Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xz-java for openSUSE:Factory checked in at 2025-12-27 11:28:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xz-java (Old) and /work/SRC/openSUSE:Factory/.xz-java.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xz-java" Sat Dec 27 11:28:47 2025 rev:8 rq:1324433 version:1.11 Changes: -------- --- /work/SRC/openSUSE:Factory/xz-java/xz-java.changes 2025-07-06 17:05:19.340526212 +0200 +++ /work/SRC/openSUSE:Factory/.xz-java.new.1928/xz-java.changes 2025-12-27 11:28:49.779513731 +0100 @@ -1,0 +2,19 @@ +Wed Dec 24 21:48:33 UTC 2025 - Anton Shvetz <[email protected]> + +- Upgrade to version 1.11 + * Fix a data corruption bug when encoding with the rarely-used + option LZMA2Options.MODE_UNCOMPRESSED. To trigger the bug, a + write call must cross an offset that is a multiple of 65536 + bytes. For example, one write of 70000 bytes or two write calls + of 50000 bytes each would trigger the bug. The bug isn't + triggered if there are ten write calls of 8192 bytes each + followed by one 123-byte write. + * If encoding to a .xz file, a decoder would catch the issue + because the integrity check wouldn't match. + * The binaries of 1.10 in the Maven Central require Java 8 and + contain optimized classes for Java >= 9 as multi-release JAR. + They were built with OpenJDK 21.0.9 on GNU/Linux and can be + reproduced using the following command: + SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven + +------------------------------------------------------------------- Old: ---- xz-java-1.10.zip New: ---- _scmsync.obsinfo build.specials.obscpio xz-java-1.11.zip ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xz-java.spec ++++++ --- /var/tmp/diff_new_pack.SP6SMy/_old 2025-12-27 11:28:50.515543812 +0100 +++ /var/tmp/diff_new_pack.SP6SMy/_new 2025-12-27 11:28:50.515543812 +0100 @@ -1,7 +1,7 @@ # # spec file for package xz-java # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # Copyright (c) 2013 Peter Conrad # # All modifications and additions to the file contributed by third parties @@ -18,7 +18,7 @@ Name: xz-java -Version: 1.10 +Version: 1.11 Release: 0 Summary: Pure Java implementation of XZ compression License: 0BSD ++++++ _scmsync.obsinfo ++++++ mtime: 1766613162 commit: 97d68f22b5829fbb1a5f68e980cf95413161cfaba84a926f91dec49386675513 url: https://src.opensuse.org/java-packages/xz-java.git revision: 97d68f22b5829fbb1a5f68e980cf95413161cfaba84a926f91dec49386675513 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-12-26 09:09:03.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ xz-java-1.10.zip -> xz-java-1.11.zip ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/NEWS.md new/NEWS.md --- old/NEWS.md 2024-07-29 16:10:26.000000000 +0200 +++ new/NEWS.md 2025-11-19 18:57:00.000000000 +0100 @@ -2,6 +2,27 @@ XZ for Java release notes ========================= +1.11 (2025-11-19) +----------------- + + * Fix a data corruption bug when encoding with the rarely-used option + `LZMA2Options.MODE_UNCOMPRESSED`. To trigger the bug, a `write` + call must cross an offset that is a multiple of 65536 bytes. + For example, one `write` of 70000 bytes or two `write` calls of + 50000 bytes each would trigger the bug. The bug *isn't* triggered + if there are ten `write` calls of 8192 bytes each followed by one + 123-byte `write`. + + If encoding to a .xz file, a decoder would catch the issue because + the integrity check wouldn't match. + + * The binaries of 1.10 in the Maven Central require Java 8 and + contain optimized classes for Java >= 9 as multi-release JAR. + They were built with OpenJDK 21.0.9 on GNU/Linux and can be + reproduced using the following command: + + SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven + 1.10 (2024-07-29) ----------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md --- old/README.md 2024-07-29 16:10:26.000000000 +0200 +++ new/README.md 2025-11-19 18:57:00.000000000 +0100 @@ -40,15 +40,15 @@ thus it's good to override it to GMT/UTC. On POSIX systems, the following commands are equivalent: - $ ANT_OPTS=-Duser.timezone=GMT \ - ant -Dant.tstamp.now.iso=2024-07-29T14:10:26Z + $ ANT_OPTS=-Duser.timezone=GMT \ + ant -Dant.tstamp.now.iso=2024-07-29T14:10:26Z - $ SOURCE_DATE_EPOCH=1722262226 TZ=UTC0 ant + $ SOURCE_DATE_EPOCH=1722262226 TZ=UTC0 ant When the Git repository is available, using the committer date is one way to get a reasonable value: - $ SOURCE_DATE_EPOCH=$(git log -n1 --pretty=%ct) TZ=UTC0 ant + $ SOURCE_DATE_EPOCH=$(git log -n1 --pretty=%ct) TZ=UTC0 ant ### Old build environments diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/REUSE.toml new/REUSE.toml --- old/REUSE.toml 2024-07-29 16:10:26.000000000 +0200 +++ new/REUSE.toml 2025-11-19 18:57:00.000000000 +0100 @@ -1,4 +1,4 @@ -# XZ for Java is compliant with version 3.2 of the REUSE Specification. +# XZ for Java is compliant with version 3.3 of the REUSE Specification. version = 1 @@ -10,6 +10,7 @@ 'NEWS.md', 'README.md', 'REUSE.toml', + 'SHA256SUMS', 'THANKS.md', 'fileset-src.txt', 