Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xz-java for openSUSE:Factory checked in at 2026-04-25 21:35:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xz-java (Old) and /work/SRC/openSUSE:Factory/.xz-java.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xz-java" Sat Apr 25 21:35:19 2026 rev:9 rq:1349082 version:1.12 Changes: -------- --- /work/SRC/openSUSE:Factory/xz-java/xz-java.changes 2025-12-27 11:28:49.779513731 +0100 +++ /work/SRC/openSUSE:Factory/.xz-java.new.11940/xz-java.changes 2026-04-25 21:35:26.081045274 +0200 @@ -1,0 +2,23 @@ +Thu Apr 23 20:06:15 UTC 2026 - Anton Shvetz <[email protected]> + +- Upgrade to version 1.12 + * Fix ArrayIndexOutOfBoundsException in the LZMA/LZMA2 encoder on + x86-64 and ARM64 when running on Java 9 or newer. The affected + code isn't used on Java 8. The bug is present in versions 1.10 + and 1.11. If one cannot upgrade, one should set the property + org.tukaani.xz.MatchLengthFinder=Basic to disable the affected + code path. + * Fix ArrayCache usage in LZMAInputStream. If ArrayCache was + enabled, decompression was likely to fail quickly when the + cache returns a cached array. ArrayCache is disabled by + default. + * The binaries of 1.12 in the Maven Central require Java 8 and + contain optimized classes for Java >= 9 as multi-release JAR. + They were built with OpenJDK 21.0.10 on GNU/Linux and can be + reproduced using the following command: + SOURCE_DATE_EPOCH=1772370000 TZ=UTC0 ant maven +- Modified patch: + * xz-java-module-info.patch + + rebased + +------------------------------------------------------------------- Old: ---- xz-java-1.11.zip New: ---- xz-java-1.12.zip ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xz-java.spec ++++++ --- /var/tmp/diff_new_pack.4Gp9Pq/_old 2026-04-25 21:35:26.781073758 +0200 +++ /var/tmp/diff_new_pack.4Gp9Pq/_new 2026-04-25 21:35:26.785073921 +0200 @@ -1,7 +1,7 @@ # # spec file for package xz-java # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2013 Peter Conrad # # All modifications and additions to the file contributed by third parties @@ -18,7 +18,7 @@ Name: xz-java -Version: 1.11 +Version: 1.12 Release: 0 Summary: Pure Java implementation of XZ compression License: 0BSD ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.4Gp9Pq/_old 2026-04-25 21:35:26.821075385 +0200 +++ /var/tmp/diff_new_pack.4Gp9Pq/_new 2026-04-25 21:35:26.825075549 +0200 @@ -1,6 +1,6 @@ -mtime: 1766613162 -commit: 97d68f22b5829fbb1a5f68e980cf95413161cfaba84a926f91dec49386675513 -url: https://src.opensuse.org/java-packages/xz-java.git -revision: 97d68f22b5829fbb1a5f68e980cf95413161cfaba84a926f91dec49386675513 +mtime: 1776975068 +commit: 565c7bdb74b65b56e28d7d27aec58645517036b53fdc91b870bd0d2a332821f4 +url: https://src.opensuse.org/java-packages/xz-java +revision: 565c7bdb74b65b56e28d7d27aec58645517036b53fdc91b870bd0d2a332821f4 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-23 22:11:08.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ xz-java-1.11.zip -> xz-java-1.12.zip ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/NEWS.md new/NEWS.md --- old/NEWS.md 2025-11-19 18:57:00.000000000 +0100 +++ new/NEWS.md 2026-03-01 13:35:22.000000000 +0100 @@ -2,6 +2,27 @@ XZ for Java release notes ========================= +1.12 (2026-03-01) +----------------- + + * Fix ArrayIndexOutOfBoundsException in the LZMA/LZMA2 encoder on + x86-64 and ARM64 when running on Java 9 or newer. The affected + code isn't