From patchwork Tue Apr 7 15:11:08 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9644
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] xz: Update to version 5.8.3
Date: Tue, 7 Apr 2026 17:11:08 +0200
Message-ID: <20260407151108.3472751-35-adolf.belka@ipfire.org>
In-Reply-To: <20260407151108.3472751-1-adolf.belka@ipfire.org>
References: <20260407151108.3472751-1-adolf.belka@ipfire.org>
Precedence: list

- Update from version 5.8.2 to 5.8.3
- Update of rootfile
- Fix for a CVE
- Changelog
    5.8.3
        IMPORTANT: This includes a fix for CVE-2026-34743 which affects all
         XZ Utils versions since 5.0.0. No new 5.2.x, 5.4.x, or 5.6.x
         releases will be made, but the fix is in the v5.2, v5.4, and v5.6
         branches in the xz Git repository.
        * liblzma:
          - Fix a buffer overflow in lzma_index_append(): If
            lzma_index_decoder() was used to decode an Index that
            contained no Records, the resulting lzma_index was left in
            a state where a subsequent lzma_index_append() would
            allocate too little memory, and a buffer overflow would occur.
            The lzma_index functions are rarely used by applications
            directly. In the few applications that do use these functions,
            the combination of function calls required to trigger this bug
            are unlikely to exist, because there typically is no reason to
            append Records to a decoded lzma_index. Thus, it's likely that
            this bug cannot be triggered in any real-world application.
            The bug was reported and discovered by Cantina using their
            AppSec agent, Apex.
          - Fix the build on Windows ARM64EC.
          - Add "License: 0BSD" to liblzma.pc.
        * xz:
          - Fix invalid memory access in --files and --files0. All of
            the following must be true to trigger it:
            1. A string being read (which supposedly is a filename) is
               at least SIZE_MAX / 2 bytes long. This size is plausible
               on 32-bit platforms (2 GiB - 1 B).
            2. realloc(ptr, SIZE_MAX / 2 + 1) must succeed. On
               glibc >= 2.30 it shouldn't because the value exceeds
               PTRDIFF_MAX.
            3.
               An integer overflow results in a realloc(ptr, 0) call.
               If it doesn't return NULL, then invalid memory access
               will occur.
          - On QNX, don't use fsync() on directories because it fails.
        * Autotools: Enable 32-bit x86 assembler on Hurd by default.
          It was already enabled in the CMake-based build.
        * Translations: Add Arabic man page translations.

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/xz | 27 ++++++++++++++++++++++++++-
 lfs/xz                     |  9 +++++----
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz index c6b433803..5debdf404 100644 --- a/config/rootfiles/common/xz +++ b/config/rootfiles/common/xz @@ -41,7 +41,7 @@ usr/bin/xzmore #usr/lib/liblzma.la #usr/lib/liblzma.so usr/lib/liblzma.so.5 -usr/lib/liblzma.so.5.8.2 +usr/lib/liblzma.so.5.8.3 #usr/lib/pkgconfig/liblzma.pc #usr/share/doc/xz #usr/share/doc/xz/AUTHORS @@ -88,6 +88,31 @@ usr/lib/liblzma.so.5.8.2 #usr/share/locale/vi/LC_MESSAGES/xz.mo #usr/share/locale/zh_CN/LC_MESSAGES/xz.mo #usr/share/locale/zh_TW/LC_MESSAGES/xz.mo +#usr/share/man/ar +#usr/share/man/ar/man1 +#usr/share/man/ar/man1/lzcat.1 +#usr/share/man/ar/man1/lzcmp.1 +#usr/share/man/ar/man1/lzdiff.1 +#usr/share/man/ar/man1/lzegrep.1 +#usr/share/man/ar/man1/lzfgrep.1 +#usr/share/man/ar/man1/lzgrep.1 +#usr/share/man/ar/man1/lzless.1 +#usr/share/man/ar/man1/lzma.1 +#usr/share/man/ar/man1/lzmadec.1 +#usr/share/man/ar/man1/lzmainfo.1 +#usr/share/man/ar/man1/lzmore.1 +#usr/share/man/ar/man1/unlzma.1 +#usr/share/man/ar/man1/unxz.1 +#usr/share/man/ar/man1/xz.1 +#usr/share/man/ar/man1/xzcat.1 +#usr/share/man/ar/man1/xzcmp.1 +#usr/share/man/ar/man1/xzdec.1 +#usr/share/man/ar/man1/xzdiff.1 +#usr/share/man/ar/man1/xzegrep.1 +#usr/share/man/ar/man1/xzfgrep.1 +#usr/share/man/ar/man1/xzgrep.1 +#usr/share/man/ar/man1/xzless.1 +#usr/share/man/ar/man1/xzmore.1 #usr/share/man/de #usr/share/man/de/man1 #usr/share/man/de/man1/lzcat.1 diff --git a/lfs/xz b/lfs/xz index 465a3b183..a8de6c5d7 100644
--- a/lfs/xz +++ b/lfs/xz @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 5.8.2 +VER = 5.8.3 THISAPP = xz-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3788b52c41adb4af32a5221b9c497044068343f1489508b90c9fb00188463e1eb3bc9df91b0457f1e9524c5e45dd2c374fd26f535994f04f94d2d200ccc4d85c +$(DL_FILE)_BLAKE2 = 36d6ae3ce1ee70f1d18d10107f7d6b4dfb43c34e11d8ec4504feeaa50b43cfa8d80de2b8ac2a1b66478723a83b4ebacf4179b69fb4d746f08b120b2e804fc2ce install : $(TARGET) @@ -75,7 +75,8 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=$(PREFIX) + cd $(DIR_APP) && ./configure \ + --prefix=$(PREFIX) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP)
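
Review bot: The $(DL_FILE)_BLAKE2 replacement in lfs/xz (hunk @@ -45,7 +45,7 @@) is the only integrity anchor for the new xz-5.8.3.tar.xz, and nothing in the commit message records how the new digest was obtained. Suggest adding a line saying the tarball was checked against the upstream release signature before the BLAKE2 value was computed, so the pinned digest can be traced back to a verified artifact.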
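
Review bot: In the last lfs/xz hunk (@@ -75,7 +75,8 @@) the ./configure call is split over two lines with a backslash continuation but still passes only --prefix=$(PREFIX), so this is a formatting-only change that the commit message does not mention. Either drop it from this security update to keep the diff to the version, digest and rootfile changes, or add a line to the commit message noting that the reflow is cosmetic.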
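
The third condition in the xz changelog above is plain size arithmetic: doubling a capacity of SIZE_MAX / 2 + 1 wraps to 0. The following is an added example, not part of this patch or of XZ Utils; it assumes a buffer that grows by doubling (the page does not show xz's code), and grow_unchecked, grow_checked and read_name are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked doubling: 2 * (SIZE_MAX / 2 + 1) wraps to 0, i.e. realloc(ptr, 0). */
static size_t grow_unchecked(size_t cap) { return cap * 2; }

/* Checked doubling: refuse any size above PTRDIFF_MAX instead of wrapping. */
static bool grow_checked(size_t cap, size_t *next)
{
    if (cap > (size_t)PTRDIFF_MAX / 2)
        return false;
    *next = cap ? cap * 2 : 16;
    return true;
}

/* Hypothetical helper: copy one delim-terminated name out of in[0..in_len).
 * Returns a malloc'd string (caller frees) or NULL; *used = bytes consumed. */
static char *read_name(const char *in, size_t in_len, char delim, size_t *used)
{
    char *buf = NULL, *tmp;
    size_t cap = 0, len = 0, next;
    for (size_t i = 0; i < in_len; i++) {
        if (len + 1 >= cap) {               /* keep room for the terminator */
            if (!grow_checked(cap, &next) || !(tmp = realloc(buf, next)))
                break;                      /* name too long or out of memory */
            buf = tmp;
            cap = next;
        }
        if (in[i] == delim) {
            buf[len] = '\0';
            *used = i + 1;
            return buf;
        }
        buf[len++] = in[i];
    }
    free(buf);                              /* error or unterminated input */
    return NULL;
}

int main(void)
{
    size_t used = 0;
    char *name = read_name("a.xz\0b.xz", 10, '\0', &used); /* constructed input */
    printf("wrapped: %zu, name: %s\n", grow_unchecked(SIZE_MAX / 2 + 1), name ? name : "-");
    free(name);
    return 0;
}
```

The PTRDIFF_MAX bound in grow_checked is the same limit the changelog cites for glibc >= 2.30 in condition 2.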