XZ Utils 5.2.13, 5.4.7, and 5.6.2 are available at <https://tukaani.org/xz/>. The releases are signed with my key. The same key was used for 5.2.11 and 5.4.2 and older. Fingerprint:
3690 C240 CE51 B467 0D30 AD1C 38EE 757D 6918 4620 Sam James is now a supporting maintainer. The x...@tukaani.org email address forwards to me and him. Special thanks to Andres Freund for discovering the backdoor in 5.6.0 and 5.6.1. Extracts from the NEWS file: 5.6.2 (2024-05-29) * Remove the backdoor (CVE-2024-3094). * Not changed: Memory sanitizer (MSAN) has a false positive in the CRC CLMUL code which also makes OSS Fuzz unhappy. Valgrind is smarter and doesn't complain. A revision to the CLMUL code is coming anyway and this issue will be cleaned up as part of it. It won't be backported to 5.6.x or 5.4.x because the old code isn't wrong. There is no reason to risk introducing regressions in old branches just to silence a false positive. * liblzma: - lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR. - lzma_str_to_filters(): Fix a missing output pointer initialization (*error_pos = 0). This is very similar to the fix above. - Fix C standard conformance with function pointer types. - Remove GNU indirect function (IFUNC) support. This is *NOT* done for security reasons even though the backdoor relied on this code. The performance benefits of IFUNC are too tiny in this project to make the extra complexity worth it. - FreeBSD on ARM64: Add error checking to CRC32 instruction support detection. - Fix building with NVIDIA HPC SDK. * xz: - Fix a C standard conformance issue in --block-list parsing (arithmetic on a null pointer). - Fix a warning from GNU groff when processing the man page: "warning: cannot select font 'CW'" * xzdec: Add support for Linux Landlock ABI version 4. xz already had the v3-to-v4 change but it had been forgotten from xzdec. * Autotools-based build system (configure): - Symbol versioning variant can now be overridden with --enable-symbol-versions. Documentation in INSTALL was updated to match. - Add new configure option --enable-doxygen to enable generation and installation of the liblzma API documentation using Doxygen. Documentation in INSTALL and PACKAGERS was updated to match. CMake: - Fix detection of Linux Landlock support. The detection code in CMakeLists.txt had been sabotaged. - Disable symbol versioning on non-glibc Linux to match what the Autotools build does. For example, symbol versioning isn't enabled with musl. - Symbol versioning variant can now be overridden by setting SYMBOL_VERSIONING to "OFF", "generic", or "linux". - Add support for all tests in typical build configurations. Now the only difference to the tests coverage to Autotools is that CMake-based build will skip more tests if features are disabled. Such builds are only for special cases like embedded systems. - Separate the CMake code for the tests into tests/tests.cmake. It is used conditionally, thus it is possible to rm -rf tests and the CMake-based build will still work normally except that no tests are then available. - Add a option ENABLE_DOXYGEN to enable generation and installation of the liblzma API documentation using Doxygen. * Documentation: - Omit the Doxygen-generated liblzma API documentation from the package. Instead, the generation and installation of the API docs can be enabled with a configure or CMake option if Doxygen is available. - Remove the XZ logo which was used in the API documentation. The logo has been retired and isn't used by the project anymore. However, it's OK to use it in contexts that refer to the backdoor incident. - Remove the PDF versions of the man pages from the source package. These existed primarily for users of operating systems which don't come with tools to render man page source files. The plain text versions are still included in doc/man/txt. PDF files can still be generated to doc/man, if the required tools are available, using "make pdf" after running "configure". - Update home page URLs back to their old locations on tukaani.org. - Update maintainer info. * Tests: - In tests/files/README, explain how to recreate the ARM64 test files. - Remove two tests that used tiny x86 and SPARC object files as the input files. The matching .c file was included but the object files aren't easy to reproduce. The test cases weren't great anyway; they were from the early days (2009) of the project when the test suite had very few tests. - Improve a few tests. 