public inbox for development@lists.ipfire.org
* [PATCH] xz: Update to version 5.8.1
@ 2025-04-08 21:37 Adolf Belka
  2025-04-10 10:18 ` Michael Tremer
  0 siblings, 1 reply; 2+ messages in thread
From: Adolf Belka @ 2025-04-08 21:37 UTC
  To: development; +Cc: Adolf Belka

- Update from version 5.8.0 to 5.8.1
- Update of rootfile
- Changelog
    5.8.1
	    IMPORTANT: This includes a security fix for CVE-2025-31115 which
	    affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x
	    releases will be made, but the fix is in the v5.4 and v5.6 branches
	    in the xz Git repository. A standalone patch for all affected
	    versions is available as well.
	    * Multithreaded .xz decoder (lzma_stream_decoder_mt()):
	        - Fix a bug that could at least result in a crash with
	          invalid input. (CVE-2025-31115)
	        - Fix a performance bug: Only one thread was used if the whole
	          input file was provided at once to lzma_code(), the output
	          buffer was big enough, timeout was disabled, and LZMA_FINISH
	          was used. There are no bug reports about this, thus it's
	          possible that no real-world application was affected.
	    * Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
	      build with Oracle Developer Studio 12.6 on Solaris 10 when the
	      compiler is in C11 mode (the header doesn't exist).
	    * Autotools: Restore compatibility with GNU make versions older
	      than 4.0 by creating the package using GNU gettext 0.23.1
	      infrastructure instead of 0.24.
	    * Update Croatian translation.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/xz | 2 +-
 lfs/xz                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
index 3873744c8..f836d4578 100644
--- a/config/rootfiles/common/xz
+++ b/config/rootfiles/common/xz
@@ -41,7 +41,7 @@ usr/bin/xzmore
 #usr/lib/liblzma.la
 #usr/lib/liblzma.so
 usr/lib/liblzma.so.5
-usr/lib/liblzma.so.5.8.0
+usr/lib/liblzma.so.5.8.1
 #usr/lib/pkgconfig/liblzma.pc
 #usr/share/doc/xz
 #usr/share/doc/xz/AUTHORS
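
Review bot: At `usr/lib/liblzma.so.5.8.1`, only the versioned library path changes while the `usr/lib/liblzma.so.5` entry stays, so the CVE-2025-31115 fix reaches dynamically linked users of liblzma only once they load the new file. Suggest the commit message say whether the update that ships this needs a reboot or service restarts, and confirm the rootfile was regenerated from a build rather than edited by hand, so that any other file changes in 5.8.1 are not missed.
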
diff --git a/lfs/xz b/lfs/xz
index 511848c1d..1ee1faa52 100644
--- a/lfs/xz
+++ b/lfs/xz
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.8.0
+VER        = 5.8.1
 
 THISAPP    = xz-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 5087c88884a857b96bc5658548fc9b07ab2f14fe9eabfaeaa19e21810e7588c97621db08353632bd56e66ae2085ec5adc421c4d6849525b630d56dadd65c9f81
+$(DL_FILE)_BLAKE2 = f11be3971e181bb49b6a92d3cc07ebb1c6b5fb53bc5d079e0952eed94f069656cffb37a2e2e8f068a5f119c6ef5ee565b3ac9978a5afa24a40d49607d492d176
 
 install : $(TARGET)
 
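
Review bot: The new `$(DL_FILE)_BLAKE2` value is the only check on the xz-5.8.1 tarball in this hunk, and the commit message does not say how it was obtained. Suggest stating that the tarball was checked against the upstream release signature before the digest was computed, because a digest taken from the downloaded file only pins that download and does not show that it is the upstream release.
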
-- 
2.49.0




* Re: [PATCH] xz: Update to version 5.8.1
  2025-04-08 21:37 [PATCH] xz: Update to version 5.8.1 Adolf Belka
@ 2025-04-10 10:18 ` Michael Tremer
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Tremer @ 2025-04-10 10:18 UTC
  To: Adolf Belka; +Cc: development

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

This was obviously too late for c193, but I strongly suggest shipping this in c194.

Best,
-Michael

> On 8 Apr 2025, at 22:37, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> - Update from version 5.8.0 to 5.8.1
> - Update of rootfile
> - Changelog
>    5.8.1
>    IMPORTANT: This includes a security fix for CVE-2025-31115 which
>    affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x
>    releases will be made, but the fix is in the v5.4 and v5.6 branches
>    in the xz Git repository. A standalone patch for all affected
>    versions is available as well.
>    * Multithreaded .xz decoder (lzma_stream_decoder_mt()):
>        - Fix a bug that could at least result in a crash with
>          invalid input. (CVE-2025-31115)
>        - Fix a performance bug: Only one thread was used if the whole
>          input file was provided at once to lzma_code(), the output
>          buffer was big enough, timeout was disabled, and LZMA_FINISH
>          was used. There are no bug reports about this, thus it's
>          possible that no real-world application was affected.
>    * Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
>      build with Oracle Developer Studio 12.6 on Solaris 10 when the
>      compiler is in C11 mode (the header doesn't exist).
>    * Autotools: Restore compatibility with GNU make versions older
>      than 4.0 by creating the package using GNU gettext 0.23.1
>      infrastructure instead of 0.24.
>    * Update Croatian translation.
> 
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/rootfiles/common/xz | 2 +-
> lfs/xz                     | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
> index 3873744c8..f836d4578 100644
> --- a/config/rootfiles/common/xz
> +++ b/config/rootfiles/common/xz
> @@ -41,7 +41,7 @@ usr/bin/xzmore
> #usr/lib/liblzma.la
> #usr/lib/liblzma.so
> usr/lib/liblzma.so.5
> -usr/lib/liblzma.so.5.8.0
> +usr/lib/liblzma.so.5.8.1
> #usr/lib/pkgconfig/liblzma.pc
> #usr/share/doc/xz
> #usr/share/doc/xz/AUTHORS
> diff --git a/lfs/xz b/lfs/xz
> index 511848c1d..1ee1faa52 100644
> --- a/lfs/xz
> +++ b/lfs/xz
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 5.8.0
> +VER        = 5.8.1
> 
> THISAPP    = xz-$(VER)
> DL_FILE    = $(THISAPP).tar.xz
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_BLAKE2 = 5087c88884a857b96bc5658548fc9b07ab2f14fe9eabfaeaa19e21810e7588c97621db08353632bd56e66ae2085ec5adc421c4d6849525b630d56dadd65c9f81
> +$(DL_FILE)_BLAKE2 = f11be3971e181bb49b6a92d3cc07ebb1c6b5fb53bc5d079e0952eed94f069656cffb37a2e2e8f068a5f119c6ef5ee565b3ac9978a5afa24a40d49607d492d176
> 
> install : $(TARGET)
> 
> -- 
> 2.49.0
> 
> 


