Commit Graph

1735 Commits

Author SHA1 Message Date
Lasse Collin 2ba8173e27 Update THANKS. 2022-03-31 00:05:07 +03:00
Lasse Collin 69d1b3fc29 xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.

xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
This patch works for all of them.

This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.

The issue with the old sed script is that with multiple newlines,
the N-command will read the second line of input, then the
s-commands will be skipped because it's not the end of the
file yet, then a new sed cycle starts and the pattern space
is printed and emptied. So only the last line or two get escaped.

One way to fix this would be to read all lines into the pattern
space first. However, the included fix is even simpler: All lines
except the last line get a backslash appended at the end. To ensure
that shell command substitution doesn't eat a possible trailing
newline, a colon is appended to the filename before escaping.
The colon is later used to separate the filename from the grep
output so it is fine to add it here instead of a few lines later.

The old code also wasn't POSIX compliant as it used \n in the
replacement section of the s-command. Using \<newline> is the
POSIX compatible method.

LC_ALL=C was added to the two critical sed commands. POSIX sed
manual recommends it when using sed to manipulate pathnames
because in other locales invalid multibyte sequences might
cause issues with some sed implementations. In case of GNU sed,
these particular sed scripts wouldn't have such problems but some
other scripts could have, see:

    info '(sed)Locale Considerations'

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative

Thanks to Jim Meyering and Paul Eggert discussing the different
ways to fix this and for coordinating the patch release schedule
with gzip.
2022-03-29 20:10:50 +03:00
Lasse Collin bd93b776c1 liblzma: Fix a deadlock in threaded decoder.
If a worker thread has consumed all input so far and it's
waiting on thr->cond and then the main thread enables
partial update for that thread, the code used to deadlock.
This commit allows one dummy decoding pass to occur in this
situation which then also does the partial update.

As part of the fix, this moves thr->progress_* updates to
avoid the second thr->mutex locking.

Thanks to Jia Tan for finding, debugging, and reporting the bug.
2022-03-26 01:15:32 +02:00
Lasse Collin e0394e9423 Update THANKS. 2022-03-23 16:34:00 +02:00
Lasse Collin 487c77d487 liblzma: Threaded decoder: Don't stop threads on LZMA_TIMED_OUT.
LZMA_TIMED_OUT is not an error and thus stopping threads on
LZMA_TIMED_OUT breaks the decoder badly.

Thanks to Jia Tan for finding the bug and for the patch.
2022-03-23 16:28:55 +02:00
Lasse Collin 6c6da57ae2 xz: Add initial support for threaded decompression.
If threading support is enabled at build time, this will
use lzma_stream_decoder_mt() even for single-threaded mode.
With memlimit_threading=0 the behavior should be identical.

This needs some work like adding --memlimit-threading=LIMIT.

The original patch from Sebastian Andrzej Siewior included
a method to get currently available RAM on Linux. It might
be one way to go but as it is Linux-only, the available-RAM
approach needs work for portability or using a fallback method
on other OSes.

The man page wasn't updated yet.
2022-03-07 00:36:16 +02:00
Lasse Collin 4cce3e27f5 liblzma: Add threaded .xz decompressor.
I realize that this is about a decade late.

Big thanks to Sebastian Andrzej Siewior for the original patch.
I made a bunch of smaller changes but after a while quite a few
things got rewritten. So any bugs in the commit were created by me.
2022-03-07 00:35:53 +02:00
Lasse Collin 717631b978 liblzma: Fix docs: lzma_block_decoder() cannot return LZMA_UNSUPPORTED_CHECK.
If Check is unsupported, it will be silently ignored.
It's the caller's job to handle it.
2022-03-06 16:54:23 +02:00
Lasse Collin 1a4bb97a00 liblzma: Add new output queue (lzma_outq) features.
Add lzma_outq_clear_cache2() which may leave one buffer allocated
in the cache.

Add lzma_outq_outbuf_memusage() to get the memory needed for
a single lzma_outbuf. This is now used internally in outqueue.c too.

Track both the total amount of memory allocated and the amount of
memory that is in active use (not in cache).

In lzma_outbuf, allow storing the current input position that
matches the current output position. This way the main thread
can notice when no more output is possible without first providing
more input.

