From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Tue, 21 Oct 2025 15:28:12 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ptxdist-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1vBCPM-00AGOG-1o
	for lore@lore.pengutronix.de;
	Tue, 21 Oct 2025 15:28:12 +0200
Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de)
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <ptxdist-bounces@pengutronix.de>)
	id 1vBCPM-0005yG-5H; Tue, 21 Oct 2025 15:28:12 +0200
Received: from ptz.office.stw.pengutronix.de ([2a0a:edc0:0:900:1d::77]
 helo=[127.0.0.1])
 by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
 (envelope-from <s.pueschel@pengutronix.de>)
 id 1vBCPF-0005xl-E7; Tue, 21 Oct 2025 15:28:05 +0200
Message-ID: <173985ea-9ba8-45bd-9cb5-db50e571fece@pengutronix.de>
Date: Tue, 21 Oct 2025 15:28:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Christian Melki <christian.melki@t2data.com>
References: <20251021131035.2034805-1-s.pueschel@pengutronix.de>
 <d0b38ee1-ea62-472b-b3fa-5375ad1f5bac@t2data.com>
Content-Language: en-US
From: =?UTF-8?Q?Sven_P=C3=BCschel?= <s.pueschel@pengutronix.de>
In-Reply-To: <d0b38ee1-ea62-472b-b3fa-5375ad1f5bac@t2data.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [ptxdist] [PATCH] xz: version bump 5.4.4 -> 5.8.1
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <https://metis.pengutronix.de/mailman/options/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <https://metis.pengutronix.de/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <https://metis.pengutronix.de/mailman/listinfo/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Cc: ptxdist@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

Hi Christian,

On 10/21/25 3:18 PM, Christian Melki wrote:
> Hi Sven.
>
> Glad you did this. There was a bit of controversy regarding the xz bump
> at the time after the project got compromised. I don't remember what
> it was about, but I don't mind xz at all.

While I don't know about the controversy, I know that the supply chain 
attack was done using a modified configure script in the release tarball 
(so not present in the git tree).

If this is a concern, I could switch over to the GitHub generated 
release archives and switch over to CMake (which is feature complete but 
not that well tested).


> Could you also be so kind and check the host-* equivalents too?

yeah, thanks for the hint.


Sincerely
     Sven

>
> Regards,
> Christian
>
> On 10/21/25 3:10 PM, Sven Püschel wrote:
>> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
>>
>> Most parts of the COPYING file replaced public domain licenses with
>> 0BSD. But public domain is still mentioned for some old translations.
>> Therefore only add 0BSD to the license list.
>>
>> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
>> ---
>>   rules/xz.make | 12 +++++++-----
>>   1 file changed, 7 insertions(+), 5 deletions(-)
>>
>> diff --git a/rules/xz.make b/rules/xz.make
>> index f24a2ac03..90a32f728 100644
>> --- a/rules/xz.make
>> +++ b/rules/xz.make
>> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>>   #
>>   # Paths and names
>>   #
>> -XZ_VERSION    := 5.4.4
>> -XZ_MD5        := fbb849a27e266964aefe26bad508144f
>> +XZ_VERSION    := 5.8.1
>> +XZ_MD5        := a814a04a94c5ce757e2f90e387bd1a5c
>>   XZ        := xz-$(XZ_VERSION)
>>   XZ_SUFFIX    := tar.bz2
>>   XZ_URL        := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
>>   XZ_SOURCE    := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>>   XZ_DIR        := $(BUILDDIR)/$(XZ)
>> -XZ_LICENSE    := public_domain AND LGPL-2.1-or-later AND 
>> GPL-2.0-or-later AND GPL-3.0-or-later
>> +XZ_LICENSE    := 0BSD AND public_domain AND LGPL-2.1-or-later AND 
>> GPL-2.0-or-later AND GPL-3.0-or-later
>>   XZ_LICENSE_FILES := \
>> -    file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
>> +    file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>>       file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>>       file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>> file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
>> @@ -53,6 +53,7 @@ XZ_CONF_OPT    := \
>>       --disable-lzma-links \
>>       --$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
>>       --disable-doc \
>> +    --disable-doxygen \
>>       --disable-sandbox \
>>       --enable-shared \
>>       --disable-static \
>> @@ -62,7 +63,8 @@ XZ_CONF_OPT    := \
>>       $(GLOBAL_LARGE_FILE_OPTION) \
>>       --enable-unaligned-access=auto \
>>       --disable-unsafe-type-punning \
>> -    --disable-werror
>> +    --disable-werror \
>> +    --$(call ptx/endis, PTXDIST_Y2038)-year2038
>>     # 
>> ----------------------------------------------------------------------------
>>   # Target-Install
>
>