used on Java 8. The bug is present in versions 1.10 + and 1.11. If one cannot upgrade, one should set the property + `org.tukaani.xz.MatchLengthFinder=Basic` to disable the affected + code path. + + * Fix ArrayCache usage in LZMAInputStream. If ArrayCache was enabled, + decompression was likely to fail quickly when the cache returns a + cached array. ArrayCache is disabled by default. + + * The binaries of 1.10 in the Maven Central require Java 8 and + contain optimized classes for Java >= 9 as multi-release JAR. + They were built with OpenJDK 21.0.10 on GNU/Linux and can be + reproduced using the following command: + + SOURCE_DATE_EPOCH=1772370000 TZ=UTC0 ant maven + 1.11 (2025-11-19) ----------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/build.properties new/build.properties --- old/build.properties 2025-11-19 18:57:00.000000000 +0100 +++ new/build.properties 2026-03-01 13:35:22.000000000 +0100 @@ -5,7 +5,7 @@ title = XZ data compression homepage = https://tukaani.org/xz/java.html doc_url = https://tukaani.org/xz/xz-javadoc/ -version = 1.11 +version = 1.12 debug = true # sourcever sets --release for javac 9 (or later) or -source and -target for diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/lz/LZDecoder.java new/src/org/tukaani/xz/lz/LZDecoder.java --- old/src/org/tukaani/xz/lz/LZDecoder.java 2025-11-19 18:57:00.000000000 +0100 +++ new/src/org/tukaani/xz/lz/LZDecoder.java 2026-03-01 13:35:22.000000000 +0100 @@ -24,6 +24,15 @@ bufSize = dictSize; buf = arrayCache.getByteArray(bufSize, false); + // getByte(0) needs to return 0x00 when no data has been decompressed. + // This requires initializing only one byte, so don't pass "true" as + // the second argument in the above arrayCache.getByteArray call. + // + // Note that LZMA2InputStream calls LZDecoder.reset() before decoding + // anything, thus it doesn't break even if this initialization was + // missing here. But LZMAInputStream has no reason to call reset(). + buf[bufSize - 1] = 0x00; + if (presetDict != null) { pos = Math.min(presetDict.length, dictSize); full = pos; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/lz/LZEncoder.java new/src/org/tukaani/xz/lz/LZEncoder.java --- old/src/org/tukaani/xz/lz/LZEncoder.java 2025-11-19 18:57:00.000000000 +0100 +++ new/src/org/tukaani/xz/lz/LZEncoder.java 2026-03-01 13:35:22.000000000 +0100 @@ -139,7 +139,8 @@ // MatchLength.getLen might read and ignore extra bytes // at the end of the buffer. - buf = arrayCache.getByteArray(bufSize + MatchLength.EXTRA_SIZE, false); + buf = arrayCache.getByteArray(bufSize + MatchLength.getExtraSize(), + false); keepSizeBefore = extraSizeBefore + dictSize; keepSizeAfter = extraSizeAfter + matchLenMax; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/lz/MatchLength.java new/src/org/tukaani/xz/lz/MatchLength.java --- old/src/org/tukaani/xz/lz/MatchLength.java 2025-11-19 18:57:00.000000000 +0100 +++ new/src/org/tukaani/xz/lz/MatchLength.java 2026-03-01 13:35:22.000000000 +0100 @@ -6,7 +6,9 @@ // See the version in the src9 directory for documentation. final class MatchLength { - static final int EXTRA_SIZE = 0; + static int getExtraSize() { + return 0; + } static int getLen(byte[] buf, int off, int delta, int len, int lenLimit) { assert off >= 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src9/org/tukaani/xz/lz/MatchLength.java new/src9/org/tukaani/xz/lz/MatchLength.java --- old/src9/org/tukaani/xz/lz/MatchLength.java 2025-11-19 