* [ptxdist] [PATCH] xz: version bump 5.4.4 -> 5.8.1
@ 2025-10-21 13:10 Sven Püschel
From: Sven Püschel @ 2025-10-21 13:10 UTC
To: ptxdist; +Cc: Sven Püschel
This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
Most parts of the COPYING file replaced public domain licenses with
0BSD. But public domain is still mentioned for some old translations.
Therefore only add 0BSD to the license list.
Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
---
rules/xz.make | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/xz.make b/rules/xz.make
index f24a2ac03..90a32f728 100644
--- a/rules/xz.make
+++ b/rules/xz.make
@@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
#
# Paths and names
#
-XZ_VERSION := 5.4.4
-XZ_MD5 := fbb849a27e266964aefe26bad508144f
+XZ_VERSION := 5.8.1
+XZ_MD5 := a814a04a94c5ce757e2f90e387bd1a5c
XZ := xz-$(XZ_VERSION)
XZ_SUFFIX := tar.bz2
XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
XZ_DIR := $(BUILDDIR)/$(XZ)
-XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
+XZ_LICENSE := 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
XZ_LICENSE_FILES := \
- file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
+ file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
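Review bot: `XZ_MD5 := a814a04a94c5ce757e2f90e387bd1a5c` is the only integrity anchor for the new tarball, and the commit message does not say how it was obtained; given that this very thread brings up the compromised release tarball, the message should state that xz-5.8.1.tar.bz2 was checked against upstream's published signature or checksum rather than the MD5 simply being recomputed from whatever was downloaded. MD5 pins identity, not trust. The XZ_LICENSE change (0BSD added, public_domain kept) and the new COPYING checksum are consistent with what the commit message explains. Note also that XZ_URL still fetches from tukaani.org; if the switch to GitHub-generated archives discussed in the reply happens, this line and XZ_SUFFIX change with it.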
@@ -53,6 +53,7 @@ XZ_CONF_OPT := \
--disable-lzma-links \
--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
--disable-doc \
+ --disable-doxygen \
--disable-sandbox \
--enable-shared \
--disable-static \
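Review bot: `--disable-sandbox` stays as unchanged context in a bump whose stated purpose is a security fix; xz's sandbox is opt-out hardening for the xz tool, so either give the reason the target build keeps it disabled in the commit message or drop the flag and let configure auto-detect. The newly added `--disable-doxygen` is not mentioned in the commit message either; one sentence on the new configure options (doxygen here, year2038 in the next hunk) would make the bump reviewable without diffing upstream's configure.ac.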
@@ -62,7 +63,8 @@ XZ_CONF_OPT := \
$(GLOBAL_LARGE_FILE_OPTION) \
--enable-unaligned-access=auto \
--disable-unsafe-type-punning \
- --disable-werror
+ --disable-werror \
+ --$(call ptx/endis, PTXDIST_Y2038)-year2038
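Review bot: `$(call ptx/endis, PTXDIST_Y2038)` has a space after the comma, while `$(call ptx/endis,PTXCONF_XZ_TOOLS)` earlier in the same variable does not. GNU make passes a leading space as part of that argument, so the call only works if ptx/endis strips its parameter; write both the same way (`--$(call ptx/endis,PTXDIST_Y2038)-year2038`) so the rule does not depend on that.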
# ----------------------------------------------------------------------------
# Target-Install
--
2.47.3
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [ptxdist] [PATCH] xz: version bump 5.4.4 -> 5.8.1
From: Christian Melki @ 2025-10-21 13:18 UTC
To: s.pueschel; +Cc: ptxdist
Hi Sven.
Glad you did this. There was a bit of controversy regarding the xz bump
at the time after the project got compromised. I don't remember what
it was about, but I don't mind xz at all.
Could you also be so kind and check the host-* equivalents too?
Regards,
Christian
On 10/21/25 3:10 PM, Sven Püschel wrote:
> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
>
> Most parts of the COPYING file replaced public domain licenses with
> 0BSD. But public domain is still mentioned for some old translations.
> Therefore only add 0BSD to the license list.
>
> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
> ---
> rules/xz.make | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/rules/xz.make b/rules/xz.make
> index f24a2ac03..90a32f728 100644
> --- a/rules/xz.make
> +++ b/rules/xz.make
> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
> #
> # Paths and names
> #
> -XZ_VERSION := 5.4.4
> -XZ_MD5 := fbb849a27e266964aefe26bad508144f
> +XZ_VERSION := 5.8.1
> +XZ_MD5 := a814a04a94c5ce757e2f90e387bd1a5c
> XZ := xz-$(XZ_VERSION)
> XZ_SUFFIX := tar.bz2
> XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
> XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
> XZ_DIR := $(BUILDDIR)/$(XZ)
> -XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
> +XZ_LICENSE := 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
> XZ_LICENSE_FILES := \
> - file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
> + file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
> file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
> file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
> file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
> @@ -53,6 +53,7 @@ XZ_CONF_OPT := \
> --disable-lzma-links \
> --$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
> --disable-doc \
> + --disable-doxygen \
> --disable-sandbox \
> --enable-shared \
> --disable-static \
> @@ -62,7 +63,8 @@ XZ_CONF_OPT := \
> $(GLOBAL_LARGE_FILE_OPTION) \
> --enable-unaligned-access=auto \
> --disable-unsafe-type-punning \
> - --disable-werror
> + --disable-werror \
> + --$(call ptx/endis, PTXDIST_Y2038)-year2038
>
> # ----------------------------------------------------------------------------
> # Target-Install
* Re: [ptxdist] [PATCH] xz: version bump 5.4.4 -> 5.8.1
From: Sven Püschel @ 2025-10-21 13:28 UTC
To: Christian Melki; +Cc: ptxdist
Hi Christian,
On 10/21/25 3:18 PM, Christian Melki wrote:
> Hi Sven.
>
> Glad you did this. There was a bit of controversy regarding the xz bump
> at the time after the project got compromised. I don't remember what
> it was about, but I don't mind xz at all.
While I don't know about the controversy, I know that the supply chain
attack was done using a modified configure script in the release tarball
(so not present in the git tree).
If this is a concern, I could switch over to the GitHub generated
release archives and switch over to CMake (which is feature complete but
not that well tested).
> Could you also be so kind and check the host-* equivalents too?
Yeah, thanks for the hint.
Sincerely
Sven
>
> Regards,
> Christian
>
> On 10/21/25 3:10 PM, Sven Püschel wrote:
>> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
>>
>> Most parts of the COPYING file replaced public domain licenses with
>> 0BSD. But public domain is still mentioned for some old translations.
>> Therefore only add 0BSD to the license list.
>>
>> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
>> ---
>> rules/xz.make | 12 +++++++-----
>> 1 file changed, 7 insertions(+), 5 deletions(-)
>>
>> diff --git a/rules/xz.make b/rules/xz.make
>> index f24a2ac03..90a32f728 100644
>> --- a/rules/xz.make
>> +++ b/rules/xz.make
>> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>> #
>> # Paths and names
>> #
>> -XZ_VERSION := 5.4.4
>> -XZ_MD5 := fbb849a27e266964aefe26bad508144f
>> +XZ_VERSION := 5.8.1
>> +XZ_MD5 := a814a04a94c5ce757e2f90e387bd1a5c
>> XZ := xz-$(XZ_VERSION)
>> XZ_SUFFIX := tar.bz2
>> XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
>> XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>> XZ_DIR := $(BUILDDIR)/$(XZ)
>> -XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND
>> GPL-2.0-or-later AND GPL-3.0-or-later
>> +XZ_LICENSE := 0BSD AND public_domain AND LGPL-2.1-or-later AND
>> GPL-2.0-or-later AND GPL-3.0-or-later
>> XZ_LICENSE_FILES := \
>> - file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
>> + file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>> file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>> file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>> file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
>> @@ -53,6 +53,7 @@ XZ_CONF_OPT := \
>> --disable-lzma-links \
>> --$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
>> --disable-doc \
>> + --disable-doxygen \
>> --disable-sandbox \
>> --enable-shared \
>> --disable-static \
>> @@ -62,7 +63,8 @@ XZ_CONF_OPT := \
>> $(GLOBAL_LARGE_FILE_OPTION) \
>> --enable-unaligned-access=auto \
>> --disable-unsafe-type-punning \
>> - --disable-werror
>> + --disable-werror \
>> + --$(call ptx/endis, PTXDIST_Y2038)-year2038
>> #
>> ----------------------------------------------------------------------------
>> # Target-Install
>
>
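The check that Sven's remark points at, written out as an added example (it is not part of this thread, of ptxdist, or of the xz project): compare a release tarball against a `git archive` export of the same tag and report three things, tracked files whose content in the tarball differs from git, tarball-only files that are not known autotools output, and tracked files the tarball drops. Running it for real means fetching xz-5.8.1.tar.bz2 and an export of the matching tag, which is not done here; the two trees, the GENERATED allow-list and the archive prefixes below are constructed for the example.

```python
"""Compare a release tarball with the git export of the same tag.

Added example. A release tarball may legitimately contain files that are
not tracked in git (autoreconf output such as configure); everything else
that is tarball-only, or any tracked file whose bytes differ from git, is
exactly what a reviewer wants flagged.
"""
import hashlib
import io
import json
import tarfile

# Paths the tarball is expected to add on top of git. This set is an
# assumption for the example; a real check would derive it from the
# project's .gitignore or from a clean `autoreconf -fi` run.
GENERATED = frozenset({
    "configure", "config.h.in", "aclocal.m4", "Makefile.in",
    "src/Makefile.in", "build-aux/install-sh", "build-aux/ltmain.sh",
    "m4/libtool.m4",
})


def tarball_digests(tar_bytes: bytes) -> dict[str, str]:
    """Map every regular file in a tarball to its SHA-256.

    The top-level directory (xz-5.8.1/, or whatever the archive uses) is
    stripped so that two archives compare on the same relative paths.
    """
    digests: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            path = name.split("/", 1)[1] if "/" in name else name
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_trees(release: dict[str, str], git: dict[str, str],
                  generated: frozenset = GENERATED) -> dict[str, list[str]]:
    """Classify the differences between release tarball and git export.

    modified   -- tracked file whose content in the tarball differs from git
    unexpected -- file only in the tarball that is not known generated output
    missing    -- tracked file absent from the tarball
    """
    modified = sorted(p for p in release if p in git and release[p] != git[p])
    unexpected = sorted(p for p in release if p not in git and p not in generated)
    missing = sorted(p for p in git if p not in release)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def make_tar(prefix: str, files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar.gz from a path->bytes mapping (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Constructed sample: a git export and a release tarball derived from it."""
    git_tree = {
        "configure.ac": b"AC_INIT([xz], [5.8.1])\n",
        "m4/build.m4": b"dnl helper macro\n",
        "src/liblzma/lzma.c": b"int lzma(void) { return 0; }\n",
    }
    release_tree = dict(git_tree)
    release_tree["configure"] = b"#! /bin/sh\n# generated by autoconf\n"  # expected
    release_tree["m4/build.m4"] = b"dnl helper macro\ndnl extra line\n"  # differs
    release_tree["m4/extra.m4"] = b"dnl neither tracked nor generated\n"  # unexpected
    del release_tree["src/liblzma/lzma.c"]                                # dropped
    release = tarball_digests(make_tar("xz-5.8.1", release_tree))
    git = tarball_digests(make_tar("xz-git-export", git_tree))
    return compare_trees(release, git)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against real archives, feed `tarball_digests()` the bytes of the downloaded xz-5.8.1.tar.bz2 (`mode="r:*"` handles bz2) and of `git archive --format=tar <tag>`; the interesting output is the `modified` and `unexpected` lists, since a clean release should leave both empty and the `generated` allow-list accounts for everything autoreconf adds.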