5.4.7 (2024-05-29) * Not changed: Memory sanitizer (MSAN) has a false positive in the CRC CLMUL code which also makes OSS Fuzz unhappy. Valgrind is smarter and doesn't complain. A revision to the CLMUL code is coming anyway and this issue will be cleaned up as part of it. It won't be backported to 5.6.x or 5.4.x because the old code isn't wrong. There is no reason to risk introducing regressions in old branches just to silence a false positive. * liblzma: - lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR. - lzma_str_to_filters(): Fix a missing output pointer initialization (*error_pos = 0). This is very similar to the fix above. - Fix C standard conformance with function pointer types. This newly showed up with Clang 17 with -fsanitize=undefined. There are no bug reports about this. - Fix building with NVIDIA HPC SDK. * xz: - Fix a C standard conformance issue in --block-list parsing (arithmetic on a null pointer). - Fix a warning from GNU groff when processing the man page: "warning: cannot select font 'CW'" - Fix outdated threading related information on the man page. * xzless: - With "less" version 451 and later, use "||-" instead of "|-" in the environment variable LESSOPEN. This way compressed files that contain no uncompressed data are shown correctly as empty. - With "less" version 632 and later, use --show-preproc-errors to make "less" show a warning on decompression errors. * Autotools-based build system (configure): - Symbol versioning variant can now be overridden with --enable-symbol-versions. Documentation in INSTALL was updated to match. CMake: - Linux on MicroBlaze is handled specially now. This matches the changes made to the Autotools-based build in XZ Utils 5.4.2 and 5.2.11. - Disable symbol versioning on non-glibc Linux to match what the Autotools build does. For example, symbol versioning isn't enabled with musl. - Symbol versioning variant can now be overridden by setting SYMBOL_VERSIONING to "OFF", "generic", or "linux". * Documentation: - Clarify the description of --disable-assembler in INSTALL. The option only affects 32-bit x86 assembly usage. - Add doc/examples/11_file_info.c. It was added to the Git repository in 2017 but forgotten to be added into distribution tarballs. - Don't install the TODO file as part of the documentation. The file is out of date. - Update home page URLs back to their old locations on tukaani.org. - Update maintainer info. 5.2.13 (2024-05-29) * liblzma: - lzma_index_append(): Fix an assertion failure that could be triggered by a large unpadded_size argument. It was verified that there was no other bug than the assertion failure. - lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR. - Fix C standard conformance with function pointer types. This newly showed up with Clang 17 with -fsanitize=undefined. There are no bug reports about this. - Fix building with NVIDIA HPC SDK. - Fix building with Windows Vista threads and --enable-small. (CMake build doesn't support ENABLE_SMALL in XZ Utils 5.2.x.) * xz: - Fix a C standard conformance issue in --block-list parsing (arithmetic on a null pointer). - Fix a warning from GNU groff when processing the man page: "warning: cannot select font 'CW'" - Windows: Handle special files such as "con" or "nul". Earlier the following wrote "foo" to the console and deleted the input file "con_xz": echo foo | xz > con_xz xz --suffix=_xz --decompress con_xz - Windows: Fix an issue that prevented reading from or writing to non-terminal character devices like NUL. * xzless: - With "less" version 451 and later, use "||-" instead of "|-" in the environment variable LESSOPEN. This way compressed files that contain no uncompressed data are shown correctly as empty. - With "less" version 632 and later, use --show-preproc-errors to make "less" show a warning on decompression errors. * Build systems: - Add a new line to liblzma.pc for MSYS2 (Windows): Cflags.private: -DLZMA_API_STATIC When compiling code that will link against static liblzma, the LZMA_API_STATIC macro needs to be defined on Windows. - Autotools (configure): * Symbol versioning variant can now be overridden with --enable-symbol-versions. Documentation in INSTALL was updated to match. - CMake: * Fix a bug that prevented other projects from including liblzma multiple times using find_package(). * Fix a bug where configuring CMake multiple times resulted in HAVE_CLOCK_GETTIME and HAVE_CLOCK_MONOTONIC not being defined. * Fix the build with MinGW-w64-based Clang/LLVM 17. llvm-windres now has more accurate GNU windres emulation so the GNU windres workaround from 5.4.1 is needed with llvm-windres version 17 too. * The import library on Windows is now properly named "liblzma.dll.a" instead of "libliblzma.dll.a" * Add large file support by default for platforms that need it to handle files larger than 2 GiB. This includes MinGW-w64, even 64-bit builds. * Linux on MicroBlaze is handled specially now. This matches the changes made to the Autotools-based build in XZ Utils 5.4.2 and 5.2.11. * Disable symbol versioning on non-glibc Linux to match what the Autotools build does. For example, symbol versioning isn't enabled with musl. * Symbol versioning variant can now be overridden by setting SYMBOL_VERSIONING to "OFF", "generic", or "linux". * Documentation: - Clarify the description of --disable-assembler in INSTALL. The option only affects 32-bit x86 assembly usage. - Don't install the TODO file as part of the documentation. The file is out of date. - Update home page URLs back to their old locations on tukaani.org. - Update maintainer info. -- Lasse Collin