Hello community,
here is the log from the commit of package xz for openSUSE:Factory checked in at 2024-06-03 17:40:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xz (Old)
and /work/SRC/openSUSE:Factory/.xz.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xz"
Mon Jun 3 17:40:26 2024 rev:91 rq:1177928 version:5.6.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/xz/xz.changes 2024-04-14 12:23:50.127839954 +0200
+++ /work/SRC/openSUSE:Factory/.xz.new.24587/xz.changes 2024-06-03 17:40:28.048389967 +0200
@@ -1,0 +2,40 @@
+Thu May 30 06:08:18 UTC 2024 - Paolo Stivanin
+
+- Update to 5.6.2:
+ * Remove the backdoor (CVE-2024-3094).
+ * Not changed: Memory sanitizer (MSAN) has a false positive
+ in the CRC CLMUL code which also makes OSS Fuzz unhappy.
+ Valgrind is smarter and doesn't complain.
+ A revision to the CLMUL code is coming anyway and this issue
+ will be cleaned up as part of it. It won't be backported to
+ 5.6.x or 5.4.x because the old code isn't wrong. There is
+ no reason to risk introducing regressions in old branches
+ just to silence a false positive.
+ * liblzma:
+ - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
+ a missing output pointer initialization (*i = NULL) if the
+ functions are called with invalid arguments. The API docs
+ say that such an initialization is always done. In practice
+ this matters very little because the problem can only occur
+ if the calling application has a bug and these functions
+ return LZMA_PROG_ERROR.
+ - lzma_str_to_filters(): Fix a missing output pointer
+ initialization (*error_pos = 0). This is very similar
+ to the fix above.
+ - Fix C standard conformance with function pointer types.
+ - Remove GNU indirect function (IFUNC) support. This is *NOT*
+ done for security reasons even though the backdoor relied on
+ this code. The performance benefits of IFUNC are too tiny in
+ this project to make the extra complexity worth it.
+ - FreeBSD on ARM64: Add error checking to CRC32 instruction
+ support detection.
+ - Fix building with NVIDIA HPC SDK.
+ * xz:
+ - Fix a C standard conformance issue in --block-list parsing
+ (arithmetic on a null pointer).
+ - Fix a warning from GNU groff when processing the man page:
+ "warning: cannot select font 'CW'"
+ * xzdec: Add support for Linux Landlock ABI version 4. xz already
+ had the v3-to-v4 change but it had been forgotten from xzdec.
+
+-------------------------------------------------------------------
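Review bot: The new entry records only the upstream 5.6.2 notes under "Update to 5.6.2", while the Old/New source lists show the package moving from xz-5.4.2.tar.gz to xz-5.6.2.tar.xz. Everything upstream changed between 5.4.2 and 5.6.2 reaches users with this update but is not mentioned. Please either summarize the intermediate releases or state explicitly that the package was previously pinned to 5.4.2 as 5.6.1.revertto5.4. The entry should also note the packaging changes made in xz.spec (dropping real_ver, switching the source tarball from .tar.gz to .tar.xz).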
Old:
----
xz-5.4.2.tar.gz
xz-5.4.2.tar.gz.sig
New:
----
xz-5.6.2.tar.xz
xz-5.6.2.tar.xz.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xz.spec ++++++
--- /var/tmp/diff_new_pack.rSm4Cf/_old 2024-06-03 17:40:29.120429301 +0200
+++ /var/tmp/diff_new_pack.rSm4Cf/_new 2024-06-03 17:40:29.120429301 +0200
@@ -23,17 +23,15 @@
%bcond_with static
%endif
-%global real_ver 5.4.2
-
Name: xz
-Version: 5.6.1.revertto5.4
+Version: 5.6.2
Release: 0
Summary: A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
License: 0BSD AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Archiving/Compression
URL: https://tukaani.org/xz/
-Source0: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz
-Source1: https://github.com/tukaani-project/xz/releases/download/v%{real_ver}/xz-%{real_ver}.tar.gz.sig
+Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz
+Source1: https://github.com/tukaani-project/xz/releases/download/v%{version}/xz-%{version}.tar.xz.sig
Source2: baselibs.conf
Source3: https://tukaani.org/misc/lasse_collin_pubkey.txt#/xz.keyring
Source4: xznew
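Review bot: Source1 (the .sig) and Source3 (xz.keyring) are declared, but nothing in the lines shown here verifies Source0 against them. For a release whose headline change is the removal of CVE-2024-3094, please confirm that the signature check actually runs before the tarball is unpacked, and that it fails the build on a mismatch. Separately, Source0 is now a .tar.xz, so unpacking xz's own source requires a working xz in the build root; worth checking that this does not create a bootstrap cycle where the .tar.gz did not.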
@@ -93,7 +91,7 @@
%endif
%prep
-%autosetup -n xz-%{real_ver}
+%autosetup -p1
%build
%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
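Review bot: The new "%autosetup -p1" line adds a patch strip level, yet no Patch tag is added in this diff and the changes entry mentions no patches. If none exist, plain "%autosetup" is enough and avoids implying that downstream patches are applied. If patches are carried elsewhere in the spec, please list them in xz.changes. Dropping "-n xz-%{real_ver}" is consistent with Version now matching the tarball directory name.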