Thanks, applied as a29631c251345c6f4ac72844a8ac4495c5708f82.

Michael

[sent from post-receive hook]

On Thu, 23 Oct 2025 15:13:52 +0200, Sven Püschel <[email protected]> 
wrote:
> This fixes CVE-2025-31115: Threaded .xz decoder frees memory too early.
> 
> To avoid malicious tarballs, which happened in the past, switch to the
> tarballs automatically generated by GitHub. As xz also has a
> feature-complete CMake build system, use it to avoid adding an
> autogen.sh file.
> 
> Most parts of the COPYING file replaced public domain licenses with
> 0BSD. But public domain is still mentioned for some old translations.
> Therefore only add 0BSD to the license list.
> 
> Signed-off-by: Sven Püschel <[email protected]>
> Message-Id: <[email protected]>
> Signed-off-by: Michael Olbrich <[email protected]>
> 
> diff --git a/rules/host-xz.in b/rules/host-xz.in
> index 9d1b4fe6aec1..b38a42194d55 100644
> --- a/rules/host-xz.in
> +++ b/rules/host-xz.in
> @@ -2,6 +2,7 @@
>  
>  config HOST_XZ
>       tristate
> +     select HOST_CMAKE
>       default y if ALLYES
>       help
>         XZ-format compression utilities
> diff --git a/rules/host-xz.make b/rules/host-xz.make
> index c04db9567550..c719421b5da6 100644
> --- a/rules/host-xz.make
> +++ b/rules/host-xz.make
> @@ -15,35 +15,29 @@ HOST_PACKAGES-$(PTXCONF_HOST_XZ) += host-xz
>  # Prepare
>  # 
> ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -HOST_XZ_CONF_TOOL    := autoconf
> +HOST_XZ_CONF_TOOL    := cmake
>  HOST_XZ_CONF_OPT     := \
> -     $(HOST_AUTOCONF) \
> -     --disable-debug \
> -     --disable-external-sha256 \
> -     --disable-microlzma \
> -     --disable-lzip-decoder \
> -     --enable-assembler \
> -     --enable-clmul-crc \
> -     --disable-small \
> -     --enable-threads \
> -     --enable-xz \
> -     --disable-xzdec \
> -     --disable-lzmadec \
> -     --disable-lzmainfo \
> -     --disable-lzma-links \
> -     --disable-scripts \
> -     --disable-doc \
> -     --disable-sandbox \
> -     --enable-shared \
> -     --disable-static \
> -     --enable-symbol-versions \
> -     --disable-nls \
> -     --enable-rpath \
> -     --enable-unaligned-access=auto \
> -     --disable-unsafe-type-punning \
> -     --disable-werror
> +     $(HOST_CMAKE_OPT) \
> +     -DBUILD_SHARED_LIBS=ON \
> +     -DBUILD_TESTING=OFF \
> +     -DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
> +     -DXZ_DOC=OFF \
> +     -DXZ_DOXYGEN=OFF \
> +     -DXZ_EXTERNAL_SHA256=OFF \
> +     -DXZ_LZIP_DECODER=OFF \
> +     -DXZ_MICROLZMA_DECODER=OFF \
> +     -DXZ_MICROLZMA_ENCODER=OFF \
> +     -DXZ_NLS=OFF \
> +     -DXZ_SANDBOX=no \
> +     -DXZ_SMALL=OFF \
> +     -DXZ_SYMBOL_VERSIONING=linux \
> +     -DXZ_THREADS=yes \
> +     -DXZ_TOOL_LZMADEC=OFF \
> +     -DXZ_TOOL_LZMAINFO=OFF \
> +     -DXZ_TOOL_SCRIPTS=OFF \
> +     -DXZ_TOOL_SYMLINKS=OFF \
> +     -DXZ_TOOL_SYMLINKS_LZMA=OFF \
> +     -DXZ_TOOL_XZ=ON \
> +     -DXZ_TOOL_XZDEC=OFF
>  
>  # vim: syntax=make
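Review bot: `-DXZ_SANDBOX=no` carries the old `--disable-sandbox` over unchanged, here and in `XZ_CONF_OPT` in rules/xz.make, although this update is motivated by a memory-safety bug in the decoder. The host xz presumably unpacks downloaded source archives, so it does see untrusted input; upstream's CMake build also accepts `-DXZ_SANDBOX=auto`, which on Linux picks Landlock when the headers provide it. If the sandbox has to stay off (older build hosts or target kernels, for instance), a one-line comment such as `# sandbox off: <reason>` above the option would record that this is deliberate. The sandbox only confines the command-line tools, not other liblzma callers, so it complements the version bump rather than replacing it.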
> diff --git a/rules/xz.in b/rules/xz.in
> index 9f31a4f45343..f61a58f05c74 100644
> --- a/rules/xz.in
> +++ b/rules/xz.in
> @@ -2,6 +2,7 @@
>  
>  menuconfig XZ
>       tristate
> +     select HOST_CMAKE
>       prompt "xz                            "
>       help
>         XZ Utils is free general-purpose data compression software
> diff --git a/rules/xz.make b/rules/xz.make
> index f24a2ac03442..d80ce9276670 100644
> --- a/rules/xz.make
> +++ b/rules/xz.make
> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz
>  #
>  # Paths and names
>  #
> -XZ_VERSION   := 5.4.4
> -XZ_MD5               := fbb849a27e266964aefe26bad508144f
> +XZ_VERSION   := 5.8.1
> +XZ_MD5               := 1be5d8137d7b5e91fa9ff8a6fdc4895b
>  XZ           := xz-$(XZ_VERSION)
> -XZ_SUFFIX    := tar.bz2
> -XZ_URL               := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX)
> +XZ_SUFFIX    := tar.gz
> +XZ_URL               := 
> https://github.com/tukaani-project/xz/archive/refs/tags/v$(XZ_VERSION).$(XZ_SUFFIX)
>  XZ_SOURCE    := $(SRCDIR)/$(XZ).$(XZ_SUFFIX)
>  XZ_DIR               := $(BUILDDIR)/$(XZ)
> -XZ_LICENSE   := public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND 
> GPL-3.0-or-later
> +XZ_LICENSE   := 0BSD AND public_domain AND LGPL-2.1-or-later AND 
> GPL-2.0-or-later AND GPL-3.0-or-later
>  XZ_LICENSE_FILES := \
> -     file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
> +     file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
>       file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>       file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
>       file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c
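Review bot: The new `XZ_URL` points at GitHub's on-demand tag archive, and the only pin on that download is `XZ_MD5`, a digest that no longer resists deliberate collisions. Since the stated aim is to avoid tampered tarballs, it is worth recording next to the URL how the value was obtained, e.g. `# GitHub tag archive, not the signed release tarball; verified by: <how>`, and using a stronger digest if the build system offers one for sources. The archive is generated on request rather than stored, so a later change in how it is produced would surface as a checksum mismatch; the comment would tell whoever hits that how to re-verify instead of just updating the hash. The COPYING md5 under `XZ_LICENSE_FILES` is only a change detector for the licence text and is fine as is.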
> @@ -32,37 +32,30 @@ XZ_LICENSE_FILES := \
>  # Prepare
>  # 
> ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -XZ_CONF_TOOL := autoconf
> +XZ_CONF_TOOL := cmake
>  XZ_CONF_OPT  := \
> -     $(CROSS_AUTOCONF_USR) \
> -     --disable-debug \
> -     --disable-external-sha256 \
> -     --disable-microlzma \
> -     --disable-lzip-decoder \
> -     --enable-assembler \
> -     --enable-clmul-crc \
> -     --disable-small \
> -     --enable-threads \
> -     --$(call ptx/endis,PTXCONF_XZ_TOOLS)-xz \
> -     --$(call ptx/endis,PTXCONF_XZ_TOOLS)-xzdec \
> -     --disable-lzmadec \
> -     --disable-lzmainfo \
> -     --disable-lzma-links \
> -     --$(call ptx/endis,PTXCONF_XZ_TOOLS)-scripts \
> -     --disable-doc \
> -     --disable-sandbox \
> -     --enable-shared \
> -     --disable-static \
> -     --enable-symbol-versions \
> -     --disable-nls \
> -     --disable-rpath \
> -     $(GLOBAL_LARGE_FILE_OPTION) \
> -     --enable-unaligned-access=auto \
> -     --disable-unsafe-type-punning \
> -     --disable-werror
> +     $(CROSS_CMAKE_USR) \
> +     -DBUILD_SHARED_LIBS=ON \
> +     -DBUILD_TESTING=OFF \
> +     -DTUKLIB_USE_UNSAFE_TYPE_PUNNING=OFF \
> +     -DXZ_DOC=OFF \
> +     -DXZ_DOXYGEN=OFF \
> +     -DXZ_EXTERNAL_SHA256=OFF \
> +     -DXZ_LZIP_DECODER=OFF \
> +     -DXZ_MICROLZMA_DECODER=OFF \
> +     -DXZ_MICROLZMA_ENCODER=OFF \
> +     -DXZ_NLS=OFF \
> +     -DXZ_SANDBOX=no \
> +     -DXZ_SMALL=OFF \
> +     -DXZ_SYMBOL_VERSIONING=linux \
> +     -DXZ_THREADS=yes \
> +     -DXZ_TOOL_LZMADEC=OFF \
> +     -DXZ_TOOL_LZMAINFO=OFF \
> +     -DXZ_TOOL_SCRIPTS=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
> +     -DXZ_TOOL_SYMLINKS=OFF \
> +     -DXZ_TOOL_SYMLINKS_LZMA=OFF \
> +     -DXZ_TOOL_XZ=$(call ptx/onoff,PTXCONF_XZ_TOOLS) \
> +     -DXZ_TOOL_XZDEC=$(call ptx/onoff,PTXCONF_XZ_TOOLS)
>  
>  # 
> ----------------------------------------------------------------------------
>  # Target-Install
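Review bot: `$(GLOBAL_LARGE_FILE_OPTION)` is dropped from `XZ_CONF_OPT` with no CMake counterpart in the new list, so large-file support on 32-bit targets now depends on whatever `$(CROSS_CMAKE_USR)` and upstream's CMakeLists do, neither of which is visible in this patch. The same applies to `--enable-assembler`, `--enable-clmul-crc`, `--enable-unaligned-access=auto`, `--disable-rpath` and `--disable-werror`, here and (apart from the large-file option) in rules/host-xz.make. A short comment above the list, for example `# large-file support, CRC/asm selection and unaligned access are left to upstream's CMake defaults`, would make clear these were dropped on purpose rather than lost in translation.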
