* [ptxdist] [PATCH v2] xz: version bump 5.4.4 -> 5.8.1
@ 2025-10-21 16:01 Sven Püschel
  2025-10-23 13:13 ` [ptxdist] [APPLIED] " Michael Olbrich
From: Sven Püschel @ 2025-10-21 16:01 UTC (permalink / raw)
  To: ptxdist; +Cc: Sven Püschel

This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.

To avoid malicious tarballs, which happened in the past, switch to the
automatically generated tarballs from GitHub. As xz also has a
feature complete CMake build system, use it to avoid adding an
autogen.sh file.

Most parts of the COPYING file replaced public domain licenses with
0BSD. But public domain is still mentioned for some old translations.
Therefore only add 0BSD to the license list.

Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
---
 rules/host-xz.in   |  1 +
 rules/host-xz.make | 52 ++++++++++++++++---------------------
 rules/xz.in        |  1 +
 rules/xz.make      | 65 +++++++++++++++++++++-------------------------
 4 files changed, 54 insertions(+), 65 deletions(-)

diff --git a/rules/host-xz.in b/rules/host-xz.in
index 9d1b4fe6a..b38a42194 100644
--- a/rules/host-xz.in
+++ b/rules/host-xz.in
@@ -2,6 +2,7 @@
 
 config HOST_XZ
 	tristate
+	select HOST_CMAKE
 	default y if ALLYES
 	help
 	  XZ-format compression utilities
diff --git a/rules/host-xz.make b/rules/host-xz.make
index c04db9567..c719421b5 100644
--- a/rules/host-xz.make
+++ b/rules/host-xz.make
@@ -15,35 +15,29 @@ HOST_PACKAGES-$(PTXCONF_HOST_XZ) += host-xz
 # Prepare
 # ----------------------------------------------------------------------------
 
-#
-# autoconf
-#
-HOST_XZ_CONF_TOOL	:= autoconf
+HOST_XZ_CONF_TOOL	:= cmake
 HOST_XZ_CONF_OPT	:= \
-	$(HOST_AUTOCONF) \
-	--disable-debug \
-	--disable-external-sha256 \
-	--disable-microlzma \
-	--disable-lzip-decoder \
-	--enable-assembler \
-	--enable-clmul-crc \
-	--disable-small \
-	--enable-threads \
-	--enable-xz \
-	--disable-xzdec \
-	--disable-lzmadec \
-	--disable-lzmainfo \
-	--disable-lzma-links \
-	--disable-scripts \
-	--disable-doc \
-	--disable-sandbox \
-	--enable-shared \
-	--disable-static \
-	--enable-symbol-versions \
-	--disable-nls \
-	--enable-rpath \
-	--enable-unaligned-access=auto \
-	--disable-unsafe-type-punning \
-	--disable-werror
+	$(HOST_CMAKE_OPT) \
+	-DBUILD_SHARED_LIBS=ON \
+	-DBUILD_TESTING=OFF \
+	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
+	-DXZ_DOC=OFF \
+	-DXZ_DOXYGEN=OFF \
+	-DXZ_EXTERNAL_SHA256=OFF \
+	-DXZ_LZIP_DECODER=OFF \
+	-DXZ_MICROLZMA_DECODER=OFF \
+	-DXZ_MICROLZMA_ENCODER=OFF \
+	-DXZ_NLS=OFF \
+	-DXZ_SANDBOX=no \
+	-DXZ_SMALL=OFF \
+	-DXZ_SYMBOL_VERSIONING=linux \
+	-DXZ_THREADS=yes \
+	-DXZ_TOOL_LZMADEC=OFF \
+	-DXZ_TOOL_LZMAINFO=OFF \
+	-DXZ_TOOL_SCRIPTS=OFF \
+	-DXZ_TOOL_SYMLINKS=OFF \
+	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
+	-DXZ_TOOL_XZ=ON \
+	-DXZ_TOOL_XZDEC=OFF
 
 # vim: syntax=make
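Review bot: The new HOST_XZ_CONF_OPT list has no counterpart for the dropped `--enable-assembler`, `--enable-clmul-crc` and `--enable-rpath` options, so those behaviours now depend on the xz CMake defaults and on whatever `$(HOST_CMAKE_OPT)` passes, neither of which is visible in this hunk. If that reliance is intentional, a one-line comment above the list such as `# assembler/CLMUL CRC and rpath: rely on the xz CMake defaults and HOST_CMAKE_OPT` would keep the next version bump from re-adding them blindly. `-DXZ_SANDBOX=no` keeps the xz tool's sandbox disabled as the old `--disable-sandbox` did; since that is a hardening knob, a short comment stating why it stays off is worth having here too. The same missing-counterpart point applies to the XZ_CONF_OPT hunk in rules/xz.make, where `--disable-rpath` and `$(GLOBAL_LARGE_FILE_OPTION)` are dropped without a CMake equivalent as well.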
diff --git a/rules/xz.in b/rules/xz.in
index 9f31a4f45..f61a58f05 100644
--- a/rules/xz.in
+++ b/rules/xz.in
@@ -2,6 +2,7 @@
 
 menuconfig XZ
 	tristate
+	select HOST_CMAKE
 	prompt "xz                            "
 	help
 	  XZ Utils is free general-purpose data compression software
diff --git a/rules/xz.make b/rules/xz.make
index f24a2ac03..d80ce9276 100644
--- a/rules/xz.make
+++ b/rules/xz.make
@@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
 #
 # Paths and names
 #
-XZ_VERSION	:= 5.4.4
-XZ_MD5		:= fbb849a27e266964aefe26bad508144f
+XZ_VERSION	:= 5.8.1
+XZ_MD5		:= 1be5d8137d7b5e91fa9ff8a6fdc4895b
 XZ		:= xz-$(XZ_VERSION)
-XZ_SUFFIX	:= tar.bz2
-XZ_URL		:= https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
+XZ_SUFFIX	:= tar.gz
+XZ_URL		:= https://github.com/tukaani-project/xz/archive/refs/tags/v$(XZ_VERSION).$(XZ_SUFFIX)
 XZ_SOURCE	:= $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
 XZ_DIR		:= $(BUILDDIR)/$(XZ)
-XZ_LICENSE	:= public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
+XZ_LICENSE	:= 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
 XZ_LICENSE_FILES := \
-	file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
+	file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
 	file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 	file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
 	file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
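Review bot: `XZ_URL` now fetches an on-the-fly GitHub tag archive instead of the upstream release tarball, so `XZ_MD5` is the only integrity anchor for the source, and GitHub does not guarantee that generated archives stay byte-identical over time; a later hash mismatch may therefore mean a regenerated archive rather than tampering and should be re-verified against the upstream tag instead of being fixed by a blind hash update. Record the reason given in the commit message next to the URL, e.g. `# GitHub auto-generated tag archive, deliberately not the release tarball`, so the choice survives the next bump. The archive extracts to xz-$(XZ_VERSION), which matches `XZ_DIR`, presumably why `XZ` keeps its form. Whether ptxdist additionally verifies a signature for this source is not visible here.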
@@ -32,37 +32,30 @@ XZ_LICENSE_FILES := \
 # Prepare
 # ----------------------------------------------------------------------------
 
-#
-# autoconf
-#
-XZ_CONF_TOOL	:= autoconf
+XZ_CONF_TOOL	:= cmake
 XZ_CONF_OPT	:= \
-	$(CROSS_AUTOCONF_USR) \
-	--disable-debug \
-	--disable-external-sha256 \
-	--disable-microlzma \
-	--disable-lzip-decoder \
-	--enable-assembler \
-	--enable-clmul-crc \
-	--disable-small \
-	--enable-threads \
-	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xz \
-	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xzdec \
-	--disable-lzmadec \
-	--disable-lzmainfo \
-	--disable-lzma-links \
-	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
-	--disable-doc \
-	--disable-sandbox \
-	--enable-shared \
-	--disable-static \
-	--enable-symbol-versions \
-	--disable-nls \
-	--disable-rpath \
-	$(GLOBAL_LARGE_FILE_OPTION) \
-	--enable-unaligned-access=auto \
-	--disable-unsafe-type-punning \
-	--disable-werror
+	$(CROSS_CMAKE_USR) \
+	-DBUILD_SHARED_LIBS=ON \
+	-DBUILD_TESTING=OFF \
+	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
+	-DXZ_DOC=OFF \
+	-DXZ_DOXYGEN=OFF \
+	-DXZ_EXTERNAL_SHA256=OFF \
+	-DXZ_LZIP_DECODER=OFF \
+	-DXZ_MICROLZMA_DECODER=OFF \
+	-DXZ_MICROLZMA_ENCODER=OFF \
+	-DXZ_NLS=OFF \
+	-DXZ_SANDBOX=no \
+	-DXZ_SMALL=OFF \
+	-DXZ_SYMBOL_VERSIONING=linux \
+	-DXZ_THREADS=yes \
+	-DXZ_TOOL_LZMADEC=OFF \
+	-DXZ_TOOL_LZMAINFO=OFF \
+	-DXZ_TOOL_SCRIPTS=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
+	-DXZ_TOOL_SYMLINKS=OFF \
+	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
+	-DXZ_TOOL_XZ=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
+	-DXZ_TOOL_XZDEC=$(call ptx/onoff,PTXCONF_XZ_TOOLS)
 
 # ----------------------------------------------------------------------------
 # Target-Install
-- 
2.47.3





* Re: [ptxdist] [APPLIED] xz: version bump 5.4.4 -> 5.8.1
  2025-10-21 16:01 [ptxdist] [PATCH v2] xz: version bump 5.4.4 -> 5.8.1 Sven Püschel
@ 2025-10-23 13:13 ` Michael Olbrich
From: Michael Olbrich @ 2025-10-23 13:13 UTC (permalink / raw)
  To: ptxdist; +Cc: Sven Püschel

Thanks, applied as a29631c251345c6f4ac72844a8ac4495c5708f82.

Michael

[sent from post-receive hook]

On Thu, 23 Oct 2025 15:13:52 +0200, Sven Püschel <s.pueschel@pengutronix.de> wrote:
> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
> 
> To avoid malicious tarballs, which happened in the past switch to the
> automatically generated tarballs from by GitHub. As xz also has a
> feature complete CMake build system, use it to avoid adding an
> autogen.sh file.
> 
> Most parts of the COPYING file replaced public domain licenses with
> 0BSD. But public domain is still mentioned for some old translations.
> Therefore only add 0BSD to the license list.
> 
> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
> Message-Id: <20251021160152.2405903-1-s.pueschel@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-xz.in b/rules/host-xz.in
> index 9d1b4fe6aec1..b38a42194d55 100644
> --- a/rules/host-xz.in
> +++ b/rules/host-xz.in
> @@ -2,6 +2,7 @@
>  
>  config HOST_XZ
>  	tristate
> +	select HOST_CMAKE
>  	default y if ALLYES
>  	help
>  	  XZ-format compression utilities
> diff --git a/rules/host-xz.make b/rules/host-xz.make
> index c04db9567550..c719421b5da6 100644
> --- a/rules/host-xz.make
> +++ b/rules/host-xz.make
> @@ -15,35 +15,29 @@ HOST_PACKAGES-$(PTXCONF_HOST_XZ) += host-xz
>  # Prepare
>  # ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -HOST_XZ_CONF_TOOL	:= autoconf
> +HOST_XZ_CONF_TOOL	:= cmake
>  HOST_XZ_CONF_OPT	:= \
> -	$(HOST_AUTOCONF) \
> -	--disable-debug \
> -	--disable-external-sha256 \
> -	--disable-microlzma \
> -	--disable-lzip-decoder \
> -	--enable-assembler \
> -	--enable-clmul-crc \
> -	--disable-small \
> -	--enable-threads \
> -	--enable-xz \
> -	--disable-xzdec \
> -	--disable-lzmadec \
> -	--disable-lzmainfo \
> -	--disable-lzma-links \
> -	--disable-scripts \
> -	--disable-doc \
> -	--disable-sandbox \
> -	--enable-shared \
> -	--disable-static \
> -	--enable-symbol-versions \
> -	--disable-nls \
> -	--enable-rpath \
> -	--enable-unaligned-access=auto \
> -	--disable-unsafe-type-punning \
> -	--disable-werror
> +	$(HOST_CMAKE_OPT) \
> +	-DBUILD_SHARED_LIBS=ON \
> +	-DBUILD_TESTING=OFF \
> +	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
> +	-DXZ_DOC=OFF \
> +	-DXZ_DOXYGEN=OFF \
> +	-DXZ_EXTERNAL_SHA256=OFF \
> +	-DXZ_LZIP_DECODER=OFF \
> +	-DXZ_MICROLZMA_DECODER=OFF \
> +	-DXZ_MICROLZMA_ENCODER=OFF \
> +	-DXZ_NLS=OFF \
> +	-DXZ_SANDBOX=no \
> +	-DXZ_SMALL=OFF \
> +	-DXZ_SYMBOL_VERSIONING=linux \
> +	-DXZ_THREADS=yes \
> +	-DXZ_TOOL_LZMADEC=OFF \
> +	-DXZ_TOOL_LZMAINFO=OFF \
> +	-DXZ_TOOL_SCRIPTS=OFF \
> +	-DXZ_TOOL_SYMLINKS=OFF \
> +	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
> +	-DXZ_TOOL_XZ=ON \
> +	-DXZ_TOOL_XZDEC=OFF
>  
>  # vim: syntax=make
> diff --git a/rules/xz.in b/rules/xz.in
> index 9f31a4f45343..f61a58f05c74 100644
> --- a/rules/xz.in
> +++ b/rules/xz.in
> @@ -2,6 +2,7 @@
>  
>  menuconfig XZ
>  	tristate
> +	select HOST_CMAKE
>  	prompt "xz                            "
>  	help
>  	  XZ Utils is free general-purpose data compression software
> diff --git a/rules/xz.make b/rules/xz.make
> index f24a2ac03442..d80ce9276670 100644
> --- a/rules/xz.make
> +++ b/rules/xz.make
> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>  #
>  # Paths and names
>  #
> -XZ_VERSION	:= 5.4.4
> -XZ_MD5		:= fbb849a27e266964aefe26bad508144f
> +XZ_VERSION	:= 5.8.1
> +XZ_MD5		:= 1be5d8137d7b5e91fa9ff8a6fdc4895b
>  XZ		:= xz-$(XZ_VERSION)
> -XZ_SUFFIX	:= tar.bz2
> -XZ_URL		:= https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
> +XZ_SUFFIX	:= tar.gz
> +XZ_URL		:= https://github.com/tukaani-project/xz/archive/refs/tags/v$(XZ_VERSION).$(XZ_SUFFIX)
>  XZ_SOURCE	:= $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>  XZ_DIR		:= $(BUILDDIR)/$(XZ)
> -XZ_LICENSE	:= public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
> +XZ_LICENSE	:= 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
>  XZ_LICENSE_FILES := \
> -	file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
> +	file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>  	file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>  	file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>  	file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
> @@ -32,37 +32,30 @@ XZ_LICENSE_FILES := \
>  # Prepare
>  # ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -XZ_CONF_TOOL	:= autoconf
> +XZ_CONF_TOOL	:= cmake
>  XZ_CONF_OPT	:= \
> -	$(CROSS_AUTOCONF_USR) \
> -	--disable-debug \
> -	--disable-external-sha256 \
> -	--disable-microlzma \
> -	--disable-lzip-decoder \
> -	--enable-assembler \
> -	--enable-clmul-crc \
> -	--disable-small \
> -	--enable-threads \
> -	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xz \
> -	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-xzdec \
> -	--disable-lzmadec \
> -	--disable-lzmainfo \
> -	--disable-lzma-links \
> -	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
> -	--disable-doc \
> -	--disable-sandbox \
> -	--enable-shared \
> -	--disable-static \
> -	--enable-symbol-versions \
> -	--disable-nls \
> -	--disable-rpath \
> -	$(GLOBAL_LARGE_FILE_OPTION) \
> -	--enable-unaligned-access=auto \
> -	--disable-unsafe-type-punning \
> -	--disable-werror
> +	$(CROSS_CMAKE_USR) \
> +	-DBUILD_SHARED_LIBS=ON \
> +	-DBUILD_TESTING=OFF \
> +	-DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
> +	-DXZ_DOC=OFF \
> +	-DXZ_DOXYGEN=OFF \
> +	-DXZ_EXTERNAL_SHA256=OFF \
> +	-DXZ_LZIP_DECODER=OFF \
> +	-DXZ_MICROLZMA_DECODER=OFF \
> +	-DXZ_MICROLZMA_ENCODER=OFF \
> +	-DXZ_NLS=OFF \
> +	-DXZ_SANDBOX=no \
> +	-DXZ_SMALL=OFF \
> +	-DXZ_SYMBOL_VERSIONING=linux \
> +	-DXZ_THREADS=yes \
> +	-DXZ_TOOL_LZMADEC=OFF \
> +	-DXZ_TOOL_LZMAINFO=OFF \
> +	-DXZ_TOOL_SCRIPTS=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
> +	-DXZ_TOOL_SYMLINKS=OFF \
> +	-DXZ_TOOL_SYMLINKS_LZMA=OFF \
> +	-DXZ_TOOL_XZ=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
> +	-DXZ_TOOL_XZDEC=$(call ptx/onoff,PTXCONF_XZ_TOOLS)
>  
>  # ----------------------------------------------------------------------------
>  # Target-Install



