Ted Hess staging tree https://git-03.infra.openwrt.org/openwrt/staging/thess/atom?h=main 2025-12-21T19:49:22Z 2025-12-21T19:49:22Z Shiji Yang 2025-12-18T13:26:36Z urn:sha1:def7548867741206f6788d55e58d7417d859e106 Release Notes: https://github.com/tukaani-project/xz/releases/tag/v5.8.2 Signed-off-by: Shiji Yang <yangshiji66@outlook.com> Link: https://github.com/openwrt/openwrt/pull/21208 Signed-off-by: Robert Marko <robimarko@gmail.com> 2025-04-22T11:20:05Z Robert Marko 2025-04-21T11:23:20Z urn:sha1:269f251ba6eae8981e3dbc13f355fc1f53b955ba 5.8.1 (2025-04-03) * Multithreaded .xz decoder (lzma_stream_decoder_mt()): - Fix a bug that could at least result in a crash with invalid input. (CVE-2025-31115) - Fix a performance bug: Only one thread was used if the whole input file was provided at once to lzma_code(), the output buffer was big enough, timeout was disabled, and LZMA_FINISH was used. There are no bug reports about this, thus it's possible that no real-world application was affected. * Avoid <stdalign.h> even with C11/C17 compilers. This fixes the build with Oracle Developer Studio 12.6 on Solaris 10 when the compiler is in C11 mode (the header doesn't exist). * Autotools: Restore compatibility with GNU make versions older than 4.0 by creating the package using GNU gettext 0.23.1 infrastructure instead of 0.24. * Update Croatian translation. Link: https://github.com/openwrt/openwrt/pull/18558 Signed-off-by: Robert Marko <robimarko@gmail.com> 2025-04-01T19:47:15Z Shiji Yang 2025-03-28T16:10:25Z urn:sha1:e37ad78539d410368de2e5b95388b3acf8686126 Changelogs: https://github.com/tukaani-project/xz/releases/tag/v5.8.0 Signed-off-by: Shiji Yang <yangshiji66@outlook.com> Link: https://github.com/openwrt/openwrt/pull/18367 Signed-off-by: Nick Hainke <vincent@systemli.org> 2025-02-23T11:21:26Z Shiji Yang 2025-02-21T13:18:22Z urn:sha1:3ffe54a1e19fa0f26c158e8fc7d2af2b8e409ba4 The serious liblzma backdoor vulnerability (CVE-2024-3094) has been fixed since v5.6.2. It's time to bump this tool to the latest version. This patch also added a new GitHub package URL. Changelogs: https://github.com/tukaani-project/xz/releases/tag/v5.6.2 https://github.com/tukaani-project/xz/releases/tag/v5.6.3 https://github.com/tukaani-project/xz/releases/tag/v5.6.4 Signed-off-by: Shiji Yang <yangshiji66@qq.com> Link: https://github.com/openwrt/openwrt/pull/18063 Signed-off-by: Nick Hainke <vincent@systemli.org> 2024-03-29T16:59:56Z Petr Štetiar 2024-03-29T16:59:01Z urn:sha1:d4b6b76443207103d3a7c0eae5c0085317fb584f This reverts commit 714c91d1a63f29650abaa9cf69ffa47cf2c70297 as probably the upstream xz repository and the xz tarballs have been backdoored. References: https://www.openwall.com/lists/oss-security/2024/03/29/4. Signed-off-by: Petr Štetiar <ynezz@true.cz> 2024-03-29T05:56:43Z Nick Hainke 2024-03-28T20:36:29Z urn:sha1:714c91d1a63f29650abaa9cf69ffa47cf2c70297 Change mirror to github. Signed-off-by: Nick Hainke <vincent@systemli.org> 2024-01-30T09:37:34Z Nick Hainke 2024-01-29T18:15:28Z urn:sha1:dfb4babfdfcede65ab373a1ef7fa57a17b0f7a4f Changelog: https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=d271dad2d3f1ec54e56ef8fa60275a88697a24aa;hb=0ef8192e8d5af4e6200d5d4aee22d1f177f7a2df Signed-off-by: Nick Hainke <vincent@systemli.org> 2023-12-04T12:18:35Z Nick Hainke 2023-11-11T07:54:17Z urn:sha1:39bdcec0113984fd9087379ae3937daefe04e077 * liblzma: - Use __attribute__((__no_sanitize_address__)) to avoid address sanitization with CRC64 CLMUL. It uses 16-byte-aligned reads which can extend past the bounds of the input buffer and inherently trigger address sanitization