This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early. Most parts of the COPYING file replaced public domain licenses with 0BSD. But public domain is still mentioned for some old translations. Therefore only add 0BSD to the license list.
Signed-off-by: Sven Püschel <[email protected]> --- rules/xz.make | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/xz.make b/rules/xz.make index f24a2ac03..90a32f728 100644 --- a/rules/xz.make +++ b/rules/xz.make @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz # # Paths and names # -XZ_VERSION := 5.4.4 -XZ_MD5 := fbb849a27e266964aefe26bad508144f +XZ_VERSION := 5.8.1 +XZ_MD5 := a814a04a94c5ce757e2f90e387bd1a5c XZ := xz-$(XZ_VERSION) XZ_SUFFIX := tar.bz2 XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX) XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX) XZ_DIR := $(BUILDDIR)/$(XZ) -XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later +XZ_LICENSE := 0BSD AND public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later XZ_LICENSE_FILES := \ - file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \ + file://COPYING;md5=d38d562f6112174de93a9677682231b2 \ file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \ file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c @@ -53,6 +53,7 @@ XZ_CONF_OPT := \ --disable-lzma-links \ --$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \ --disable-doc \ + --disable-doxygen \ --disable-sandbox \ --enable-shared \ --disable-static \ @@ -62,7 +63,8 @@ XZ_CONF_OPT := \ $(GLOBAL_LARGE_FILE_OPTION) \ --enable-unaligned-access=auto \ --disable-unsafe-type-punning \ - --disable-werror + --disable-werror \ + --$(call ptx/endis, PTXDIST_Y2038)-year2038 # ---------------------------------------------------------------------------- # Target-Install -- 2.47.3