18:57:00.000000000 +0100 +++ new/src9/org/tukaani/xz/lz/MatchLength.java 2026-03-01 13:35:22.000000000 +0100 @@ -7,13 +7,6 @@ import java.nio.ByteOrder; final class MatchLength { - /** - * Number of additional bytes that {@code getLen} might read even though - * it doesn't need them. The buffer must have this many bytes of extra - * space at the end to make it safe to use {@code getLen}. - */ - static final int EXTRA_SIZE; - private static final MatchLengthFinder matchLengthFinder; static { @@ -48,8 +41,15 @@ "org.tukaani.xz.MatchLengthFinder. " + "Supported values: Basic, UnalignedLongLE"); } + } - EXTRA_SIZE = matchLengthFinder.getExtraSize(); + /** + * Returns the number of additional bytes that {@code getLen} might read + * even though it doesn't need them. The buffer must have this many bytes + * of extra space at the end to make it safe to use {@code getLen}. + */ + static int getExtraSize() { + return matchLengthFinder.getExtraSize(); } /** diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src9/org/tukaani/xz/lz/MatchLengthFinder.java new/src9/org/tukaani/xz/lz/MatchLengthFinder.java --- old/src9/org/tukaani/xz/lz/MatchLengthFinder.java 2025-11-19 18:57:00.000000000 +0100 +++ new/src9/org/tukaani/xz/lz/MatchLengthFinder.java 2026-03-01 13:35:22.000000000 +0100 @@ -5,7 +5,7 @@ package org.tukaani.xz.lz; interface MatchLengthFinder { - /** Returns value for {@code MatchLength.EXTRA_SIZE}. */ + /** See {@code MatchLength.getExtraSize}. */ int getExtraSize(); /** See {@code MatchLength.getLen}. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src9/org/tukaani/xz/lz/UnalignedLongLEMatchLengthFinder.java new/src9/org/tukaani/xz/lz/UnalignedLongLEMatchLengthFinder.java --- old/src9/org/tukaani/xz/lz/UnalignedLongLEMatchLengthFinder.java 2025-11-19 18:57:00.000000000 +0100 +++ new/src9/org/tukaani/xz/lz/UnalignedLongLEMatchLengthFinder.java 2026-03-01 13:35:22.000000000 +0100 @@ -10,7 +10,7 @@ // unaligned access. This is based on XZ Utils' memcmplen.h. // This may read up to 7 extra bytes past the end of the specified // end offset (off + lenLimit) so the caller must ensure that -// there are EXTRA_SIZE bytes available at the end of the buffer. +// there are getExtraSize() bytes available at the end of the buffer. // // In the extreme case of compressing a sequence of zero bytes, this // can reduce compression time by over 30 % compared to Arrays.mismatch. ++++++ xz-java-module-info.patch ++++++ --- /var/tmp/diff_new_pack.4Gp9Pq/_old 2026-04-25 21:35:27.177089873 +0200 +++ /var/tmp/diff_new_pack.4Gp9Pq/_new 2026-04-25 21:35:27.193090523 +0200 @@ -1,6 +1,6 @@ ---- a/build.xml 2025-07-03 17:34:58.653124868 +0200 -+++ b/build.xml 2025-07-03 17:50:13.872136109 +0200 -@@ -68,6 +68,16 @@ +--- a/build.xml 2026-04-23 22:29:34.724702617 +0300 ++++ b/build.xml 2026-04-23 22:42:22.998717558 +0300 +@@ -66,6 +66,16 @@ includesfile="fileset-src9.txt"> <compilerarg compiler="modern" line="-Xlint"/> <compilerarg compiler="modern" line="-implicit:none"/> @@ -17,7 +17,7 @@ </javac> </target> -@@ -102,7 +112,7 @@ +@@ -100,7 +110,7 @@ <jar destfile="${jar_dir}/xz.jar" modificationtime="${timestamp}" manifest="${manifest_base}"> @@ -26,7 +26,7 @@ <zipfileset prefix="META-INF/versions/9/" dir="${classes9_dir}" unless:true="${java8only}"/> <manifest> -@@ -112,6 +122,8 @@ +@@ -110,6 +120,8 @@ <attribute name="Sealed" value="true"/> <attribute name="Multi-Release" value="true" unless:true="${java8only}"/>
