Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package xz for openSUSE:Factory checked in at 2024-06-03 17:40:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xz (Old)
 and      /work/SRC/openSUSE:Factory/.xz.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xz"

Mon Jun  3 17:40:26 2024 rev:91 rq:1177928 version:5.6.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/xz/xz.changes	2024-04-14 12:23:50.127839954 +0200
+++ /work/SRC/openSUSE:Factory/.xz.new.24587/xz.changes	2024-06-03 17:40:28.048389967 +0200
@@ -1,0 +2,40 @@ +Thu May 30 06:08:18 UTC 2024 - Paolo Stivanin <info@paolostivanin.com> + +- Update to 5.6.2: + * Remove the backdoor (CVE-2024-3094). + * Not changed: Memory sanitizer (MSAN) has a false positive + in the CRC CLMUL code which also makes OSS Fuzz unhappy. + Valgrind is smarter and doesn't complain. + A revision to the CLMUL code is coming anyway and this issue + will be cleaned up as part of it. It won't be backported to + 5.6.x or 5.4.x because the old code isn't wrong. There is + no reason to risk introducing regressions in old branches + just to silence a false positive. + * liblzma: + - lzma_index_decoder() and lzma_index_buffer_decode(): Fix + a missing output pointer initialization (*i = NULL) if the + functions are called with invalid arguments. The API docs + say that such an initialization is always done. In practice + this matters very little because the problem can only occur + if the calling application has a bug and these functions + return LZMA_PROG_ERROR. + - lzma_str_to_filters(): Fix a missing output pointer + initialization (*error_pos = 0). This is very similar + to the fix above. + - Fix C standard conformance with function pointer types. + - Remove GNU indirect function (IFUNC) support. This is *NOT* + done for security reasons even though the backdoor relied on + this code. The performance benefits of IFUNC are too tiny in + this project to make the extra complexity worth it. + - FreeBSD on ARM64: Add error checking to CRC32 instruction + support detection. + - Fix building with NVIDIA HPC SDK. + * xz: + - Fix a C standard conformance issue in --block-list parsing + (arithmetic on a null pointer). + - Fix a warning from GNU groff when processing the man page: + "warning: cannot select font 'CW'" + * xzdec: Add support for Linux Landlock ABI version 4. xz already + had the v3-to-v4 change but it had been forgotten from xzdec. 
+ +------------------------------------------------------------------- Old: ---- xz-5.4.2.tar.gz xz-5.4.2.tar.gz.sig New: ---- xz-5.6.2.tar.xz xz-5.6.2.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xz.spec ++++++ --- /var/tmp/diff_new_pack.rSm4Cf/_old 2024-06-03 17:40:29.120429301 +0200 +++ /var/tmp/diff_new_pack.rSm4Cf/_new 2024-06-03 17:40:29.120429301 +0200 @@ -23,17 +23,15 @@ %bcond_with static %endif -%global real_ver 5.4.2 - Name: xz -Version: 5.6.1.revertto5.4 +Version: 5.6.2 Release: 0 Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm License: 0BSD AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later Group: Productivity/Archiving/Compression URL: https://tukaani.org/xz/ -Source0: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz -Source1: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz.sig +Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz +Source1: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz.sig Source2: baselibs.conf Source3: https://tukaani.org/misc/lasse_collin_pubkey.txt#/xz.keyring Source4: xznew @@ -93,7 +91,7 @@ %endif %prep -%autosetup -n xz-%{real_ver} +%autosetup -p1 %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
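Review bot: the xz.changes hunk (@@ -1,0 +2,40 @@) records this as "Update to 5.6.2", but the spec diff shows the previous package was Version 5.6.1.revertto5.4 built from xz-5.4.2 sources via real_ver, so the effective source jump is 5.4.2 to 5.6.2 and the quoted 5.6.2 items say nothing about the 5.5.x/5.6.0 changes the package picks up at the same time. Add a line to the entry stating that the revert-to-5.4.2 workaround (real_ver, the .revertto5.4 version suffix) is dropped and that only the 5.6.2 upstream notes are listed, for example "- Drop the revert to 5.4.2 sources now that 5.6.2 has the backdoor removed; changes from 5.5.x/5.6.0 are not listed here."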
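Review bot: in the spec hunk @@ -23,17 +23,15 @@, Source0/Source1 move from the .tar.gz release artifact to .tar.xz, which means unpacking this package's own sources now needs a working xz at build time; if xz is part of the distribution's bootstrap ring that is a circular build dependency, and keeping the .tar.gz (as was used for 5.4.2, if upstream publishes one for v5.6.2 too) avoids it. Source3 (lasse_collin_pubkey.txt as xz.keyring) is left unchanged by this hunk, so confirm that xz-5.6.2.tar.xz.sig actually verifies against that keyring before accepting, exactly as the 5.4.2 signature did.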
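Review bot: the %prep hunk (@@ -93,7 +91,7 @@) adds "-p1" to %autosetup, but no Patch: lines appear anywhere in this spec diff; if the spec carries no patches the flag is dead and should be dropped, and if it does, the patch list change belongs in the same submission so reviewers can see what is applied on top of 5.6.2. Dropping "-n xz-%{real_ver}" is correct, since %autosetup defaults to %{name}-%{version}, i.e. xz-5.6.2, which matches the new tarball.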