mailarchive of the ptxdist mailing list
From: Christian Melki <christian.melki@t2data.com>
To: s.pueschel@pengutronix.de
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] xz: version bump 5.4.4 -> 5.8.1
Date: Tue, 21 Oct 2025 15:18:01 +0200
Message-ID: <d0b38ee1-ea62-472b-b3fa-5375ad1f5bac@t2data.com>
In-Reply-To: <20251021131035.2034805-1-s.pueschel@pengutronix.de>

Hi Sven.

Glad you did this. There was a bit of controversy regarding the xz bump
at the time after the project got compromised. I don't remember what
it was about, but I don't mind xz at all.
Could you also be so kind and check the host-* equivalents too?

Regards,
Christian

On 10/21/25 3:10 PM, Sven Püschel wrote:
> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
> 
> Most parts of the COPYING file replaced public domain licenses with
> 0BSD. But public domain is still mentioned for some old translations.
> Therefore only add 0BSD to the license list.
> 
> Signed-off-by: Sven Püschel <s.pueschel@pengutronix.de>
> ---
>   rules/xz.make | 12 +++++++-----
>   1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/rules/xz.make b/rules/xz.make
> index f24a2ac03..90a32f728 100644
> --- a/rules/xz.make
> +++ b/rules/xz.make
> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>   #
>   # Paths and names
>   #
> -XZ_VERSION	:= 5.4.4
> -XZ_MD5		:= fbb849a27e266964aefe26bad508144f
> +XZ_VERSION	:= 5.8.1
> +XZ_MD5		:= a814a04a94c5ce757e2f90e387bd1a5c
>   XZ		:= xz-$(XZ_VERSION)
>   XZ_SUFFIX	:= tar.bz2
>   XZ_URL		:= https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
>   XZ_SOURCE	:= $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>   XZ_DIR		:= $(BUILDDIR)/$(XZ)
> -XZ_LICENSE	:= public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
> +XZ_LICENSE	:= 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later
>   XZ_LICENSE_FILES := \
> -	file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
> +	file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>   	file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>   	file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>   	file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
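Review bot: The new XZ_MD5 value is the only integrity pin for the tarball fetched from XZ_URL, and the commit message does not say how it was obtained. Please state in the commit message that the downloaded archive was checked against the upstream release signature or a checksum published by upstream before the hash was recorded, so the pin is known to describe the genuine 5.8.1 release and not just whatever was downloaded. The COPYING md5 change is consistent with the licence explanation in the message.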
> @@ -53,6 +53,7 @@ XZ_CONF_OPT	:= \
>   	--disable-lzma-links \
>   	--$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
>   	--disable-doc \
> +	--disable-doxygen \
>   	--disable-sandbox \
>   	--enable-shared \
>   	--disable-static \
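Review bot: The added --disable-doxygen line is not mentioned in the commit message, which only covers the CVE and the licence change. Please add a sentence saying that the option is new between 5.4.4 and 5.8.1 and why it is set. The unchanged --disable-sandbox line right below it also deserves a short justification in the message, given that this bump is motivated by a memory-safety fix in the decoder.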
> @@ -62,7 +63,8 @@ XZ_CONF_OPT	:= \
>   	$(GLOBAL_LARGE_FILE_OPTION) \
>   	--enable-unaligned-access=auto \
>   	--disable-unsafe-type-punning \
> -	--disable-werror
> +	--disable-werror \
> +	--$(call ptx/endis, PTXDIST_Y2038)-year2038
>   
>   # ----------------------------------------------------------------------------
>   # Target-Install
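Review bot: In the added line "--$(call ptx/endis, PTXDIST_Y2038)-year2038" there is a space after the comma, unlike "$(call ptx/endis,PTXCONF_XZ_TOOLS)" in the previous hunk. GNU make keeps whitespace in the arguments of $(call ...), so the macro receives " PTXDIST_Y2038" with a leading space and may not resolve the variable as intended; drop the space. The new year2038 option is also missing from the commit message, and it uses a PTXDIST_ prefix where the other call uses PTXCONF_, so please confirm that is the intended symbol.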