Allow specifying return code for lzma_outq_read() in a finished
lzma_outbuf.
2022-03-06 16:41:19 +02:00
Lasse Collin ddbc6f58c2 liblzma: Index hash: Change return value type of hash_append() to void. 2022-03-06 15:18:58 +02:00
Lasse Collin 20e7a33e2d liblzma: Minor addition to lzma_vli_size() API doc.
Thanks to Jia Tan.
2022-02-22 03:42:57 +02:00
Lasse Collin 4f78f5fcf6 liblzma: Check the return value of lzma_index_append() in threaded encoder.
If lzma_index_append() failed (most likely memory allocation failure)
it could have gone unnoticed and the resulting .xz file would have
an incorrect Index. Decompressing such a file would produce the
correct uncompressed data but then an error would occur when
verifying the Index field.
2022-02-22 02:04:18 +02:00
Lasse Collin 5313ad66b4 Update THANKS. 2022-02-22 01:37:39 +02:00
Ed Maste 865e0a3689 liblzma: Use non-executable stack on FreeBSD as on Linux 2022-02-22 01:23:34 +02:00
Lasse Collin 1c9a5786d2 liblzma: Make Block decoder catch certain types of errors better.
Now it limits the input and output buffer sizes that are
passed to a raw decoder. This way there's no need to check
if the sizes can grow too big or overflow when updating
Compressed Size and Uncompressed Size counts. This also means
that a corrupt file cannot cause the raw decoder to process
useless extra input or output that would exceed the size info
in Block Header (and thus cause LZMA_DATA_ERROR anyway).

More importantly, now the size information is verified more
carefully in case raw decoder returns LZMA_OK. This doesn't
really matter with the current single-threaded .xz decoder
as the errors would be detected slightly later anyway. But
this helps avoiding corner cases in the upcoming threaded
decompressor, and it might help other Block decoder uses
outside liblzma too.

The test files bad-1-lzma2-{9,10,11}.xz test these conditions.
With the single-threaded .xz decoder the only difference is
that LZMA_DATA_ERROR is detected in a difference place now.
2022-02-20 20:36:27 +02:00
Lasse Collin 555de11873 Tests: Add bad-1-lzma2-11.xz. 2022-02-20 19:38:55 +02:00
Lasse Collin f0da507f22 Translations: Fix po4a failure with the French man page translations.
Thanks to Mario Blättermann for the patch.
2022-02-18 18:51:10 +02:00
Lasse Collin f7711d228c Translations: Add French translation of man pages.
This matches xz-utils 5.2.5-2 in Debian.

The translation was done by "bubu", proofread by the debian-l10n-french
mailing list contributors, and submitted to me on the xz-devel mailing
list by Jean-Pierre Giraud. Thanks to everyone!
2022-02-07 01:30:06 +02:00
jiat75 6468f7e41a liblzma: Add NULL checks to LZMA and LZMA2 properties encoders.
Previously lzma_lzma_props_encode() and lzma_lzma2_props_encode()
assumed that the options pointers must be non-NULL because the
with these filters the API says it must never be NULL. It is
good to do these checks anyway.
2022-02-07 00:20:01 +02:00
Lasse Collin 2523c30705 liblzma: Fix uint64_t vs. size_t confusion.
This broke 32-bit builds due to a pointer type mismatch.

This bug was introduced with the output-size-limited encoding
in 625f4c7c99.

Thanks to huangqinjin for the bug report.
2022-02-06 23:19:32 +02:00
huangqinjin 2bd36c91d0 CMake: Keep compatible with Windows 95 for 32-bit build. 2022-02-06 22:49:39 +02:00
Lasse Collin 2024fbf279 xzgrep: Update man page timestamp. 2021-11-13 21:04:05 +02:00
Lasse Collin 400e7a239a Update THANKS. 2021-11-13 18:23:24 +02:00
Ville Skyttä 3a512c7787 xzgrep: use `grep -E/-F` instead of `egrep` and `fgrep`
`egrep` and `fgrep` have been deprecated in GNU grep since 2007, and in
current post 3.7 Git they have been made to emit obsolescence warnings:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=a9515624709865d480e3142fd959bccd1c9372d1
2021-11-13 18:17:33 +02:00
Lasse Collin edf525e2b1 Bump the version number for 5.3.2alpha. 2021-10-28 23:02:11 +03:00
Lasse Collin ea8c948655 Add NEWS for 5.3.2alpha. 2021-10-28 22:59:52 +03:00
Lasse Collin 52435f302f Update THANKS. 2021-10-27 23:27:48 +03:00
Lasse Collin f2aea1d5a5 xz: Change the coding style of the previous commit.
It isn't any better now but it's consistent with
the rest of the code base.
2021-10-27 23:23:11 +03:00
Alexander Bluhm 892b16cc28 xz: Avoid fchown(2) failure.
OpenBSD does not allow to change the group of a file if the user
does not belong to this group.  In contrast to Linux, OpenBSD also
fails if the new group is the same as the old one.  Do not call
fchown(2) in this case, it would change nothing anyway.