'fileset-src9.txt', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/THANKS.md new/THANKS.md --- old/THANKS.md 2024-07-29 16:10:26.000000000 +0200 +++ new/THANKS.md 2025-11-19 18:57:00.000000000 +0100 @@ -17,6 +17,7 @@ - Christian Schlichtherle - Matthias Stevens - Alyosha Vasilieva + - Daniel Wilhelm Companies (in alphabetical order): - Cerner diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/build.properties new/build.properties --- old/build.properties 2024-07-29 16:10:26.000000000 +0200 +++ new/build.properties 2025-11-19 18:57:00.000000000 +0100 @@ -5,7 +5,7 @@ title = XZ data compression homepage = https://tukaani.org/xz/java.html doc_url = https://tukaani.org/xz/xz-javadoc/ -version = 1.10 +version = 1.11 debug = true # sourcever sets --release for javac 9 (or later) or -source and -target for diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/build.xml new/build.xml --- old/build.xml 2024-07-29 16:10:26.000000000 +0200 +++ new/build.xml 2025-11-19 18:57:00.000000000 +0100 @@ -22,9 +22,7 @@ <mkdir dir="${dist_dir}"/> <exec output="${dist_file}" logError="true" failonerror="true" executable="git"> - <arg value="archive"/> - <arg value="--format=zip"/> - <arg value="HEAD"/> + <arg line="archive --format=zip -9 HEAD"/> </exec> </target> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/UncompressedLZMA2OutputStream.java new/src/org/tukaani/xz/UncompressedLZMA2OutputStream.java --- old/src/org/tukaani/xz/UncompressedLZMA2OutputStream.java 2024-07-29 16:10:26.000000000 +0200 +++ new/src/org/tukaani/xz/UncompressedLZMA2OutputStream.java 2025-11-19 18:57:00.000000000 +0100 @@ -36,8 +36,7 @@ outData = new DataOutputStream(out); // We only allocate one array from the cache. We will call - // putArray directly in writeEndMarker and thus we don't use - // ResettableArrayCache here. + // putArray in writeEndMarker. this.arrayCache = arrayCache; uncompBuf = arrayCache.getByteArray( LZMA2OutputStream.COMPRESSED_SIZE_MAX, false); @@ -64,12 +63,22 @@ while (len > 0) { int copySize = Math.min(LZMA2OutputStream.COMPRESSED_SIZE_MAX - uncompPos, len); - System.arraycopy(buf, off, uncompBuf, uncompPos, copySize); - len -= copySize; - uncompPos += copySize; - if (uncompPos == LZMA2OutputStream.COMPRESSED_SIZE_MAX) - writeChunk(); + if (copySize == LZMA2OutputStream.COMPRESSED_SIZE_MAX) { + // Copy 64 KiB directly from buf to the output stream. + assert(uncompPos == 0); + writeChunk(buf, off, copySize); + } else { + // Copy to uncompBuf and flush 64 KiB at a time + // to the output stream. + System.arraycopy(buf, off, uncompBuf, uncompPos, copySize); + uncompPos += copySize; + if (uncompPos == LZMA2OutputStream.COMPRESSED_SIZE_MAX) + writeChunk(); + } + + off += copySize; + len -= copySize; } } catch (IOException e) { exception = e; @@ -78,10 +87,14 @@ } private void writeChunk() throws IOException { - outData.writeByte(dictResetNeeded ? 0x01 : 0x02); - outData.writeShort(uncompPos - 1); - outData.write(uncompBuf, 0, uncompPos); + writeChunk(uncompBuf, 0, uncompPos); uncompPos = 0; + } + + private void writeChunk(byte[] buf, int off, int len) throws IOException { + outData.writeByte(dictResetNeeded ? 0x01 : 0x02); + outData.writeShort(len - 1); + outData.write(buf, off, len); dictResetNeeded = false; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/lzma/LZMACoder.java new/src/org/tukaani/xz/lzma/LZMACoder.java --- old/src/org/tukaani/xz/lzma/LZMACoder.java 2024-07-29 16:10:26.000000000 +0200 +++ new/src/org/tukaani/xz/lzma/LZMACoder.java 2025-11-19 18:57:00.000000000 +0100 @@ -126,7 +126,7 @@ for (int i = 0; i < low.length; ++i) RangeCoder.initProbs(low[i]); - for (int i = 0; i < low.length; ++i) + for (int i = 0; i < mid.length; ++i) RangeCoder.initProbs(mid[i]); RangeCoder.initProbs(high); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/package-info.java new/src/org/tukaani/xz/package-info.java --- old/src/org/tukaani/xz/package-info.java 2024-07-29 16:10:26.000000000 +0200 +++ new/src/org/tukaani/xz/package-info.java 2025-11-19 18:57:00.000000000 +0100 @@ -10,7 +10,7 @@ * This aims to be a complete implementation of XZ data compression * in pure Java. Features: * <ul> - * <li>Full support for the .xz file format specification version 1.2.0</li> + * <li>Full support for the .xz file format specification version 1.2.1</li> * <li>Single-threaded streamed compression and decompression</li> * <li>Single-threaded decompression with limited random access support</li> * <li>Raw streams (no .xz headers) for advanced users, including LZMA2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/src/org/tukaani/xz/simple/IA64.java new/src/org/tukaani/xz/simple/IA64.java --- old/src/org/tukaani/xz/simple/IA64.java 2024-07-29 16:10:26.000000000 +0200 +++ new/src/org/tukaani/xz/simple/IA64.java 2025-11-19 18:57:00.000000000 +0100 @@ -63,7 +63,7 @@ instrNorm |= (dest & 0x0FFFFFL) << 13; instrNorm |= (dest & 0x100000L) << (36 - 20); - instr &= (1 << bitRes) - 1; + instr &= (1L << bitRes) - 1; instr |= instrNorm << bitRes; for (int j = 0; j < 6; ++j)
