diff mbox series

xz: Update to version 5.8.3

Message ID 20260407151108.3472751-35-adolf.belka@ipfire.org
State Staged
Commit d135d565f45c2d4286137ad811b48b0a5d61d599
Headers
Series xz: Update to version 5.8.3 |

Commit Message

Adolf Belka 7 Apr 2026, 3:11 p.m. UTC 
- Update from version 5.8.2 to 5.8.3
- Update of rootfile
- Fix for a CVE
- Changelog
    5.8.3
    IMPORTANT: This includes a fix for CVE-2026-34743 which affects all
    XZ Utils versions since 5.0.0. No new 5.2.x, 5.4.x, or 5.6.x
    releases will be made, but the fix is in the v5.2, v5.4, and v5.6
    branches in the xz Git repository.
    * liblzma:
        - Fix a buffer overflow in lzma_index_append(): If
          lzma_index_decoder() was used to decode an Index that
          contained no Records, the resulting lzma_index was left in
          a state where where a subsequent lzma_index_append() would
          allocate too little memory, and a buffer overflow would occur.
          The lzma_index functions are rarely used by applications
          directly. In the few applications that do use these functions,
          the combination of function calls required to trigger this bug
          are unlikely to exist, because there typically is no reason to
          append Records to a decoded lzma_index. Thus, it's likely that
          this bug cannot be triggered in any real-world application.
          The bug was reported and discovered by Cantina using their
          AppSec agent, Apex.
        - Fix the build on Windows ARM64EC.
        - Add "License: 0BSD" to liblzma.pc.
    * xz:
        - Fix invalid memory access in --files and --files0. All of
          the following must be true to trigger it:
            1. A string being read (which supposedly is a filename) is
               at least SIZE_MAX / 2 bytes long. This size is plausible
               on 32-bit platforms (2 GiB - 1 B).
            2. realloc(ptr, SIZE_MAX / 2 + 1) must succeed.
               On glibc >= 2.30 it shouldn't because the value
               exceeds PTRDIFF_MAX.
            3. An integer overflow results in a realloc(ptr, 0) call.
               If it doesn't return NULL, then invalid memory access
               will occur.
        - On QNX, don't use fsync() on directories because it fails.
    * Autotools: Enable 32-bit x86 assembler on Hurd by default.
      It was already enabled in the CMake-based build.
    * Translations: Add Arabic man page translations.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/xz | 27 ++++++++++++++++++++++++++-
 lfs/xz                     |  9 +++++----
 2 files changed, 31 insertions(+), 5 deletions(-)
diff mbox series

Patch

diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
index c6b433803..5debdf404 100644
--- a/config/rootfiles/common/xz
+++ b/config/rootfiles/common/xz
@@ -41,7 +41,7 @@  usr/bin/xzmore
 #usr/lib/liblzma.la
 #usr/lib/liblzma.so
 usr/lib/liblzma.so.5
-usr/lib/liblzma.so.5.8.2
+usr/lib/liblzma.so.5.8.3
 #usr/lib/pkgconfig/liblzma.pc
 #usr/share/doc/xz
 #usr/share/doc/xz/AUTHORS
@@ -88,6 +88,31 @@  usr/lib/liblzma.so.5.8.2
 #usr/share/locale/vi/LC_MESSAGES/xz.mo
 #usr/share/locale/zh_CN/LC_MESSAGES/xz.mo
 #usr/share/locale/zh_TW/LC_MESSAGES/xz.mo
+#usr/share/man/ar
+#usr/share/man/ar/man1
+#usr/share/man/ar/man1/lzcat.1
+#usr/share/man/ar/man1/lzcmp.1
+#usr/share/man/ar/man1/lzdiff.1
+#usr/share/man/ar/man1/lzegrep.1
+#usr/share/man/ar/man1/lzfgrep.1
+#usr/share/man/ar/man1/lzgrep.1
+#usr/share/man/ar/man1/lzless.1
+#usr/share/man/ar/man1/lzma.1
+#usr/share/man/ar/man1/lzmadec.1
+#usr/share/man/ar/man1/lzmainfo.1
+#usr/share/man/ar/man1/lzmore.1
+#usr/share/man/ar/man1/unlzma.1
+#usr/share/man/ar/man1/unxz.1
+#usr/share/man/ar/man1/xz.1
+#usr/share/man/ar/man1/xzcat.1
+#usr/share/man/ar/man1/xzcmp.1
+#usr/share/man/ar/man1/xzdec.1
+#usr/share/man/ar/man1/xzdiff.1
+#usr/share/man/ar/man1/xzegrep.1
+#usr/share/man/ar/man1/xzfgrep.1
+#usr/share/man/ar/man1/xzgrep.1
+#usr/share/man/ar/man1/xzless.1
+#usr/share/man/ar/man1/xzmore.1
 #usr/share/man/de
 #usr/share/man/de/man1
 #usr/share/man/de/man1/lzcat.1
diff --git a/lfs/xz b/lfs/xz
index 465a3b183..a8de6c5d7 100644
--- a/lfs/xz
+++ b/lfs/xz
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.8.2
+VER        = 5.8.3
 
 THISAPP    = xz-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -45,7 +45,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 3788b52c41adb4af32a5221b9c497044068343f1489508b90c9fb00188463e1eb3bc9df91b0457f1e9524c5e45dd2c374fd26f535994f04f94d2d200ccc4d85c
+$(DL_FILE)_BLAKE2 = 36d6ae3ce1ee70f1d18d10107f7d6b4dfb43c34e11d8ec4504feeaa50b43cfa8d80de2b8ac2a1b66478723a83b4ebacf4179b69fb4d746f08b120b2e804fc2ce
 
 install : $(TARGET)
 
@@ -75,7 +75,8 @@  $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && ./configure --prefix=$(PREFIX)
+	cd $(DIR_APP) && ./configure \
+				--prefix=$(PREFIX)
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)