/xz-5.4.7.tar.xz b/xz-5.4.7.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..6e7700ddd0d7a57e53af3ac9d455d7a830f61677
Binary files /dev/null and b/xz-5.4.7.tar.xz differ
diff --git a/xz-5213-547-562-libtool.patch b/xz-5213-547-562-libtool.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3073645f07462a5e09bf68cf74d2488b9a4955fd
--- /dev/null
+++ b/xz-5213-547-562-libtool.patch
@@ -0,0 +1,37 @@
+# Fix shared library building in XZ Utils 5.2.13, 5.4.7, and 5.6.2
+#
+# The releases were made with a development version of GNU Libtool
+# (2.5.0+1+g38c166c8). The benefit is that there tend to be fixes that
+# aren't in a stable release yet. At the same time there is a higher
+# risk of new bugs. Unfortunately there was a bug that breaks building
+# of shared libraries on some systems like mips64.
+#
+# This patch was made by taking the upstream commit to m4/libtool.m4
+# and then running "autoconf" to update the generated "configure".
+# This patch only modifies "configure" so that the changed timestamps
+# won't cause the build system to regenerate more files, which would
+# only work if one has all Autotools packages installed.
+#
+# https://git.savannah.gnu.org/cgit/libtool.git/commit/?id=9a4a02615c9e7cbcfd690ed31874822a7d6aaea2
+# https://lore.kernel.org/distributions/3299713.44csPzL39Z@pinacolada/
+
+diff -rup xz-5.6.2.orig/configure xz-5.6.2/configure
+--- xz-5.6.2.orig/configure
++++ xz-5.6.2/configure
+@@ -9475,7 +9475,7 @@ do
+ esac
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+- ac_cv_prog_FILECMD=":"
++ ac_cv_prog_FILECMD="file"
+ printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+@@ -9483,6 +9483,7 @@ done
+ done
+ IFS=$as_save_IFS
+
++ test -z "$ac_cv_prog_FILECMD" && ac_cv_prog_FILECMD=":"
+ fi ;;
+ esac
+ fi
diff --git a/xz.spec b/xz.spec
index 388216384527c36af56b87caafdea2398f478bcf..4d80b21addf9c4448d358880244828bd13ef0a19 100644
--- a/xz.spec
+++ b/xz.spec
@@ -1,13 +1,16 @@ Name: xz -Version: 5.4.4 -Release: 2 +Version: 5.4.7 +Release: 1 Summary: A free general-purpose data compreession software with LZMA2 algorithm License: GPL-3.0-only URL: http://tukaani.org/xz Source0: http://tukaani.org/%{name}/%{name}-%{version}.tar.xz Source1: colorxzgrep.sh Source2: colorxzgrep.csh -Patch0: backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch + +# https://github.com/tukaani-project/xz/releases/tag/v5.4.7 +# https://github.com/tukaani-project/xz/releases/download/v5.4.7/xz-5213-547-562-libtool.patch +Patch0: xz-5213-547-562-libtool.patch BuildRequires: perl-interpreter gcc @@ -47,12 +50,7 @@ Obsoletes: %{name}-compat-libs < %{version}-%{release} %description libs Libraries for decoding files compressed with LZMA or XZ utils. -%package help -Summary: Help documentation related to xz -BuildArch: noarch - -%description help -This package includes help documentation and manuals related to xz. +%package_help %prep %autosetup -n %{name}-%{version} -p1 @@ -65,6 +63,7 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool %install %make_install +%delete_la # config color alias for xz*grep %global profiledir %{_sysconfdir}/profile.d @@ -75,17 +74,14 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{profiledir} %find_lang %name %check -LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check +LD_LIBRARY_PATH=$PWD/src/liblzma/.libs %make_build check %files -f %{name}.lang -%defattr(-,root,root) %doc %{_pkgdocdir} -%license %{_pkgdocdir}/COPYING* +%license COPYING* %{_bindir}/*xz* %{profiledir}/* - %exclude %_pkgdocdir/examples* -%exclude %{_libdir}/*.la %files libs %{_libdir}/lib*.so.5* 
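Review bot: Nothing in the visible spec lines checks the new `xz-5.4.7.tar.xz` before `%autosetup` unpacks it, and the unchanged `Source0:` and `URL:` lines in the first hunk still point at plain `http://tukaani.org`, so the tarball this commit swaps in as a binary blob has no verifiable origin recorded. The added comments already reference the GitHub release, so Source0 could follow them: `Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.xz`. If upstream's detached signature for the release is available, I would also carry it and the signing key as extra `Source` entries and verify the tarball at the top of `%prep`, ahead of `%autosetup`. The downloaded `xz-5213-547-562-libtool.patch` deserves the same treatment, since `Patch0:` lists it by file name only. Parts of the preamble and `%prep` lie outside these hunks, so an existing check there cannot be ruled out.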
@@ -104,17 +100,18 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %{_libdir}/*.so %files help -%{_mandir}/man1/*lz* -%{_mandir}/man1/*xz* -%{_mandir}/de/man1/*lz* -%{_mandir}/de/man1/*xz* -%{_mandir}/fr/man1/* -%{_mandir}/ko/man1/* -%{_mandir}/ro/man1/* -%{_mandir}/uk/man1/* -%{_mandir}/pt_BR/man1/* +%{_mandir}/man1/* +%lang(de) %{_mandir}/de/man1/* +%lang(fr) %{_mandir}/fr/man1/* +%lang(ko) %{_mandir}/ko/man1/* +%lang(ro) %{_mandir}/ro/man1/* +%lang(uk) %{_mandir}/uk/man1/* +%lang(pt_BR) %{_mandir}/pt_BR/man1/* %changelog +* Thu Aug 01 2024 Funda Wang - 5.4.7-1 +- Update to 5.4.7 + * Tue Apr 30 2024 kouwenqi - 5.4.4-2 - liblzma: Add overflow check for Unpadded size in lzma_index_append