From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Tue, 21 Oct 2025 18:02:04 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vBEoG-00AIjj-2L for lore@lore.pengutronix.de; Tue, 21 Oct 2025 18:02:04 +0200 Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1vBEoG-0003Dr-Gg; Tue, 21 Oct 2025 18:02:04 +0200 Received: from dude04.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::ac]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1vBEo5-0003DT-Qd; Tue, 21 Oct 2025 18:01:53 +0200 
From: =?UTF-8?q?Sven=20P=C3=BCschel?= To: ptxdist@pengutronix.de Date: Tue, 21 Oct 2025 18:01:43 +0200 Message-ID: <20251021160152.2405903-1-s.pueschel@pengutronix.de> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Subject: [ptxdist] [PATCH v2] xz: version bump 5.4.4 -> 5.8.1 X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: =?UTF-8?q?Sven=20P=C3=BCschel?= Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early. To avoid malicious tarballs, which happened in the past switch to the automatically generated tarballs from by GitHub. As xz also has a feature complete CMake build system, use it to avoid adding an autogen.sh file. Most parts of the COPYING file replaced public domain licenses with 0BSD. But public domain is still mentioned for some old translations. Therefore only add 0BSD to the license list. Signed-off-by: Sven Püschel
---
 rules/host-xz.in | 1 +
 rules/host-xz.make | 52 ++++++++++++++++---------------------
 rules/xz.in | 1 +
 rules/xz.make | 65 +++++++++++++++++++++-------------------------
 4 files changed, 54 insertions(+), 65 deletions(-)
diff --git a/rules/host-xz.in b/rules/host-xz.in
index 9d1b4fe6a..b38a42194 100644
--- a/rules/host-xz.in
+++ b/rules/host-xz.in
@@ -2,6 +2,7 @@ config HOST_XZ
 	tristate
+	select HOST_CMAKE
 	default y if ALLYES
 	help
 	  XZ-format compression utilities
diff --git a/rules/host-xz.make b/rules/host-xz.make
index c04db9567..c719421b5 100644
--- a/rules/host-xz.make
+++ b/rules/host-xz.make
@@ -15,35 +15,29 @@ HOST_PACKAGES-$(PTXCONF_HOST_XZ) += host-xz
 # Prepare
 # ----------------------------------------------------------------------------
-#
-# autoconf
-#
-HOST_XZ_CONF_TOOL := autoconf
+HOST_XZ_CONF_TOOL := cmake
 HOST_XZ_CONF_OPT := \
-	$(HOST_AUTOCONF) \
-	--disable-debug \
-	--disable-external-sha256 \
-	--disable-microlzma \
-	--disable-lzip-decoder \
-	--enable-assembler \
-	--enable-clmul-crc \
-	--disable-small \
-	--enable-threads \
-	--enable-xz \
-	--disable-xzdec \
-	--disable-lzmadec \
-	--disable-lzmainfo \
-	--disable-lzma-links \
-	--disable-scripts \
-	--disable-doc \
-	--disable-sandbox \
-	--enable-shared \
-	--disable-static \
-	--enable-symbol-versions \
-	--disable-nls \
-	--enable-rpath \
-	--enable-unaligned-access=auto \
-	--disable-unsafe-type-punning \
-	--disable-werror
+	$(HOST_CMAKE_OPT) \
+	-DBUILD_SHARED_LIBS=ON \
+	-DBUILD_TESTING=OFF \
+	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
+	-DXZ_DOC=OFF \
+	-DXZ_DOXYGEN=OFF \
+	-DXZ_EXTERNAL_SHA256=OFF \
+	-DXZ_LZIP_DECODER=OFF \
+	-DXZ_MICROLZMA_DECODER=OFF \
+	-DXZ_MICROLZMA_ENCODER=OFF \
+	-DXZ_NLS=OFF \
+	-DXZ_SANDBOX=no \
+	-DXZ_SMALL=OFF \
+	-DXZ_SYMBOL_VERSIONING=linux \
+	-DXZ_THREADS=yes \
+	-DXZ_TOOL_LZMADEC=OFF \
+	-DXZ_TOOL_LZMAINFO=OFF \
+	-DXZ_TOOL_SCRIPTS=OFF \
+	-DXZ_TOOL_SYMLINKS=OFF \
+	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
+	-DXZ_TOOL_XZ=ON \
+	-DXZ_TOOL_XZDEC=OFF
 # vim: syntax=make
diff --git a/rules/xz.in b/rules/xz.in
index 9f31a4f45..f61a58f05 100644
--- a/rules/xz.in
+++ b/rules/xz.in
@@ -2,6 +2,7 @@ menuconfig XZ
 	tristate
+	select HOST_CMAKE
 	prompt "xz "
 	help
 	  XZ Utils is free general-purpose data compression software
diff --git a/rules/xz.make b/rules/xz.make
index f24a2ac03..d80ce9276 100644
--- a/rules/xz.make
+++ b/rules/xz.make
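Review bot: The `#` / `# autoconf` / `#` header above `HOST_XZ_CONF_TOOL` is removed without a `# cmake` replacement, so this rule no longer carries the tool header that the removed lines show to be the convention in these files; I would keep it with `#`, `# cmake`, `#` directly before `HOST_XZ_CONF_TOOL := cmake`. Several autoconf switches from the old list (`--enable-assembler`, `--enable-clmul-crc`, `--enable-unaligned-access=auto`, `--enable-rpath`) have no explicit counterpart among the new `-D` options and presumably fall back to upstream CMake defaults or to `$(HOST_CMAKE_OPT)`. A one-line comment stating that would stop the next reader from treating them as accidentally dropped during the autoconf-to-CMake conversion.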
@@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
 #
 # Paths and names
 #
-XZ_VERSION := 5.4.4
-XZ_MD5 := fbb849a27e266964aefe26bad508144f
+XZ_VERSION := 5.8.1
+XZ_MD5 := 1be5d8137d7b5e91fa9ff8a6fdc4895b
 XZ := xz-$(XZ_VERSION)
-XZ_SUFFIX := tar.bz2
-XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
+XZ_SUFFIX := tar.gz
+XZ_URL := https://github.com/tukaani-project/xz/archive/refs/tags/v$(XZ_VERSION).$(XZ_SUFFIX)
 XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
 XZ_DIR := $(BUILDDIR)/$(XZ)
-XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
+XZ_LICENSE := 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
 XZ_LICENSE_FILES := \
-	file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
+	file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
 	file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 	file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
 	file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
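Review bot: The new `XZ_URL` fetches GitHub's on-the-fly tag archive, which does avoid release-tarball-only files, but that archive is unsigned and not byte-stable by contract, so `XZ_MD5` becomes the sole integrity anchor for this source. I would record next to `XZ_MD5` how the checksum was established, e.g. `# MD5 of the v5.8.1 tag archive, cross-checked against a local git archive of the tag`, so that a later archive regeneration or a moved tag can be told apart from a plain download error when the checksum stops matching. MD5 detects such drift but offers no resistance to a deliberate collision; if ptxdist allows a stronger digest for sources, this provenance switch is the natural place to start using it.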
@@ -32,37 +32,30 @@ XZ_LICENSE_FILES := \
 # Prepare
 # ----------------------------------------------------------------------------
-#
-# autoconf
-#
-XZ_CONF_TOOL := autoconf
+XZ_CONF_TOOL := cmake
 XZ_CONF_OPT := \
-	$(CROSS_AUTOCONF_USR) \
-	--disable-debug \
-	--disable-external-sha256 \
-	--disable-microlzma \
-	--disable-lzip-decoder \
-	--enable-assembler \
-	--enable-clmul-crc \
-	--disable-small \
-	--enable-threads \
-	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xz \
-	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xzdec \
-	--disable-lzmadec \
-	--disable-lzmainfo \
-	--disable-lzma-links \
-	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
-	--disable-doc \
-	--disable-sandbox \
-	--enable-shared \
-	--disable-static \
-	--enable-symbol-versions \
-	--disable-nls \
-	--disable-rpath \
-	$(GLOBAL_LARGE_FILE_OPTION) \
-	--enable-unaligned-access=auto \
-	--disable-unsafe-type-punning \
-	--disable-werror
+	$(CROSS_CMAKE_USR) \
+	-DBUILD_SHARED_LIBS=ON \
+	-DBUILD_TESTING=OFF \
+	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
+	-DXZ_DOC=OFF \
+	-DXZ_DOXYGEN=OFF \
+	-DXZ_EXTERNAL_SHA256=OFF \
+	-DXZ_LZIP_DECODER=OFF \
+	-DXZ_MICROLZMA_DECODER=OFF \
+	-DXZ_MICROLZMA_ENCODER=OFF \
+	-DXZ_NLS=OFF \
+	-DXZ_SANDBOX=no \
+	-DXZ_SMALL=OFF \
+	-DXZ_SYMBOL_VERSIONING=linux \
+	-DXZ_THREADS=yes \
+	-DXZ_TOOL_LZMADEC=OFF \
+	-DXZ_TOOL_LZMAINFO=OFF \
+	-DXZ_TOOL_SCRIPTS=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
+	-DXZ_TOOL_SYMLINKS=OFF \
+	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
+	-DXZ_TOOL_XZ=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
+	-DXZ_TOOL_XZDEC=$(call ptx/onoff,PTXCONF_XZ_TOOLS)
 # ----------------------------------------------------------------------------
 # Target-Install
-- 
2.47.3
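Review bot: `-DXZ_SANDBOX=no` keeps the xz sandbox disabled for the target binary, matching the old `--disable-sandbox`, but on the target `xz`/`xzdec` are exactly the tools that decompress untrusted archives, and the sandbox (Landlock, pledge or Capsicum depending on the platform) is the one process-level hardening upstream offers for them. If there is no concrete reason to keep it off, I would drop the line and let upstream's default decide (it auto-detects, if I read upstream's CMakeLists correctly); otherwise document the choice with `# sandbox kept off: <reason>` above the option so the next bump does not carry it forward blindly. Separately, `$(GLOBAL_LARGE_FILE_OPTION)` and `--disable-rpath` from the autoconf list have no visible counterpart here; presumably `$(CROSS_CMAKE_USR)` covers both, which a short comment could confirm.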