Hello,
I hate to raise the alarm, but it looks like this should be scrutinized.
It sounds like a backdoor made it into the upstream repository: https://www.openwall.com/lists/oss-security/2024/03/29/4
On Mon, Mar 18, 2024 at 4:15 AM Christian Weisgerber <naddy@mips.inka.de> wrote:
archivers/xz: update to 5.6.1
* Multithreaded mode is now the default.
* New command line options to set filter chains using the liblzma filter string syntax.
* Significant speed optimizations to the LZMA decoder.
I have added runtime detection code to check for CRC32 instructions
to speed up CRC32 integrity checks on arm64. I intend to submit
this upstream, so if anybody has comments on that, let me know.
(xz defaults to CRC64 anyway, so this has little practical value,
but it is supported on other operating systems.)
Upstream has added pledge() support to xzdec, rendering our previous
patch obsolete.
ok?
diff d65615b6802f8ddeb4536c340034d07be3df3483 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
commit - d65615b6802f8ddeb4536c340034d07be3df3483
commit + 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
blob - d1f7ac3fc25e3152944c4efae9a179e35ab504dc
blob + 40addd5d055828107dd9fdb477184ffa605b5fd1
--- archivers/xz/Makefile
+++ archivers/xz/Makefile
@@ -1,18 +1,19 @@
COMMENT= library and tools for XZ and LZMA compressed files
-DISTNAME= xz-5.4.5
-SHARED_LIBS= lzma 2.2 # 9.4
+VERSION= 5.6.1
+DISTNAME= xz-${VERSION}
+SHARED_LIBS= lzma 2.3 # 11.1
CATEGORIES= archivers
DPB_PROPERTIES= parallel
-HOMEPAGE= https://tukaani.org/xz/
+HOMEPAGE= https://xz.tukaani.org/xz-utils/
MAINTAINER= Christian Weisgerber <naddy@openbsd.org>
# GPLv2+
PERMIT_PACKAGE= Yes
-SITES= ${SITE_SOURCEFORGE:=lzmautils/}
+SITES= https://github.com/tukaani-project/xz/releases/download/v${VERSION}/
# uses pledge()
WANTLIB= c pthread
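Review bot: the SHARED_LIBS bump from `lzma 2.2 # 9.4` to `lzma 2.3 # 11.1` records a jump of two libtool "current" versions behind a single minor bump; please confirm from the 5.4.5 to 5.6.1 symbol list that the ABI only gained interfaces and nothing was removed or changed, otherwise this needs a major bump. Separately, SITES now fetches from `https://github.com/tukaani-project/xz/releases/download/v${VERSION}/` instead of the SourceForge mirror; release assets there are uploaded artifacts rather than an archive generated from the tagged tree, so state in the commit message how the fetched tarball was cross-checked against upstream's published signature before the distinfo in this diff was regenerated.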
blob - 98b88e2abbfec958489da8fba87fb00df54b8532
blob + 83ae5ae9b49b503f0bcb1672db69e161dbb814b0
--- archivers/xz/distinfo
+++ archivers/xz/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xz-5.4.5.tar.gz) = E1yQuTSu6PvA1Gfeh6Bctw1ifaNqvlGMNXqHNwnlt9Y=
-SIZE (xz-5.4.5.tar.gz) = 2884510
+SHA256 (xz-5.6.1.tar.gz) = I5j0qOUzRTJfRL3Z8Mx0Ab2QJdc2xtQ7Ny9N6ne/dbg=
+SIZE (xz-5.6.1.tar.gz) = 3045434
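Review bot: the new `SHA256 (xz-5.6.1.tar.gz)` and `SIZE` values pin whatever tarball was fetched from the GitHub URL in the Makefile; on their own they only guarantee future fetches match this one, not that this one matches what upstream signed. Since the distfile source moved in the same commit, note the upstream-published checksum or signature the hash was compared against so the provenance of the pinned value is reviewable later.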
blob - 6061c7f3c22f7e992a2b66ff5cd7082eb1ffd5c8 (mode 644)
blob + /dev/null
--- archivers/xz/patches/patch-config_h_in
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: config.h.in
---- config.h.in.orig
-+++ config.h.in
-@@ -409,7 +409,11 @@
-
- /* Define to 1 if the system supports fast unaligned access to 16-bit, 32-bit,
- and 64-bit integers. */
--#undef TUKLIB_FAST_UNALIGNED_ACCESS
-+#include <endian.h>
-+#if !defined(__STRICT_ALIGNMENT)
-+#define \
-+ TUKLIB_FAST_UNALIGNED_ACCESS 1
-+
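Review bot: removing `patches/patch-config_h_in` drops the local override that defined `TUKLIB_FAST_UNALIGNED_ACCESS` whenever `__STRICT_ALIGNMENT` is not set, but the commit message only explains the arm64 CRC32 runtime detection and the obsolete pledge() patch for xzdec, not this one. Please either point to where upstream 5.6.1 now performs the equivalent unaligned-access detection on OpenBSD or add a sentence explaining why the override is no longer wanted, so that the performance behaviour change on strict-alignment architectures is an intentional, documented decision rather than a silent side effect of the update.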