[kirkstone,03/24] xz: update 5.2.5 -> 5.2.6

From: Alexander Kanavin <alex.kanavin@gmail.com>

From: Alexander Kanavin <alex.kanavin@gmail.com>

5.2.6 (2022-08-12)

    * xz:

        - The --keep option now accepts symlinks, hardlinks, and
          setuid, setgid, and sticky files. Previously this required
          using --force.

        - When copying metadata from the source file to the destination
          file, don't try to set the group (GID) if it is already set
          correctly. This avoids a failure on OpenBSD (and possibly on
          a few other OSes) where files may get created so that their
          group doesn't belong to the user, and fchown(2) can fail even
          if it needs to do nothing.

        - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
          MIPS32 because on MIPS32 userspace processes are limited
          to 2 GiB of address space.

    * liblzma:

        - Fixed a missing error-check in the threaded encoder. If a
          small memory allocation fails, a .xz file with an invalid
          Index field would be created. Decompressing such a file would
          produce the correct output but result in an error at the end.
          Thus this is a "mild" data corruption bug. Note that while
          a failed memory allocation can trigger the bug, it cannot
          cause invalid memory access.

        - The decoder for .lzma files now supports files that have
          uncompressed size stored in the header and still use the
          end of payload marker (end of stream marker) at the end
          of the LZMA stream. Such files are rare but, according to
          the documentation in LZMA SDK, they are valid.
          doc/lzma-file-format.txt was updated too.

        - Improved 32-bit x86 assembly files:
            * Support Intel Control-flow Enforcement Technology (CET)
            * Use non-executable stack on FreeBSD.

        - Visual Studio: Use non-standard _MSVC_LANG to detect C++
          standard version in the lzma.h API header. It's used to
          detect when "noexcept" can be used.

    * xzgrep:

        - Fixed arbitrary command injection via a malicious filename
          (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for
          this was released to the public on 2022-04-07. A slight
          robustness improvement has been made since then and, if
          using GNU or *BSD grep, a new faster method is now used
          that doesn't use the old sed-based construct at all. This
          also fixes bad output with GNU grep >= 3.5 (2020-09-27)
          when xzgrepping binary files.

          This vulnerability was discovered by:
          cleemy desu wayo working with Trend Micro Zero Day Initiative

        - Fixed detection of corrupt .bz2 files.

        - Improved error handling to fix exit status in some situations
          and to fix handling of signals: in some situations a signal
          didn't make xzgrep exit when it clearly should have. It's
          possible that the signal handling still isn't quite perfect
          but hopefully it's good enough.

        - Documented exit statuses on the man page.

        - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead
          of the deprecated egrep and fgrep commands.

        - Fixed parsing of the options -E, -F, -G, -P, and -X. The
          problem occurred when multiple options were specied in
          a single argument, for example,

              echo foo | xzgrep -Fe foo

          treated foo as a filename because -Fe wasn't correctly
          split into -F -e.

        - Added zstd support.

    * xzdiff/xzcmp:

        - Fixed wrong exit status. Exit status could be 2 when the
          correct value is 1.

        - Documented on the man page that exit status of 2 is used
          for decompression errors.

        - Added zstd support.

    * xzless:

        - Fix less(1) version detection. It failed if the version number
          from "less -V" contained a dot.

    * Translations:

        - Added new translations: Catalan, Croatian, Esperanto,
          Korean, Portuguese, Romanian, Serbian, Spanish, Swedish,
          and Ukrainian

        - Updated the Brazilian Portuguese translation.

        - Added French man page translation. This and the existing
          German translation aren't complete anymore because the
          English man pages got a few updates and the translators
          weren't reached so that they could update their work.

    * Build systems:

        - Windows: Fix building of resource files when config.h isn't
          used. CMake + Visual Studio can now build liblzma.dll.

        - Various fixes to the CMake support. Building static or shared
          liblzma should work fine in most cases. In contrast, building
          the command line tools with CMake is still clearly incomplete
          and experimental and should be used for testing only.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7e3782f4d66973cb7ab922d4bbc6ef6241756ed2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xz/xz/CVE-2022-1271.patch                 | 96 -------------------
 .../xz/{xz_5.2.5.bb => xz_5.2.6.bb}           |  7 +-
 2 files changed, 2 insertions(+), 101 deletions(-)
 delete mode 100644 meta/recipes-extended/xz/xz/CVE-2022-1271.patch
 rename meta/recipes-extended/xz/{xz_5.2.5.bb => xz_5.2.6.bb} (88%)

Message ID	a2a89c73ca7f775c351439cc1b626e96b3bd5c3b.1661624569.git.steve@sakoman.com
State	Accepted, archived
Commit	b2af2fd0dbb3edac0257adc4edfa9bcab4941f92
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.42, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/24] xz: update 5.2.5 -> 5.2.6 Date: Sat, 27 Aug 2022 08:25:27 -1000 Message-Id: <a2a89c73ca7f775c351439cc1b626e96b3bd5c3b.1661624569.git.steve@sakoman.com> In-Reply-To: <cover.1661624569.git.steve@sakoman.com> References: <cover.1661624569.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/24] vim: Upgrade 9.0.0115 -> 9.0.0242 \| expand [kirkstone,01/24] vim: Upgrade 9.0.0115 -> 9.0.0242 [kirkstone,02/24] tzdata: upgrade 2022a -> 2022b [kirkstone,03/24] xz: update 5.2.5 -> 5.2.6 [kirkstone,04/24] Revert "gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow" [kirkstone,05/24] gdk-pixbuf: upgrade 2.42.6 -> 2.42.8 [kirkstone,06/24] gdk-pixbuf: update 2.42.8 -> 2.42.9 [kirkstone,07/24] epiphany: upgrade 42.3 -> 42.4 [kirkstone,08/24] glib-networking: upgrade 2.72.1 -> 2.72.2 [kirkstone,09/24] libjpeg-turbo: upgrade 2.1.3 -> 2.1.4 [kirkstone,10/24] libwebp: upgrade 1.2.3 -> 1.2.4 [kirkstone,11/24] wireless-regdb: upgrade 2022.06.06 -> 2022.08.12 [kirkstone,12/24] wpebackend-fdo: upgrade 1.12.0 -> 1.12.1 [kirkstone,13/24] sysvinit-inittab/start_getty: Fix respawn too fast [kirkstone,14/24] kernel-fitimage.bbclass: only package unique DTBs [kirkstone,15/24] oeqa/parselogs: add qemuarmv5 arm-charlcd masking [kirkstone,16/24] package_rpm: Do not replace square brackets in %files [kirkstone,17/24] sanity: add a comment to ensure CONNECTIVITY_CHECK_URIS is correct [kirkstone,18/24] oeqa/qemurunner: add run_serial() comment [kirkstone,19/24] oeqa/selftest: rename git.py to intercept.py [kirkstone,20/24] oeqa/gotoolchain: put writable files in the Go module cache [kirkstone,21/24] oeqa/gotoolchain: set CGO_ENABLED=1 [kirkstone,22/24] wic: add target tools to PATH when executing native commands [kirkstone,23/24] wic/bootimg-efi: use cross objcopy when building unified kernel image [kirkstone,24/24] wic: depend on cross-binutils

[kirkstone,03/24] xz: update 5.2.5 -> 5.2.6

Commit Message

Patch