xz: Update to version 5.6.3

Message ID 20241128114907.3386894-7-adolf.belka@ipfire.org
State New
Series xz: Update to version 5.6.3

Commit Message

Adolf Belka Nov. 28, 2024, 11:49 a.m. UTC
- Update from version 5.4.5 to 5.6.3
- Update of rootfile
- This update is now done only by the xz originator Lasse Collin (Larhzu). A new GitHub
   repo was created by Lasse for xz and this does not contain the malicious versions
   5.6.0 & 5.6.1: https://github.com/tukaani-project/xz/releases
- Version 5.6.3 is being used by Arch Linux and Ubuntu plucky
- Changelog
    5.6.3
	    IMPORTANT: This includes a Windows-specific security fix to
	    the command line tools. liblzma isn't affected by this issue.
	    * liblzma:
	        - Fix x86-64 inline assembly compatibility with GNU Binutils
	          older than 2.27.
	        - Fix the build with GCC 4.2 on OpenBSD/sparc64.
	    * xzdec: Display an error instead of failing silently if the
	      unsupported option -M is specified.
	    * lzmainfo: Fix integer overflows when rounding the dictionary and
	      uncompressed sizes to the nearest mebibyte.
	    * Windows (except Cygwin and MSYS2): Add an application manifest to
	      xz, xzdec, lzmadec, and lzmainfo executables:
	        - Declare them compatible with Vista/7/8/8.1/10/11. This way
	          the programs won't needlessly use Operating System Context
	          of Vista when running on later Windows versions. This setting
	          doesn't mean that the executables cannot run on even older
	          versions if otherwise built that way.
	        - Declare them as UAC-compliant. MSVC added this by default
	          already but it wasn't done with MinGW-w64, at least not
	          with all toolchain variants.
	        - Declare them long path aware. This makes long path names
	          work on Windows 10 and 11 if the feature has been enabled
	          in the Windows registry.
	        - Use the UTF-8 code page on Windows 10 version 1903 and later.
	            * Now command line tools can access files whose names
	              contain characters that don't exist in the current
	              legacy code page.
	            * The options --files and --files0 now expect file lists
	              to be in UTF-8 instead of the legacy code page.
	            * This fixes a security issue: If a command line contains
	              Unicode characters (for example, filenames) that don't
	              exist in the current legacy code page, the characters are
	              converted to similar-looking characters with best-fit
	              mapping. Some best-fit mappings result in ASCII
	              characters that change the meaning of the command line,
	              which can be exploited with malicious filenames to do
	              argument injection or directory traversal attacks.
	              UTF-8 avoids best-fit mappings and thus fixes the issue.
	              Forcing the process code page to UTF-8 is possible only
	              on Windows 10 version 1903 and later. The command line
	              tools remain vulnerable if used on an older version
	              of Windows.
	              This issue was discovered by Orange Tsai and splitline
	              from DEVCORE Research Team.
	              A related smaller issue remains: Windows filenames may
	              contain unpaired surrogates (invalid UTF-16). These are
	              converted to the replacement character U+FFFD in the
	              UTF-8 code page. Thus, filenames with different unpaired
	              surrogates appear identical and aren't distinguishable
	              from filenames that contain the actual replacement
	              character U+FFFD.
	            * When building with MinGW-w64, it is recommended to use
	              UCRT version instead of the old MSVCRT. For example,
	              non-ASCII characters from filenames won't print
	              correctly in messages to console with MSVCRT with
	              the UTF-8 code page (a cosmetic issue). liblzma-only
	              builds are still fine with MSVCRT.
	        - Cygwin and MSYS2 process command line options differently and
	          the above issues don't exist. There is no need to replace the
	          default application manifest on Cygwin and MSYS2.
	    * Autotools-based build:
	        - Fix feature checks with link-time optimization (-flto).
	        - Solaris: Fix a compatibility issue in version.sh. It matters
	          if one wants to regenerate configure by running autoconf.
	    * CMake:
	        - Use paths relative to ${prefix} in liblzma.pc when possible.
	          This is done only with CMake >= 3.20.
	        - MSVC: Install liblzma.pc as it can be useful with MSVC too.
	        - Windows: Fix liblzma filename prefix, for example:
	            * Cygwin: The DLL was incorrectly named liblzma-5.dll.
	              Now it is cyglzma-5.dll.
	            * MSVC: Rename import library from liblzma.lib to lzma.lib
	              while keeping liblzma.dll name as is. This helps with
	              "pkgconf --msvc-syntax --libs liblzma" because it mungles
	              "-llzma" in liblzma.pc to "lzma.lib".
	            * MinGW-w64: No changes.
	        - Windows: Use the correct resource file for lzmadec.exe.
	          Previously the resource file for xzdec.exe was used for both.
	          Autotools-based build isn't affected.
	        - Prefer a C11 compiler over a C99 compiler but accept both.
	        - Link Threads::Threads against liblzma using PRIVATE so that
	          -pthread and such flags won't unnecessarily get included in
	          the usage requirements of shared liblzma. That is,
	          target_link_libraries(foo PRIVATE liblzma::liblzma) no
	          longer adds -pthread if using POSIX threads and linking
	          against shared liblzma. The threading flags are still added
	          if linking against static liblzma.
	    * Updated translations: Catalan, Chinese (simplified), and
	      Brazilian Portuguese.
    5.6.2
	    * Remove the backdoor (CVE-2024-3094).
	    * Not changed: Memory sanitizer (MSAN) has a false positive
	      in the CRC CLMUL code which also makes OSS Fuzz unhappy.
	      Valgrind is smarter and doesn't complain.
	      A revision to the CLMUL code is coming anyway and this issue
	      will be cleaned up as part of it. It won't be backported to
	      5.6.x or 5.4.x because the old code isn't wrong. There is
	      no reason to risk introducing regressions in old branches
	      just to silence a false positive.
	    * liblzma:
	        - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
	          a missing output pointer initialization (*i = NULL) if the
	          functions are called with invalid arguments. The API docs
	          say that such an initialization is always done. In practice
	          this matters very little because the problem can only occur
	          if the calling application has a bug and these functions
	          return LZMA_PROG_ERROR.
	        - lzma_str_to_filters(): Fix a missing output pointer
	          initialization (*error_pos = 0). This is very similar
	          to the fix above.
	        - Fix C standard conformance with function pointer types.
	        - Remove GNU indirect function (IFUNC) support. This is *NOT*
	          done for security reasons even though the backdoor relied on
	          this code. The performance benefits of IFUNC are too tiny in
	          this project to make the extra complexity worth it.
	        - FreeBSD on ARM64: Add error checking to CRC32 instruction
	          support detection.
	        - Fix building with NVIDIA HPC SDK.
	    * xz:
	        - Fix a C standard conformance issue in --block-list parsing
	          (arithmetic on a null pointer).
	        - Fix a warning from GNU groff when processing the man page:
	          "warning: cannot select font 'CW'"
	    * xzdec: Add support for Linux Landlock ABI version 4. xz already
	      had the v3-to-v4 change but it had been forgotten from xzdec.
	    * Autotools-based build system (configure):
	        - Symbol versioning variant can now be overridden with
	          --enable-symbol-versions. Documentation in INSTALL was
	          updated to match.
	        - Add new configure option --enable-doxygen to enable
	          generation and installation of the liblzma API documentation
	          using Doxygen. Documentation in INSTALL and PACKAGERS was
	          updated to match.
	    * CMake:
	        - Fix detection of Linux Landlock support. The detection code
	          in CMakeLists.txt had been sabotaged.
	        - Disable symbol versioning on non-glibc Linux to match what
	          the Autotools build does. For example, symbol versioning
	          isn't enabled with musl.
	        - Symbol versioning variant can now be overridden by setting
	          SYMBOL_VERSIONING to "OFF", "generic", or "linux".
	        - Add support for all tests in typical build configurations.
	          Now the only difference in test coverage compared to Autotools
	          is that CMake-based build will skip more tests if features
	          are disabled. Such builds are only for special cases like
	          embedded systems.
	        - Separate the CMake code for the tests into tests/tests.cmake.
	          It is used conditionally, thus it is possible to
	              rm -rf tests
	          and the CMake-based build will still work normally except
	          that no tests are then available.
	        - Add an option ENABLE_DOXYGEN to enable generation and
	          installation of the liblzma API documentation using Doxygen.
	    * Documentation:
	        - Omit the Doxygen-generated liblzma API documentation from the
	          package. Instead, the generation and installation of the API
	          docs can be enabled with a configure or CMake option if
	          Doxygen is available.
	        - Remove the XZ logo which was used in the API documentation.
	          The logo has been retired and isn't used by the project
	          anymore. However, it's OK to use it in contexts that refer
	          to the backdoor incident.
	        - Remove the PDF versions of the man pages from the source
	          package. These existed primarily for users of operating
	          systems which don't come with tools to render man page
	          source files. The plain text versions are still included
	          in doc/man/txt. PDF files can still be generated to doc/man,
	          if the required tools are available, using "make pdf" after
	          running "configure".
	        - Update home page URLs back to their old locations on
	          tukaani.org.
	        - Update maintainer info.
	    * Tests:
	        - In tests/files/README, explain how to recreate the ARM64
	          test files.
	        - Remove two tests that used tiny x86 and SPARC object files
	          as the input files. The matching .c file was included but
	          the object files aren't easy to reproduce. The test cases
	          weren't great anyway; they were from the early days (2009)
	          of the project when the test suite had very few tests.
	        - Improve a few tests.
    5.4.7
	    * Not changed: Memory sanitizer (MSAN) has a false positive
	      in the CRC CLMUL code which also makes OSS Fuzz unhappy.
	      Valgrind is smarter and doesn't complain.
	      A revision to the CLMUL code is coming anyway and this issue
	      will be cleaned up as part of it. It won't be backported to
	      5.6.x or 5.4.x because the old code isn't wrong. There is
	      no reason to risk introducing regressions in old branches
	      just to silence a false positive.
	    * liblzma:
	        - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
	          a missing output pointer initialization (*i = NULL) if the
	          functions are called with invalid arguments. The API docs
	          say that such an initialization is always done. In practice
	          this matters very little because the problem can only occur
	          if the calling application has a bug and these functions
	          return LZMA_PROG_ERROR.
	        - lzma_str_to_filters(): Fix a missing output pointer
	          initialization (*error_pos = 0). This is very similar
	          to the fix above.
	        - Fix C standard conformance with function pointer types.
	          This newly showed up with Clang 17 with -fsanitize=undefined.
	          There are no bug reports about this.
	        - Fix building with NVIDIA HPC SDK.
	    * xz:
	        - Fix a C standard conformance issue in --block-list parsing
	          (arithmetic on a null pointer).
	        - Fix a warning from GNU groff when processing the man page:
	          "warning: cannot select font 'CW'"
	        - Fix outdated threading related information on the man page.
	    * xzless:
	        - With "less" version 451 and later, use "||-" instead of "|-"
	          in the environment variable LESSOPEN. This way compressed
	          files that contain no uncompressed data are shown correctly
	          as empty.
	        - With "less" version 632 and later, use --show-preproc-errors
	          to make "less" show a warning on decompression errors.
	    * Autotools-based build system (configure):
	        - Symbol versioning variant can now be overridden with
	          --enable-symbol-versions. Documentation in INSTALL was
	          updated to match.
	    * CMake:
	        - Linux on MicroBlaze is handled specially now. This matches
	          the changes made to the Autotools-based build in XZ Utils
	          5.4.2 and 5.2.11.
	        - Disable symbol versioning on non-glibc Linux to match what
	          the Autotools build does. For example, symbol versioning
	          isn't enabled with musl.
	        - Symbol versioning variant can now be overridden by setting
	          SYMBOL_VERSIONING to "OFF", "generic", or "linux".
	    * Documentation:
	        - Clarify the description of --disable-assembler in INSTALL.
	          The option only affects 32-bit x86 assembly usage.
	        - Add doc/examples/11_file_info.c. It was added to the
	          Git repository in 2017 but forgotten to be added into
	          distribution tarballs.
	        - Don't install the TODO file as part of the documentation.
	          The file is out of date.
	        - Update home page URLs back to their old locations on
	          tukaani.org.
	        - Update maintainer info.
    5.4.6
	    * Fixed a bug involving internal function pointers in liblzma not
	      being initialized to NULL. The bug can only be triggered if
	      lzma_filters_update() is called on a LZMA1 encoder, so it does
	      not affect xz or any application known to us that uses liblzma.
	    * xz:
	        - Fixed a regression introduced in 5.4.2 that caused encoding
	          in the raw format to unnecessarily fail if --suffix was not
	          used. For instance, the following command no longer reports
	          that --suffix must be used:
	              echo foo | xz --format=raw --lzma2 | wc -c
	        - Fixed an issue on MinGW-w64 builds that prevented reading
	          from or writing to non-terminal character devices like NUL.
	    * Added a new test.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/xz | 101 ++++---------------------------------
 lfs/xz                     |   4 +-
 2 files changed, 11 insertions(+), 94 deletions(-)
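The application manifest that the 5.6.3 notes above describe (compatibility with Vista through 11, the UAC declaration, long-path awareness and the UTF-8 active code page that closes the best-fit-mapping argument injection) looks like the following. This is an added illustration written for this page from Microsoft's documented manifest schema, not the manifest shipped in the xz source tree; the `supportedOS` GUIDs are Microsoft's published identifiers for each Windows version, and `asInvoker` is assumed as the execution level because a command line tool needs no elevation.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example manifest for a Win32 console tool; not xz's own file. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

  <!-- UAC declaration: run with the caller's token, never request elevation. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>

  <!-- Supported OS list: without this the loader applies the Vista
       operating system context even on newer Windows releases. -->
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows Vista -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 7 -->
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8 -->
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 8.1 -->
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> <!-- Windows 10 and 11 -->
    </application>
  </compatibility>

  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
      <!-- Paths longer than MAX_PATH work if the registry policy is enabled. -->
      <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
      <!-- Force the process code page to UTF-8 so command line arguments and
           file names are never run through best-fit mapping to a legacy
           code page. Honoured only on Windows 10 version 1903 and later;
           older versions ignore it and stay on the legacy code page. -->
      <activeCodePage xmlns="http://schemas.microsoft.com/SMI/2019/WindowsSettings">UTF-8</activeCodePage>
    </windowsSettings>
  </application>
</assembly>
```

To take effect the manifest has to be embedded in the executable rather than shipped next to it: a resource script line of the form `1 24 "tool.manifest"` (resource type 24 is RT_MANIFEST, id 1 is the process manifest) compiled with the MinGW-w64 or MSVC resource compiler does that, which is the step the notes say MSVC performed by default but MinGW-w64 did not. The `activeCodePage` setting only addresses the best-fit issue; the unpaired-surrogate collision the notes mention is unaffected by it.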

Patch

diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
index f3818a083..cd64e2c31 100644
--- a/config/rootfiles/common/xz
+++ b/config/rootfiles/common/xz
@@ -41,95 +41,24 @@  usr/bin/xzmore
 #usr/lib/liblzma.la
 #usr/lib/liblzma.so
 usr/lib/liblzma.so.5
-usr/lib/liblzma.so.5.4.5
+usr/lib/liblzma.so.5.6.3
 #usr/lib/pkgconfig/liblzma.pc
 #usr/share/doc/xz
 #usr/share/doc/xz/AUTHORS
 #usr/share/doc/xz/COPYING
+#usr/share/doc/xz/COPYING.0BSD
 #usr/share/doc/xz/COPYING.GPLv2
 #usr/share/doc/xz/NEWS
 #usr/share/doc/xz/README
 #usr/share/doc/xz/THANKS
-#usr/share/doc/xz/TODO
-#usr/share/doc/xz/api
-#usr/share/doc/xz/api/annotated.html
-#usr/share/doc/xz/api/base_8h.html
-#usr/share/doc/xz/api/bc_s.png
-#usr/share/doc/xz/api/bc_sd.png
-#usr/share/doc/xz/api/bcj_8h.html
-#usr/share/doc/xz/api/block_8h.html
-#usr/share/doc/xz/api/check_8h.html
-#usr/share/doc/xz/api/classes.html
-#usr/share/doc/xz/api/closed.png
-#usr/share/doc/xz/api/container_8h.html
-#usr/share/doc/xz/api/delta_8h.html
-#usr/share/doc/xz/api/dir_b17a1d403082bd69a703ed987cf158fb.html
-#usr/share/doc/xz/api/doc.svg
-#usr/share/doc/xz/api/docd.svg
-#usr/share/doc/xz/api/doxygen.css
-#usr/share/doc/xz/api/doxygen.svg
-#usr/share/doc/xz/api/files.html
-#usr/share/doc/xz/api/filter_8h.html
-#usr/share/doc/xz/api/folderclosed.svg
-#usr/share/doc/xz/api/folderclosedd.svg
-#usr/share/doc/xz/api/folderopen.svg
-#usr/share/doc/xz/api/folderopend.svg
-#usr/share/doc/xz/api/functions.html
-#usr/share/doc/xz/api/functions_vars.html
-#usr/share/doc/xz/api/globals.html
-#usr/share/doc/xz/api/globals_defs.html
-#usr/share/doc/xz/api/globals_enum.html
-#usr/share/doc/xz/api/globals_eval.html
-#usr/share/doc/xz/api/globals_func.html
-#usr/share/doc/xz/api/globals_type.html
-#usr/share/doc/xz/api/hardware_8h.html
-#usr/share/doc/xz/api/index.html
-#usr/share/doc/xz/api/index_8h.html
-#usr/share/doc/xz/api/index__hash_8h.html
-#usr/share/doc/xz/api/lzma12_8h.html
-#usr/share/doc/xz/api/lzma_8h.html
-#usr/share/doc/xz/api/nav_f.png
-#usr/share/doc/xz/api/nav_fd.png
-#usr/share/doc/xz/api/nav_g.png
-#usr/share/doc/xz/api/nav_h.png
-#usr/share/doc/xz/api/nav_hd.png
-#usr/share/doc/xz/api/open.png
-#usr/share/doc/xz/api/splitbar.png
-#usr/share/doc/xz/api/splitbard.png
-#usr/share/doc/xz/api/stream__flags_8h.html
-#usr/share/doc/xz/api/structlzma__allocator.html
-#usr/share/doc/xz/api/structlzma__block.html
-#usr/share/doc/xz/api/structlzma__filter.html
-#usr/share/doc/xz/api/structlzma__index__iter.html
-#usr/share/doc/xz/api/structlzma__mt.html
-#usr/share/doc/xz/api/structlzma__options__bcj.html
-#usr/share/doc/xz/api/structlzma__options__delta.html
-#usr/share/doc/xz/api/structlzma__options__lzma.html
-#usr/share/doc/xz/api/structlzma__stream.html
-#usr/share/doc/xz/api/structlzma__stream__flags.html
-#usr/share/doc/xz/api/sync_off.png
-#usr/share/doc/xz/api/sync_on.png
-#usr/share/doc/xz/api/tab_a.png
-#usr/share/doc/xz/api/tab_ad.png
-#usr/share/doc/xz/api/tab_b.png
-#usr/share/doc/xz/api/tab_bd.png
-#usr/share/doc/xz/api/tab_h.png
-#usr/share/doc/xz/api/tab_hd.png
-#usr/share/doc/xz/api/tab_s.png
-#usr/share/doc/xz/api/tab_sd.png
-#usr/share/doc/xz/api/tabs.css
-#usr/share/doc/xz/api/version_8h.html
-#usr/share/doc/xz/api/vli_8h.html
 #usr/share/doc/xz/examples
 #usr/share/doc/xz/examples/00_README.txt
 #usr/share/doc/xz/examples/01_compress_easy.c
 #usr/share/doc/xz/examples/02_decompress.c
 #usr/share/doc/xz/examples/03_compress_custom.c
 #usr/share/doc/xz/examples/04_compress_easy_mt.c
+#usr/share/doc/xz/examples/11_file_info.c
 #usr/share/doc/xz/examples/Makefile
-#usr/share/doc/xz/examples_old
-#usr/share/doc/xz/examples_old/xz_pipe_comp.c
-#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
 #usr/share/doc/xz/faq.txt
 #usr/share/doc/xz/history.txt
 #usr/share/doc/xz/lzma-file-format.txt
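Review bot: the only installed file that changes in this hunk is the library itself (`-usr/lib/liblzma.so.5.4.5` / `+usr/lib/liblzma.so.5.6.3`); every other line is `#`-prefixed and so not shipped, which means the large block of removed `api/` entries, `TODO` and `examples_old` only brings the rootfile in line with the 5.6.x tarball (matching the changelog items about omitting the Doxygen docs and the TODO file) and does not alter the image. `usr/lib/liblzma.so.5` is unchanged, so the soname stays at 5 and dependants need no rebuild; the added `#usr/share/doc/xz/COPYING.0BSD` beside the retained `COPYING` and `COPYING.GPLv2` indicates a new licence file in the tarball and deserves a line in the commit message.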
@@ -168,6 +97,7 @@  usr/lib/liblzma.so.5.4.5
 #usr/share/man/de/man1/lzless.1
 #usr/share/man/de/man1/lzma.1
 #usr/share/man/de/man1/lzmadec.1
+#usr/share/man/de/man1/lzmainfo.1
 #usr/share/man/de/man1/lzmore.1
 #usr/share/man/de/man1/unlzma.1
 #usr/share/man/de/man1/unxz.1
@@ -184,21 +114,16 @@  usr/lib/liblzma.so.5.4.5
 #usr/share/man/fr
 #usr/share/man/fr/man1
 #usr/share/man/fr/man1/lzcat.1
-#usr/share/man/fr/man1/lzcmp.1
-#usr/share/man/fr/man1/lzdiff.1
 #usr/share/man/fr/man1/lzless.1
 #usr/share/man/fr/man1/lzma.1
 #usr/share/man/fr/man1/lzmadec.1
-#usr/share/man/fr/man1/lzmore.1
+#usr/share/man/fr/man1/lzmainfo.1
 #usr/share/man/fr/man1/unlzma.1
 #usr/share/man/fr/man1/unxz.1
 #usr/share/man/fr/man1/xz.1
 #usr/share/man/fr/man1/xzcat.1
-#usr/share/man/fr/man1/xzcmp.1
 #usr/share/man/fr/man1/xzdec.1
-#usr/share/man/fr/man1/xzdiff.1
 #usr/share/man/fr/man1/xzless.1
-#usr/share/man/fr/man1/xzmore.1
 #usr/share/man/ko
 #usr/share/man/ko/man1
 #usr/share/man/ko/man1/lzcat.1
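Review bot: besides the added `lzmainfo.1`, this hunk drops the French man pages for lzcmp, lzdiff, lzmore, xzcmp, xzdiff and xzmore, which the changelog in the commit message does not mention (it lists only Catalan, Chinese and Brazilian Portuguese translation updates). All of these are `#` entries, so nothing shipped changes, but please confirm the rootfile was regenerated from an actual 5.6.3 build rather than edited by hand, so that the removals reflect the tarball contents and not a stale template.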
@@ -210,6 +135,7 @@  usr/lib/liblzma.so.5.4.5
 #usr/share/man/ko/man1/lzless.1
 #usr/share/man/ko/man1/lzma.1
 #usr/share/man/ko/man1/lzmadec.1
+#usr/share/man/ko/man1/lzmainfo.1
 #usr/share/man/ko/man1/lzmore.1
 #usr/share/man/ko/man1/unlzma.1
 #usr/share/man/ko/man1/unxz.1
@@ -249,27 +175,16 @@  usr/lib/liblzma.so.5.4.5
 #usr/share/man/pt_BR
 #usr/share/man/pt_BR/man1
 #usr/share/man/pt_BR/man1/lzcat.1
-#usr/share/man/pt_BR/man1/lzcmp.1
-#usr/share/man/pt_BR/man1/lzdiff.1
-#usr/share/man/pt_BR/man1/lzegrep.1
-#usr/share/man/pt_BR/man1/lzfgrep.1
-#usr/share/man/pt_BR/man1/lzgrep.1
 #usr/share/man/pt_BR/man1/lzless.1
 #usr/share/man/pt_BR/man1/lzma.1
 #usr/share/man/pt_BR/man1/lzmadec.1
-#usr/share/man/pt_BR/man1/lzmore.1
+#usr/share/man/pt_BR/man1/lzmainfo.1
 #usr/share/man/pt_BR/man1/unlzma.1
 #usr/share/man/pt_BR/man1/unxz.1
 #usr/share/man/pt_BR/man1/xz.1
 #usr/share/man/pt_BR/man1/xzcat.1
-#usr/share/man/pt_BR/man1/xzcmp.1
 #usr/share/man/pt_BR/man1/xzdec.1
-#usr/share/man/pt_BR/man1/xzdiff.1
-#usr/share/man/pt_BR/man1/xzegrep.1
-#usr/share/man/pt_BR/man1/xzfgrep.1
-#usr/share/man/pt_BR/man1/xzgrep.1
 #usr/share/man/pt_BR/man1/xzless.1
-#usr/share/man/pt_BR/man1/xzmore.1
 #usr/share/man/ro
 #usr/share/man/ro/man1
 #usr/share/man/ro/man1/lzcat.1
@@ -281,6 +196,7 @@  usr/lib/liblzma.so.5.4.5
 #usr/share/man/ro/man1/lzless.1
 #usr/share/man/ro/man1/lzma.1
 #usr/share/man/ro/man1/lzmadec.1
+#usr/share/man/ro/man1/lzmainfo.1
 #usr/share/man/ro/man1/lzmore.1
 #usr/share/man/ro/man1/unlzma.1
 #usr/share/man/ro/man1/unxz.1
@@ -305,6 +221,7 @@  usr/lib/liblzma.so.5.4.5
 #usr/share/man/uk/man1/lzless.1
 #usr/share/man/uk/man1/lzma.1
 #usr/share/man/uk/man1/lzmadec.1
+#usr/share/man/uk/man1/lzmainfo.1
 #usr/share/man/uk/man1/lzmore.1
 #usr/share/man/uk/man1/unlzma.1
 #usr/share/man/uk/man1/unxz.1
diff --git a/lfs/xz b/lfs/xz
index 0a1763340..aa04a8d3a 100644
--- a/lfs/xz
+++ b/lfs/xz
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.4.5
+VER        = 5.6.3
 
 THISAPP    = xz-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
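Review bot: `VER` moves from 5.4.5 straight to 5.6.3, skipping 5.6.0 and 5.6.1, which the commit message identifies as the malicious releases; the hunk does not touch `DL_FROM`, so please confirm that the download location in lfs/xz still resolves for 5.6.3 now that upstream publishes releases from the new GitHub repository named in the commit message, and that `DL_FILE = $(THISAPP).tar.xz` matches the archive name offered there.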
@@ -45,7 +45,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
+$(DL_FILE)_BLAKE2 = 7c75a334abdec370d03bea1d07f9211069633e2851e304f189b6b316d9c8363350849404cff318310c3d4a6d2ec6439e64e074f40d7ad5f02ff101757de27f99
 
 install : $(TARGET)
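Review bot: the new `$(DL_FILE)_BLAKE2` value is the only thing in this patch that binds the build to a specific archive, and since the update deliberately skips the backdoored 5.6.0/5.6.1 releases the commit message should state how the hash was obtained: ideally by running `b2sum` on a tarball whose upstream release signature was verified first, rather than on a plain download. That keeps the checksum line a second, independent check instead of the sole one.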