Reviewed-by: Michael Tremer <[email protected]>

This was obviously too late for c193, but I strongly suggest shipping this in c194.
Best, -Michael > On 8 Apr 2025, at 22:37, Adolf Belka <[email protected]> wrote: > > - Update from version 5.8.0 to 5.8.1 > - Update of rootfile > - Changelog > 5.8.1 > IMPORTANT: This includes a security fix for CVE-2025-31115 which > affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x > releases will be made, but the fix is in the v5.4 and v5.6 branches > in the xz Git repository. A standalone patch for all affected > versions is available as well. > * Multithreaded .xz decoder (lzma_stream_decoder_mt()): > - Fix a bug that could at least result in a crash with > invalid input. (CVE-2025-31115) > - Fix a performance bug: Only one thread was used if the whole > input file was provided at once to lzma_code(), the output > buffer was big enough, timeout was disabled, and LZMA_FINISH > was used. There are no bug reports about this, thus it's > possible that no real-world application was affected. > * Avoid <stdalign.h> even with C11/C17 compilers. This fixes the > build with Oracle Developer Studio 12.6 on Solaris 10 when the > compiler is in C11 mode (the header doesn't exist). > * Autotools: Restore compatibility with GNU make versions older > than 4.0 by creating the package using GNU gettext 0.23.1 > infrastructure instead of 0.24. > * Update Croatian translation. > > Signed-off-by: Adolf Belka <[email protected]> > --- > config/rootfiles/common/xz | 2 +- > lfs/xz | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz > index 3873744c8..f836d4578 100644 > --- a/config/rootfiles/common/xz > +++ b/config/rootfiles/common/xz > @@ -41,7 +41,7 @@ usr/bin/xzmore > #usr/lib/liblzma.la > #usr/lib/liblzma.so > usr/lib/liblzma.so.5 > -usr/lib/liblzma.so.5.8.0 > +usr/lib/liblzma.so.5.8.1 > #usr/lib/pkgconfig/liblzma.pc > #usr/share/doc/xz > #usr/share/doc/xz/AUTHORS > diff --git a/lfs/xz b/lfs/xz > index 511848c1d..1ee1faa52 100644 > --- a/lfs/xz > +++ b/lfs/xz 
> @@ -24,7 +24,7 @@ > > include Config > > -VER = 5.8.0 > +VER = 5.8.1 > > THISAPP = xz-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -45,7 +45,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = > 5087c88884a857b96bc5658548fc9b07ab2f14fe9eabfaeaa19e21810e7588c97621db08353632bd56e66ae2085ec5adc421c4d6849525b630d56dadd65c9f81 > +$(DL_FILE)_BLAKE2 = > f11be3971e181bb49b6a92d3cc07ebb1c6b5fb53bc5d079e0952eed94f069656cffb37a2e2e8f068a5f119c6ef5ee565b3ac9978a5afa24a40d49607d492d176 > > install : $(TARGET) > > -- > 2.49.0 > >
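Review bot: In the lfs/xz hunk at -45,7 +45,7, the new $(DL_FILE)_BLAKE2 value pins xz-5.8.1.tar.xz, but the commit message does not say how the tarball was verified before the digest was computed. Because this update carries the fix for CVE-2025-31115, please add a line to the commit message stating that the download was checked against the upstream release signature (or another independent source) before hashing, so the pinned digest can be traced to a verified tarball rather than to whatever the download happened to return.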
