Hello, I hate to raise the alarm, but it looks like this update should be scrutinized before it goes in.
It sounds like a backdoor made it into the upstream repository: https://www.openwall.com/lists/oss-security/2024/03/29/4
On Mon, Mar 18, 2024 at 4:15 AM Christian Weisgerber <na...@mips.inka.de> wrote:
> archivers/xz: update to 5.6.1
>
> * Multithreaded mode is now the default.
> * New command line options to set filter chains using the liblzma filter
> string syntax.
> * Significant speed optimizations to the LZMA decoder.
>
>
> I have added runtime detection code to check for CRC32 instructions
> to speed up CRC32 integrity checks on arm64. I intend to submit
> this upstream, so if anybody has comments on that, let me know.
> (xz defaults to CRC64 anyway, so this has little practical value,
> but it is supported on other operating systems.)
>
> Upstream has added pledge() support to xzdec, rendering our previous
> patch obsolete.
>
> ok?
>
>
> diff d65615b6802f8ddeb4536c340034d07be3df3483
> 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
> commit - d65615b6802f8ddeb4536c340034d07be3df3483
> commit + 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
> blob - d1f7ac3fc25e3152944c4efae9a179e35ab504dc
> blob + 40addd5d055828107dd9fdb477184ffa605b5fd1
> --- archivers/xz/Makefile
> +++ archivers/xz/Makefile
> @@ -1,18 +1,19 @@
> COMMENT= library and tools for XZ and LZMA compressed files
>
> -DISTNAME= xz-5.4.5
> -SHARED_LIBS= lzma 2.2 # 9.4
> +VERSION= 5.6.1
> +DISTNAME= xz-${VERSION}
> +SHARED_LIBS= lzma 2.3 # 11.1
> CATEGORIES= archivers
> DPB_PROPERTIES= parallel
>
> -HOMEPAGE= https://tukaani.org/xz/
> +HOMEPAGE= https://xz.tukaani.org/xz-utils/
>
> MAINTAINER= Christian Weisgerber <na...@openbsd.org>
>
> # GPLv2+
> PERMIT_PACKAGE= Yes
>
> -SITES= ${SITE_SOURCEFORGE:=lzmautils/}
> +SITES=
> https://github.com/tukaani-project/xz/releases/download/v${VERSION}/
>
> # uses pledge()
> WANTLIB= c pthread
> blob - 98b88e2abbfec958489da8fba87fb00df54b8532
> blob + 83ae5ae9b49b503f0bcb1672db69e161dbb814b0
> --- archivers/xz/distinfo
> +++ archivers/xz/distinfo
> @@ -1,2 +1,2 @@
> -SHA256 (xz-5.4.5.tar.gz) = E1yQuTSu6PvA1Gfeh6Bctw1ifaNqvlGMNXqHNwnlt9Y=
> -SIZE (xz-5.4.5.tar.gz) = 2884510
> +SHA256 (xz-5.6.1.tar.gz) = I5j0qOUzRTJfRL3Z8Mx0Ab2QJdc2xtQ7Ny9N6ne/dbg=
> +SIZE (xz-5.6.1.tar.gz) = 3045434
> blob - 6061c7f3c22f7e992a2b66ff5cd7082eb1ffd5c8 (mode 644)
> blob + /dev/null
> --- archivers/xz/patches/patch-config_h_in
> +++ /dev/null
> @@ -1,16 +0,0 @@
> -Index: config.h.in
> ---- config.h.in.orig
> -+++ config.h.in
> -@@ -409,7 +409,11 @@
> -
> - /* Define to 1 if the system supports fast unaligned access to 16-bit,
> 32-bit,
> - and 64-bit integers. */
> --#undef TUKLIB_FAST_UNALIGNED_ACCESS
> -+#include <endian.h>
> -+#if !defined(__STRICT_ALIGNMENT)
> -+#define \
> -+ TUKLIB_FAST_UNALIGNED_ACCESS 1
> -+#endif
> -
> - /* Define to 1 if the amount of physical memory can be detected with
> - _system_configuration.physmem. */
> blob - /dev/null
> blob + a4b473567a4e085aa4ae0b4af893e51eed1e2014 (mode 644)
> --- /dev/null
> +++ archivers/xz/patches/patch-src_liblzma_check_crc32_arm64_h
> @@ -0,0 +1,30 @@
> +Index: src/liblzma/check/crc32_arm64.h
> +--- src/liblzma/check/crc32_arm64.h.orig
> ++++ src/liblzma/check/crc32_arm64.h
> +@@ -28,6 +28,11 @@
> + # include <processthreadsapi.h>
> + # elif defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME)
> + # include <sys/sysctl.h>
> ++# elif defined(__OpenBSD__)
> ++# include <sys/types.h>
> ++# include <sys/sysctl.h>
> ++# include <machine/cpu.h>
> ++# include <machine/armreg.h>
> + # endif
> + #endif
> +
> +@@ -103,6 +108,14 @@ is_arch_extension_supported(void)
> + &size, NULL, 0);
> +
> + return !err && has_crc32;
> ++
> ++#elif defined(__OpenBSD__)
> ++ const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
> ++ uint64_t isar0;
> ++ size_t len = sizeof(isar0);
> ++
> ++ return sysctl(isar0_mib, 2, &isar0, &len, NULL, 0) != -1 &&
> ++ ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE;
> +
> + #else
> + // If a runtime detection method cannot be found, then this must
> blob - 399cb3be7c7e9134963d36b0858d09da5dc0e3ff (mode 644)
> blob + /dev/null
> --- archivers/xz/patches/patch-src_xzdec_xzdec_c
> +++ /dev/null
> @@ -1,21 +0,0 @@
> -Index: src/xzdec/xzdec.c
> ---- src/xzdec/xzdec.c.orig
> -+++ src/xzdec/xzdec.c
> -@@ -295,9 +295,17 @@ main(int argc, char **argv)
> -
> - if (optind == argc) {
> - // No filenames given, decode from stdin.
> -+ if (pledge("stdio", NULL) == -1) {
> -+ my_errorf("pledge");
> -+ exit(EXIT_FAILURE);
> -+ }
> - uncompress(&strm, stdin, "(stdin)");
> - } else {
> - // Loop through the filenames given on the command line.
> -+ if (pledge("stdio rpath", NULL) == -1) {
> -+ my_errorf("pledge");
> -+ exit(EXIT_FAILURE);
> -+ }
> - do {
> - // "-" indicates stdin.
> - if (strcmp(argv[optind], "-") == 0) {
> blob - /dev/null
> blob + c2a62aaeb707f0b281f921f3b2064334f94de22b (mode 644)
> --- /dev/null
> +++ archivers/xz/patches/patch-src_liblzma_check_crc_common_h
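Review bot: The new OpenBSD branch of is_arch_extension_supported() leaves `isar0` uninitialized and treats any sysctl() return other than -1 as a full read, so a call that hands back fewer than sizeof(isar0) bytes would feed indeterminate bits into `ID_AA64ISAR0_CRC32()`; a false positive from this function presumably means the CRC32 instruction path gets selected on a CPU that lacks it. Initializing the variable and checking the returned length costs one comparison: `uint64_t isar0 = 0;` and `return sysctl(isar0_mib, 2, &isar0, &len, NULL, 0) != -1 && len == sizeof(isar0) && ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE;`. Since the cover letter says this is headed upstream, a short comment such as `// CTL_MACHDEP/CPU_ID_AA64ISAR0 exposes the ID_AA64ISAR0 register; CRC32 >= BASE means the CPU implements the CRC32 instructions` would spare readers on other platforms a trip to machine/armreg.h. The function's opening and the return in its #else fallback lie outside this hunk, so only the OpenBSD branch is reviewed here.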
> @@ -0,0 +1,13 @@
> +Index: src/liblzma/check/crc_common.h
> +--- src/liblzma/check/crc_common.h.orig
> ++++ src/liblzma/check/crc_common.h
> +@@ -50,7 +50,8 @@
> + // Keep this in sync with changes to crc32_arm64.h
> + #if defined(_WIN32) || defined(HAVE_GETAUXVAL) \
> + || defined(HAVE_ELF_AUX_INFO) \
> +- || (defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME))
> ++ || (defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME)) \
> ++ || defined(__OpenBSD__)
> + # define ARM64_RUNTIME_DETECTION 1
> + #endif
> +
> blob - 2b1d610561baf03509f7c96be0d71f934992279f
> blob + 59dbc56c918c42393b1d54ec43f3a2fe80c53a58
> --- archivers/xz/pkg/PLIST
> +++ archivers/xz/pkg/PLIST
> @@ -69,12 +69,13 @@ lib/pkgconfig/liblzma.pc
> share/doc/xz/
> share/doc/xz/AUTHORS
> share/doc/xz/COPYING
> +share/doc/xz/COPYING.0BSD
> share/doc/xz/COPYING.GPLv2
> share/doc/xz/NEWS
> share/doc/xz/README
> share/doc/xz/THANKS
> -share/doc/xz/TODO
> share/doc/xz/api/
> +share/doc/xz/api/COPYING.CC-BY-SA-4.0
> share/doc/xz/api/annotated.html
> share/doc/xz/api/base_8h.html
> share/doc/xz/api/bc_s.png
> @@ -143,16 +144,15 @@ share/doc/xz/api/tab_sd.png
> share/doc/xz/api/tabs.css
> share/doc/xz/api/version_8h.html
> share/doc/xz/api/vli_8h.html
> +share/doc/xz/api/xz-logo.png
> share/doc/xz/examples/
> share/doc/xz/examples/00_README.txt
> share/doc/xz/examples/01_compress_easy.c
> share/doc/xz/examples/02_decompress.c
> share/doc/xz/examples/03_compress_custom.c
> share/doc/xz/examples/04_compress_easy_mt.c
> +share/doc/xz/examples/11_file_info.c
> share/doc/xz/examples/Makefile
> -share/doc/xz/examples_old/
> -share/doc/xz/examples_old/xz_pipe_comp.c
> -share/doc/xz/examples_old/xz_pipe_decomp.c
> share/doc/xz/faq.txt
> share/doc/xz/history.txt
> share/doc/xz/lzma-file-format.txt
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
>
>