errors. This isn't a bug. - Fixed an assertion failure that could be triggered by a large unpadded_size argument. It was verified that there was no other bug than the assertion failure. - Fixed a bug that prevented building with Windows Vista threading when __attribute__((__constructor__)) is not supported. * xz now properly handles special files such as "con" or "nul" on Windows. Before this fix, the following wrote "foo" to the console and deleted the input file "con_xz": echo foo | xz > con_xz xz --suffix=_xz --decompress con_xz * Build systems: - Allow builds with Windows win95 threading and small mode when __attribute__((__constructor__)) is supported. - Added a new line to liblzma.pc for MSYS2 (Windows): Cflags.private: -DLZMA_API_STATIC When compiling code that will link against static liblzma, the LZMA_API_STATIC macro needs to be defined on Windows. - CMake specific changes: * Fixed a bug that allowed CLOCK_MONOTONIC to be used even if the check for it failed. * Fixed a bug where configuring CMake multiple times resulted in HAVE_CLOCK_GETTIME and HAVE_CLOCK_MONOTONIC not being set. * Fixed the build with MinGW-w64-based Clang/LLVM 17. llvm-windres now has more accurate GNU windres emulation so the GNU windres workaround from 5.4.1 is needed with llvm-windres version 17 too. * The import library on Windows is now properly named "liblzma.dll.a" instead of "libliblzma.dll.a" * Fixed a bug causing the Ninja Generator to fail on UNIX-like systems. This bug was introduced in 5.4.0. * Added a new option to disable CLMUL CRC64. * A module-definition (.def) file is now created when building liblzma.dll with MinGW-w64. * The pkg-config liblzma.pc file is now installed on all builds except when using MSVC on Windows. * Added large file support by default for platforms that need it to handle files larger than 2 GiB. This includes MinGW-w64, even 64-bit builds. * Small fixes and improvements to the tests. * Updated translations: Chinese (simplified) and Esperanto. Signed-off-by: Nick Hainke <vincent@systemli.org> 2023-08-14T08:18:43Z Rosen Penev 2023-08-12T02:06:10Z urn:sha1:813ef01a278e6b551dd16c0b07fb99262e0fea6b * liblzma and xzdec can now build against WASI SDK when threading support is disabled. xz and tests don't build yet. * CMake: - Fixed a bug preventing other projects from including liblzma multiple times using find_package(). - Don't create broken symlinks in Cygwin and MSYS2 unless supported by the environment. This prevented building for the default MSYS2 environment. The problem was introduced in xz 5.4.0. * Documentation: - Small improvements to man pages. - Small improvements and typo fixes for liblzma API documentation. * Tests: - Added a new section to INSTALL to describe basic test usage and address recent questions about building the tests when cross compiling. - Small fixes and improvements to the tests. * Translations: - Fixed a mistake that caused one of the error messages to not be translated. This only affected versions 5.4.2 and 5.4.3. - Updated the Chinese (simplified), Croatian, Esperanto, German, Korean, Polish, Romanian, Spanish, Swedish, Ukrainian, and Vietnamese translations. - Updated the German, Korean, Romanian, and Ukrainian man page translations. Signed-off-by: Rosen Penev <rosenp@gmail.com> 2023-05-06T05:16:15Z Nick Hainke 2023-05-06T00:45:57Z urn:sha1:2526b98a624b0b4912634258c386e6c10f7dd52a Changelog: https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=2f4d35adca6198671434d2988803cc9316ad1ec8;hb=c247d06e1f6cada9a76f4f6225cbd97ea760f52f#l5 Signed-off-by: Nick Hainke <vincent@systemli.org>