diff --git a/NEWS b/NEWS index d3f7d602..4c79b18f 100644 --- a/NEWS +++ b/NEWS 
@@ -2,6 +2,232 @@ XZ Utils Release Notes ====================== +5.2.6 (2022-08-12) + + * xz: + + - The --keep option now accepts symlinks, hardlinks, and + setuid, setgid, and sticky files. Previously this required + using --force. + + - When copying metadata from the source file to the destination + file, don't try to set the group (GID) if it is already set + correctly. This avoids a failure on OpenBSD (and possibly on + a few other OSes) where files may get created so that their + group doesn't belong to the user, and fchown(2) can fail even + if it needs to do nothing. + + - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on + MIPS32 because on MIPS32 userspace processes are limited + to 2 GiB of address space. + + * liblzma: + + - Fixed a missing error-check in the threaded encoder. If a + small memory allocation fails, a .xz file with an invalid + Index field would be created. Decompressing such a file would + produce the correct output but result in an error at the end. + Thus this is a "mild" data corruption bug. Note that while + a failed memory allocation can trigger the bug, it cannot + cause invalid memory access. + + - The decoder for .lzma files now supports files that have + uncompressed size stored in the header and still use the + end of payload marker (end of stream marker) at the end + of the LZMA stream. Such files are rare but, according to + the documentation in LZMA SDK, they are valid. + doc/lzma-file-format.txt was updated too. + + - Improved 32-bit x86 assembly files: + * Support Intel Control-flow Enforcement Technology (CET) + * Use non-executable stack on FreeBSD. + + - Visual Studio: Use non-standard _MSVC_LANG to detect C++ + standard version in the lzma.h API header. It's used to + detect when "noexcept" can be used. + + * xzgrep: + + - Fixed arbitrary command injection via a malicious filename + (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for + this was released to the public on 2022-04-07. 
A slight + robustness improvement has been made since then and, if + using GNU or *BSD grep, a new faster method is now used + that doesn't use the old sed-based construct at all. This + also fixes bad output with GNU grep >= 3.5 (2020-09-27) + when xzgrepping binary files. + + This vulnerability was discovered by: + cleemy desu wayo working with Trend Micro Zero Day Initiative + + - Fixed detection of corrupt .bz2 files. + + - Improved error handling to fix exit status in some situations + and to fix handling of signals: in some situations a signal + didn't make xzgrep exit when it clearly should have. It's + possible that the signal handling still isn't quite perfect + but hopefully it's good enough. + + - Documented exit statuses on the man page. + + - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead + of the deprecated egrep and fgrep commands. + + - Fixed parsing of the options -E, -F, -G, -P, and -X. The + problem occurred when multiple options were specied in + a single argument, for example, + + echo foo | xzgrep -Fe foo + + treated foo as a filename because -Fe wasn't correctly + split into -F -e. + + - Added zstd support. + + * xzdiff/xzcmp: + + - Fixed wrong exit status. Exit status could be 2 when the + correct value is 1. + + - Documented on the man page that exit status of 2 is used + for decompression errors. + + - Added zstd support. + + * xzless: + + - Fix less(1) version detection. It failed if the version number + from "less -V" contained a dot. + + * Translations: + + - Added new translations: Catalan, Croatian, Esperanto, + Korean, Portuguese, Romanian, Serbian, Spanish, Swedish, + and Ukrainian + + - Updated the Brazilian Portuguese translation. + + - Added French man page translation. This and the existing + German translation aren't complete anymore because the + English man pages got a few updates and the translators + weren't reached so that they could update their work. 
+ + * Build systems: + + - Windows: Fix building of resource files when config.h isn't + used. CMake + Visual Studio can now build liblzma.dll. + + - Various fixes to the CMake support. Building static or shared + liblzma should work fine in most cases. In contrast, building + the command line tools with CMake is still clearly incomplete + and experimental and should be used for testing only. + + +5.2.5 (2020-03-17) + + * liblzma: + + - Fixed several C99/C11 conformance bugs. Now the code is clean + under gcc/clang -fsanitize=undefined. Some of these changes + might have a negative effect on performance with old GCC + versions or compilers other than GCC and Clang. The configure + option --enable-unsafe-type-punning can be used to (mostly) + restore the old behavior but it shouldn't normally be used. + + - Improved API documentation of lzma_properties_decode(). + + - Added a very minor encoder speed optimization. + + * xz: + + - Fixed a crash in "xz -dcfv not_an_xz_file". All four options + were required to trigger it. The crash occurred in the + progress indicator code when xz was in passthru mode where + xz works like "cat". + + - Fixed an integer overflow with 32-bit off_t. It could happen + when decompressing a file that has a long run of zero bytes + which xz would try to write as a sparse file. Since the build + system enables large file support by default, off_t is + normally 64-bit even on 32-bit systems. + + - Fixes for --flush-timeout: + * Fix semi-busy-waiting. + * Avoid unneeded flushes when no new input has arrived + since the previous flush was completed. + + - Added a special case for 32-bit xz: If --memlimit-compress is + used to specify a limit that exceeds 4020 MiB, the limit will + be set to 4020 MiB. The values "0" and "max" aren't affected + by this and neither is decompression. This hack can be + helpful when a 32-bit xz has access to 4 GiB address space + but the specified memlimit exceeds 4 GiB. This can happen + e.g. with some scripts. 
+ + - Capsicum sandbox is now enabled by default where available + (FreeBSD >= 10). The sandbox debug messages (xz -vv) were + removed since they seemed to be more annoying than useful. + + - DOS build now requires DJGPP 2.05 instead of 2.04beta. + A workaround for a locale problem with DJGPP 2.05 was added. + + * xzgrep and other scripts: + + - Added a configure option --enable-path-for-scripts=PREFIX. + It is disabled by default except on Solaris where the default + is /usr/xpg4/bin. See INSTALL for details. + + - Added a workaround for a POSIX shell detection problem on + Solaris. + + * Build systems: + + - Added preliminary build instructions for z/OS. See INSTALL + section 1.2.9. + + - Experimental CMake support was added. It should work to build + static liblzma on a few operating systems. It may or may not + work to build shared liblzma. On some platforms it can build + xz and xzdec too but those are only for testing. See the + comment in the beginning of CMakeLists.txt for details. + + - Visual Studio project files were updated. + WindowsTargetPlatformVersion was removed from VS2017 files + and set to "10.0" in the added VS2019 files. In the future + the VS project files will be removed when CMake support is + good enough. + + - New #defines in config.h: HAVE___BUILTIN_ASSUME_ALIGNED, + HAVE___BUILTIN_BSWAPXX, and TUKLIB_USE_UNSAFE_TYPE_PUNNING. + + - autogen.sh has a new optional dependency on po4a and a new + option --no-po4a to skip that step. This matters only if one + wants to remake the build files. po4a is used to update the + translated man pages but as long as the man pages haven't + been modified, there's nothing to update and one can use + --no-po4a to avoid the dependency on po4a. + + * Translations: + + - XZ Utils translations are now handled by the Translation + Project: https://translationproject.org/domain/xz.html + + - All man pages are now included in German too. 
+ + - New xz translations: Brazilian Portuguese, Finnish, + Hungarian, Chinese (simplified), Chinese (traditional), + and Danish (partial translation) + + - Updated xz translations: French, German, Italian, and Polish + + - Unfortunately a few new xz translations weren't included due + to technical problems like too long lines in --help output or + misaligned column headings in tables. In the future, many of + these strings will be split and e.g. the table column + alignment will be handled in software. This should make the + strings easier to translate. + + 5.2.5 (2020-03-17) * liblzma:
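Review bot: The added block carries a full second 5.2.5 (2020-03-17) entry, starting at the `+5.2.5 (2020-03-17)` line and ending directly above the existing `5.2.5 (2020-03-17)` header that appears as unchanged context, so NEWS will list that release twice once this applies. If the existing entry is out of date, update it in place instead of prepending a copy; otherwise drop the added 5.2.5 lines and keep only the 5.2.6 section. In the 5.2.6 xzgrep item about parsing -E, -F, -G, -P, and -X, "specied" should be "specified".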