From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: "Sven Püschel" <s.pueschel@pengutronix.de>
Subject: Re: [ptxdist] [APPLIED] xz: version bump 5.4.4 -> 5.8.1
Date: Thu, 23 Oct 2025 15:13:52 +0200	[thread overview]
Message-ID: <20251023131352.1212837-1-m.olbrich@pengutronix.de> (raw)
In-Reply-To: <20251021160152.2405903-1-s.pueschel@pengutronix.de>

Thanks, applied as a29631c251345c6f4ac72844a8ac4495c5708f82.

Michael

[sent from post-receive hook]

On Thu, 23 Oct 2025 15:13:52 +0200, Sven Püschel <s.pueschel@pengutronix.de> wrote:
> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
> 
> To avoid malicious tarballs, which happened in the past, switch to the
> tarballs automatically generated by GitHub. As xz also has a
> feature complete CMake build system, use it to avoid adding an
> autogen.sh file.
> 
> Most parts of the COPYING file replaced public domain licenses with
> 0BSD. But public domain is still mentioned for some old translations.
> Therefore only add 0BSD to the license list.
> 
> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
> Message-Id: <20251021160152.2405903-1-s.pueschel@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-xz.in b/rules/host-xz.in
> index 9d1b4fe6aec1..b38a42194d55 100644
> --- a/rules/host-xz.in
> +++ b/rules/host-xz.in
> @@ -2,6 +2,7 @@
>  
>  config HOST_XZ
>  	tristate
> +	select HOST_CMAKE
>  	default y if ALLYES
>  	help
>  	  XZ-format compression utilities
> diff --git a/rules/host-xz.make b/rules/host-xz.make
> index c04db9567550..c719421b5da6 100644
> --- a/rules/host-xz.make
> +++ b/rules/host-xz.make
> @@ -15,35 +15,29 @@ HOST_PACKAGES-$(PTXCONF_HOST_XZ) += host-xz
>  # Prepare
>  # ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -HOST_XZ_CONF_TOOL	:= autoconf
> +HOST_XZ_CONF_TOOL	:= cmake
>  HOST_XZ_CONF_OPT	:= \
> -	$(HOST_AUTOCONF) \
> -	--disable-debug \
> -	--disable-external-sha256 \
> -	--disable-microlzma \
> -	--disable-lzip-decoder \
> -	--enable-assembler \
> -	--enable-clmul-crc \
> -	--disable-small \
> -	--enable-threads \
> -	--enable-xz \
> -	--disable-xzdec \
> -	--disable-lzmadec \
> -	--disable-lzmainfo \
> -	--disable-lzma-links \
> -	--disable-scripts \
> -	--disable-doc \
> -	--disable-sandbox \
> -	--enable-shared \
> -	--disable-static \
> -	--enable-symbol-versions \
> -	--disable-nls \
> -	--enable-rpath \
> -	--enable-unaligned-access=auto \
> -	--disable-unsafe-type-punning \
> -	--disable-werror
> +	$(HOST_CMAKE_OPT) \
> +	-DBUILD_SHARED_LIBS=ON \
> +	-DBUILD_TESTING=OFF \
> +	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
> +	-DXZ_DOC=OFF \
> +	-DXZ_DOXYGEN=OFF \
> +	-DXZ_EXTERNAL_SHA256=OFF \
> +	-DXZ_LZIP_DECODER=OFF \
> +	-DXZ_MICROLZMA_DECODER=OFF \
> +	-DXZ_MICROLZMA_ENCODER=OFF \
> +	-DXZ_NLS=OFF \
> +	-DXZ_SANDBOX=no \
> +	-DXZ_SMALL=OFF \
> +	-DXZ_SYMBOL_VERSIONING=linux \
> +	-DXZ_THREADS=yes \
> +	-DXZ_TOOL_LZMADEC=OFF \
> +	-DXZ_TOOL_LZMAINFO=OFF \
> +	-DXZ_TOOL_SCRIPTS=OFF \
> +	-DXZ_TOOL_SYMLINKS=OFF \
> +	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
> +	-DXZ_TOOL_XZ=ON \
> +	-DXZ_TOOL_XZDEC=OFF
>  
>  # vim: syntax=make
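Review bot: `-DXZ_SANDBOX=no` carries over the old `--disable-sandbox`, so xz is still built without its sandbox in the commit that fixes a memory-safety bug in the threaded decoder, while `-DXZ_THREADS=yes` keeps that decoder enabled. The host xz presumably unpacks downloaded source archives, and the second hunk in rules/xz.make makes the same choice for the tools installed on the target. Where the kernel headers in use provide Landlock, `-DXZ_SANDBOX=landlock` (or `auto`) would add defence in depth when decoding untrusted input. If it has to stay off, a comment such as `# sandbox disabled: <reason>` above the option would record why.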
> diff --git a/rules/xz.in b/rules/xz.in
> index 9f31a4f45343..f61a58f05c74 100644
> --- a/rules/xz.in
> +++ b/rules/xz.in
> @@ -2,6 +2,7 @@
>  
>  menuconfig XZ
>  	tristate
> +	select HOST_CMAKE
>  	prompt "xz                            "
>  	help
>  	  XZ Utils is free general-purpose data compression software
> diff --git a/rules/xz.make b/rules/xz.make
> index f24a2ac03442..d80ce9276670 100644
> --- a/rules/xz.make
> +++ b/rules/xz.make
> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>  #
>  # Paths and names
>  #
> -XZ_VERSION	:= 5.4.4
> -XZ_MD5		:= fbb849a27e266964aefe26bad508144f
> +XZ_VERSION	:= 5.8.1
> +XZ_MD5		:= 1be5d8137d7b5e91fa9ff8a6fdc4895b
>  XZ		:= xz-$(XZ_VERSION)
> -XZ_SUFFIX	:= tar.bz2
> -XZ_URL		:= https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
> +XZ_SUFFIX	:= tar.gz
> +XZ_URL		:= https://github.com/tukaani-project/xz/archive/refs/tags/v$(XZ_VERSION).$(XZ_SUFFIX)
>  XZ_SOURCE	:= $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>  XZ_DIR		:= $(BUILDDIR)/$(XZ)
> -XZ_LICENSE	:= public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
> +XZ_LICENSE	:= 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
>  XZ_LICENSE_FILES := \
> -	file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
> +	file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>  	file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>  	file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>  	file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
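Review bot: The GitHub tag archive that `XZ_URL` now points at is verified only by `XZ_MD5`, and MD5 is not collision resistant, so the pin is weaker than the stated goal of avoiding malicious tarballs suggests. An auto-generated archive also carries no upstream signature, which leaves the checksum in this rule file as the sole integrity check for the source. I would record that next to the URL, for example `# GitHub tag archive, no upstream signature: XZ_MD5 is the only integrity check, compare against the git tag on every bump`. Whether ptxdist offers a stronger digest for sources is not visible in this hunk; if it does, it should be used here.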
> @@ -32,37 +32,30 @@ XZ_LICENSE_FILES := \
>  # Prepare
>  # ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -XZ_CONF_TOOL	:= autoconf
> +XZ_CONF_TOOL	:= cmake
>  XZ_CONF_OPT	:= \
> -	$(CROSS_AUTOCONF_USR) \
> -	--disable-debug \
> -	--disable-external-sha256 \
> -	--disable-microlzma \
> -	--disable-lzip-decoder \
> -	--enable-assembler \
> -	--enable-clmul-crc \
> -	--disable-small \
> -	--enable-threads \
> -	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xz \
> -	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xzdec \
> -	--disable-lzmadec \
> -	--disable-lzmainfo \
> -	--disable-lzma-links \
> -	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
> -	--disable-doc \
> -	--disable-sandbox \
> -	--enable-shared \
> -	--disable-static \
> -	--enable-symbol-versions \
> -	--disable-nls \
> -	--disable-rpath \
> -	$(GLOBAL_LARGE_FILE_OPTION) \
> -	--enable-unaligned-access=auto \
> -	--disable-unsafe-type-punning \
> -	--disable-werror
> +	$(CROSS_CMAKE_USR) \
> +	-DBUILD_SHARED_LIBS=ON \
> +	-DBUILD_TESTING=OFF \
> +	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
> +	-DXZ_DOC=OFF \
> +	-DXZ_DOXYGEN=OFF \
> +	-DXZ_EXTERNAL_SHA256=OFF \
> +	-DXZ_LZIP_DECODER=OFF \
> +	-DXZ_MICROLZMA_DECODER=OFF \
> +	-DXZ_MICROLZMA_ENCODER=OFF \
> +	-DXZ_NLS=OFF \
> +	-DXZ_SANDBOX=no \
> +	-DXZ_SMALL=OFF \
> +	-DXZ_SYMBOL_VERSIONING=linux \
> +	-DXZ_THREADS=yes \
> +	-DXZ_TOOL_LZMADEC=OFF \
> +	-DXZ_TOOL_LZMAINFO=OFF \
> +	-DXZ_TOOL_SCRIPTS=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
> +	-DXZ_TOOL_SYMLINKS=OFF \
> +	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
> +	-DXZ_TOOL_XZ=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
> +	-DXZ_TOOL_XZDEC=$(call ptx/onoff,PTXCONF_XZ_TOOLS)
>  
>  # ----------------------------------------------------------------------------
>  # Target-Install
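Review bot: The new `XZ_CONF_OPT` no longer contains `$(GLOBAL_LARGE_FILE_OPTION)` or any counterpart to `--enable-assembler`, `--enable-clmul-crc` and `--enable-unaligned-access=auto`, so these now follow whatever xz's CMake build picks by default. The old list pinned every switch explicitly, which kept the target build reproducible across upstream default changes. If leaving them to the defaults is intended, a comment above the list would say so, for example `# large file support and CRC/assembler acceleration follow the xz CMake defaults`. The host list in rules/host-xz.make drops the same acceleration switches.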


