From: "Sven Püschel" <s.pueschel@pengutronix.de>
To: Christian Melki <christian.melki@t2data.com>
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] xz: version bump 5.4.4 -> 5.8.1
Date: Tue, 21 Oct 2025 15:28:05 +0200
Message-ID: <173985ea-9ba8-45bd-9cb5-db50e571fece@pengutronix.de>
In-Reply-To: <d0b38ee1-ea62-472b-b3fa-5375ad1f5bac@t2data.com>
Hi Christian,
On 10/21/25 3:18 PM, Christian Melki wrote:
> Hi Sven.
>
> Glad you did this. There was a bit of controversy regarding the xz bump
> at the time after the project got compromised. I don't remember what
> it was about, but I don't mind xz at all.
While I don't know about the controversy, I know that the supply chain
attack was done using a modified configure script in the release tarball
(so not present in the git tree).
If this is a concern, I could switch over to the GitHub generated
release archives and switch over to CMake (which is feature complete but
not that well tested).
> Could you also be so kind and check the host-* equivalents too?
Yeah, thanks for the hint.
Sincerely
Sven
>
> Regards,
> Christian
>
> On 10/21/25 3:10 PM, Sven Püschel wrote:
>> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
>>
>> Most parts of the COPYING file replaced public domain licenses with
>> 0BSD. But public domain is still mentioned for some old translations.
>> Therefore only add 0BSD to the license list.
>>
>> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
>> ---
>> rules/xz.make | 12 +++++++-----
>> 1 file changed, 7 insertions(+), 5 deletions(-)
>>
>> diff --git a/rules/xz.make b/rules/xz.make
>> index f24a2ac03..90a32f728 100644
>> --- a/rules/xz.make
>> +++ b/rules/xz.make
>> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>> #
>> # Paths and names
>> #
>> -XZ_VERSION := 5.4.4
>> -XZ_MD5 := fbb849a27e266964aefe26bad508144f
>> +XZ_VERSION := 5.8.1
>> +XZ_MD5 := a814a04a94c5ce757e2f90e387bd1a5c
>> XZ := xz-$(XZ_VERSION)
>> XZ_SUFFIX := tar.bz2
>> XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
>> XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>> XZ_DIR := $(BUILDDIR)/$(XZ)
>> -XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND
>> GPL-2.0-or-later AND GPL-3.0-or-later
>> +XZ_LICENSE := 0BSD AND public_domain AND LGPL-2.1-or-later AND
>> GPL-2.0-or-later AND GPL-3.0-or-later
>> XZ_LICENSE_FILES := \
>> - file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
>> + file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>> file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>> file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>> file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
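Review bot: the XZ_LICENSE change in this hunk arrives wrapped, with the continuation "GPL-2.0-or-later AND GPL-3.0-or-later" on a second line that carries no +/- prefix, so the patch as shown will not apply cleanly; please resend with the mailer's line wrapping disabled so each of the - and + lines stays whole. Keeping public_domain next to 0BSD is consistent with the commit message's note about the old translations. One caveat on the XZ_MD5 / XZ_URL pair: the new MD5 pins the tukaani.org tarball that was downloaded and guards against the download changing later, but it says nothing about whether the tarball's generated files match the tagged sources, which is exactly the gap the compromise discussed above went through; if the GitHub-generated archive route is taken, XZ_URL and XZ_SUFFIX will need to change together with the hash.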
>> @@ -53,6 +53,7 @@ XZ_CONF_OPT := \
>> --disable-lzma-links \
>> --$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
>> --disable-doc \
>> + --disable-doxygen \
>> --disable-sandbox \
>> --enable-shared \
>> --disable-static \
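Review bot: the new --disable-doxygen switch gets no mention in the commit message; a one-line note on why it is needed in addition to the --disable-doc just above it would help whoever does the next version bump.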
>> @@ -62,7 +63,8 @@ XZ_CONF_OPT := \
>> $(GLOBAL_LARGE_FILE_OPTION) \
>> --enable-unaligned-access=auto \
>> --disable-unsafe-type-punning \
>> - --disable-werror
>> + --disable-werror \
>> + --$(call ptx/endis, PTXDIST_Y2038)-year2038
>> #
>> ----------------------------------------------------------------------------
>> # Target-Install
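Review bot: "--$(call ptx/endis, PTXDIST_Y2038)-year2038" has a space after the comma, unlike "--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts" in the earlier hunk; GNU make keeps leading whitespace in every $(call ...) argument after the first, so unless ptx/endis strips it the lookup is done on " PTXDIST_Y2038" and may silently pick the wrong branch. Drop the space for consistency with the existing line. The year2038 addition is also absent from the commit message.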
>
>
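A check for the concern raised above (a release tarball carrying a generated configure script that does not exist in the git tree), as an added example that is not part of the patch or of ptxdist: it compares an already extracted tarball directory against a checkout of the matching tag and reports files only in the tarball, only in git, or differing in content. The sample trees and file names below are constructed for the demo, not real xz contents.

```shell
#!/bin/sh
# Added example: compare an unpacked release tarball with a git checkout of
# the same tag. Generated files such as configure normally show up as
# ONLY_IN_TARBALL; any source file reported as DIFFERS deserves a look.
# Usage: tarball_vs_git <extracted_tarball_dir> <git_checkout_dir>
tarball_vs_git() {
    tar_dir=$1
    git_dir=$2
    # Every regular file in the tarball, relative path, sorted for stable output.
    ( cd "$tar_dir" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        if [ ! -e "$git_dir/$f" ]; then
            echo "ONLY_IN_TARBALL $f"
        elif ! cmp -s "$tar_dir/$f" "$git_dir/$f"; then
            echo "DIFFERS $f"
        fi
    done
    # Files the tarball dropped relative to git (e.g. .gitignore is expected).
    ( cd "$git_dir" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        [ -e "$tar_dir/$f" ] || echo "ONLY_IN_GIT $f"
    done
}

# Constructed sample trees (hypothetical paths, not real xz files):
# the tarball adds generated configure/Makefile.in and alters one source file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tarball/src/xz" "$tmp/git/src/xz"
    printf 'int main(void) { return 0; }\n' > "$tmp/git/src/xz/main.c"
    printf 'int main(void) { return 1; }\n' > "$tmp/tarball/src/xz/main.c"
    printf '/* args */\n' > "$tmp/git/src/xz/args.c"
    cp "$tmp/git/src/xz/args.c" "$tmp/tarball/src/xz/args.c"
    printf '#!/bin/sh\n# generated by autoconf\n' > "$tmp/tarball/configure"
    printf '# generated by automake\n' > "$tmp/tarball/Makefile.in"
    printf 'configure\n' > "$tmp/git/.gitignore"
    tarball_vs_git "$tmp/tarball" "$tmp/git"
    rm -rf "$tmp"
}

demo
```

In real use, extract the downloaded tarball and `git archive` or check out the matching tag into the second directory; an MD5 in the rules file cannot make this distinction.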