Add NEWS for 5.6.3

2024-10-01 12:17:39 +03:00 · 2024-10-01 12:17:39 +03:00 · f52857ffde
parent b8f52990b5
commit f52857ffde
1 changed files with 125 additions and 0 deletions
--- a/125
+++ b/125
@ -2,6 +2,131 @@
 XZ Utils Release Notes
 ======================
 5.6.3 (2024-10-01)
    IMPORTANT: This includes a Windows-specific security fix to
    the command line tools. liblzma isn't affected by this issue.
    * liblzma:
        - Fix x86-64 inline assembly compatibility with GNU Binutils
          older than 2.27.
        - Fix the build with GCC 4.2 on OpenBSD/sparc64.
    * xzdec: Display an error instead of failing silently if the
      unsupported option -M is specified.
    * lzmainfo: Fix integer overflows when rounding the dictionary and
      uncompressed sizes to the nearest mebibyte.
    * Windows (except Cygwin and MSYS2): Add an application manifest to
      xz, xzdec, lzmadec, and lzmainfo executables:
        - Declare them compatible with Vista/7/8/8.1/10/11. This way
          the programs won't needlessly use Operating System Context
          of Vista when running on later Windows versions. This setting
          doesn't mean that the executables cannot run on even older
          versions if otherwise built that way.
        - Declare them as UAC-compliant. MSVC added this by default
          already but it wasn't done with MinGW-w64, at least not
          with all toolchain variants.
        - Declare them long path aware. This makes long path names
          work on Windows 10 and 11 if the feature has been enabled
          in the Windows registry.
        - Use the UTF-8 code page on Windows 10 version 1903 and later.
            * Now command line tools can access files whose names
              contain characters that don't exist in the current
              legacy code page.
            * The options --files and --files0 now expect file lists
              to be in UTF-8 instead of the legacy code page.
            * This fixes a security issue: If a command line contains
              Unicode characters (for example, filenames) that don't
              exist in the current legacy code page, the characters are
              converted to similar-looking characters with best-fit
              mapping. Some best-fit mappings result in ASCII
              characters that change the meaning of the command line,
              which can be exploited with malicious filenames to do
              argument injection or directory traversal attacks.
              UTF-8 avoids best-fit mappings and thus fixes the issue.
              Forcing the process code page to UTF-8 is possible only
              on Windows 10 version 1903 and later. The command line
              tools remain vulnerable if used on an old older
              version of Windows.
              This issue was discovered by Orange Tsai and splitline
              from DEVCORE Research Team.
              A related smaller issue remains: Windows filenames may
              contain unpaired surrogates (invalid UTF-16). These are
              converted to the replacement character U+FFFD in the
              UTF-8 code page. Thus, filenames with different unpaired
              surrogates appear identical and aren't distinguishable
              from filenames that contain the actual replacement
              character U+FFFD.
            * When building with MinGW-w64, it is recommended to use
              UCRT version instead of the old MSVCRT. For example,
              non-ASCII characters from filenames won't print
              correctly in messages to console with MSVCRT with
              the UTF-8 code page (a cosmetic issue). liblzma-only
              builds are still fine with MSVCRT.
        - Cygwin and MSYS2 process command line options differently and
          the above issues don't exist. There is no need to replace the
          default application manifest on Cygwin and MSYS2.
    * Autotools-based build:
        - Fix feature checks with link-time optimization (-flto).
        - Solaris: Fix a compatibility issue in version.sh. It matters
          if one wants to regenerate configure by running autoconf.
    * CMake:
        - Use paths relative to ${prefix} in liblzma.pc when possible.
          This is done only with CMake >= 3.20.
        - MSVC: Install liblzma.pc as it can be useful with MSVC too.
        - Windows: Fix liblzma filename prefix, for example:
            * Cygwin: The DLL was incorrectly named liblzma-5.dll.
              Now it is cyglzma-5.dll.
            * MSVC: Rename import library from liblzma.lib to lzma.lib
              while keeping liblzma.dll name as is. This helps with
              "pkgconf --msvc-syntax --libs liblzma" because it mungles
              "-llzma" in liblzma.pc to "lzma.lib".
            * MinGW-w64: No changes.
        - Windows: Use the correct resource file for lzmadec.exe.
          Previously the resource file for xzdec.exe was used for both.
          Autotools-based build isn't affected.
        - Prefer a C11 compiler over a C99 compiler but accept both.
        - Link Threads::Threads against liblzma using PRIVATE so that
          -pthread and such flags won't unnecessarily get included in
          the usage requirements of shared liblzma. That is,
          target_link_libraries(foo PRIVATE liblzma::liblzma) no
          longer adds -pthread if using POSIX threads and linking
          against shared liblzma. The threading flags are still added
          if linking against static liblzma.
    * Updated translations: Catalan, Chinese (simplified), and
      Brazilian Portuguese.
 5.6.2 (2024-05-29)
    * Remove the backdoor (CVE-2024-3094).