This fixes an issue with Perl Alien::Build module.
https://github.com/PerlAlien/Alien-Build/issues/62
2021-10-27 20:49:41 +03:00
Lasse Collin 2b509c868c liblzma: Fix liblzma.map for the lzma_microlzma_* symbols.
This should have been part of d267d109c3.

Thanks to Gao Xiang.
2021-09-17 17:31:11 +03:00
Lasse Collin cacb06a954 Update THANKS. 2021-09-09 22:21:07 +03:00
Lasse Collin 6928aac9da liblzma: Use _MSVC_LANG to detect when "noexcept" can be used with MSVC.
By default, MSVC always sets __cplusplus to 199711L. The real
C++ standard version is available in _MSVC_LANG (or one could
use /Zc:__cplusplus to set __cplusplus correctly).

Fixes <https://sourceforge.net/p/lzmautils/discussion/708858/thread/f6bc3b108a/>.

Thanks to Dan Weiss.
2021-09-09 21:41:51 +03:00
Lasse Collin d267d109c3 liblzma: Rename EROFS LZMA to MicroLZMA.
It still exists primarily for EROFS but MicroLZMA is
a more generic name (that hopefully doesn't clash with
something that already exists).
2021-09-05 20:38:12 +03:00
Lasse Collin 3247e95115 xzdiff: Update the man page about the exit status.
This was forgotten from 194029ffaf.
2021-06-04 19:02:38 +03:00
Lasse Collin 96f5a28a46 xzless: Fix less(1) version detection when it contains a dot.
Sometimes the version number from "less -V" contains a dot,
sometimes not. xzless failed detect the version number when
it does contain a dot. This fixes it.

Thanks to nick87720z for reporting this. Apparently it had been
reported here <https://bugs.gentoo.org/489362> in 2013.
2021-06-04 18:52:48 +03:00
Lasse Collin 5fb5212d81 Update THANKS. 2021-04-11 19:58:10 +03:00
Ivan A. Melnikov fc3d3a7296 Reduce maximum possible memory limit on MIPS32
Due to architectural limitations, address space available to a single
userspace process on MIPS32 is limited to 2 GiB, not 4, even on systems
that have more physical RAM -- e.g. 64-bit systems with 32-bit
userspace, or systems that use XPA (an extension similar to x86's PAE).

So, for MIPS32, we have to impose stronger memory limits. I've chosen
2000MiB to give the process some headroom.
2021-04-11 19:50:41 +03:00
Lasse Collin e7da44d515 CMake: Use interface library for better FindLibLZMA compatibility.
https://www.mail-archive.com/xz-devel@tukaani.org/msg00446.html

Thanks to Markus Rickert.
2021-02-13 23:31:27 +02:00
Lasse Collin a61dd82ada CMake: Try to improve compatibility with the FindLibLZMA module.
The naming conflict with FindLibLZMA module gets worse.
Not avoiding it in the first place was stupid.

Normally find_package(LibLZMA) will use the module and
find_package(liblzma 5.2.5 REQUIRED CONFIG) will use the config
file even with a case insensitive file system. However, if
CMAKE_FIND_PACKAGE_PREFER_CONFIG is TRUE and the file system
is case insensitive, find_package(LibLZMA) will find our liblzma
config file instead of using FindLibLZMA module.

One big problem with this is that FindLibLZMA uses
LibLZMA::LibLZMA and we use liblzma::liblzma as the target
name. With target names CMake happens to be case sensitive.
To workaround this, this commit adds

    add_library(LibLZMA::LibLZMA ALIAS liblzma::liblzma)

to the config file. Then both spellings work.

To make the behavior consistent between case sensitive and
insensitive file systems, the config and related files are
renamed from liblzmaConfig.cmake to liblzma-config.cmake style.
With this style CMake looks for lowercase version of the package
name so find_package(LiBLzmA 5.2.5 REQUIRED CONFIG) will work
to find our config file.

There are other differences between our config file and
FindLibLZMA so it's still possible that things break for
reasons other than the spelling of the target name. Hopefully
those situations aren't too common.

When the config file is available, it should always give as good or
better results as FindLibLZMA so this commit doesn't affect the
recommendation to use find_package(liblzma 5.2.5 REQUIRED CONFIG)
which explicitly avoids FindLibLZMA.

Thanks to Markus Rickert.
2021-01-30 18:36:04 +02:00
Lasse Collin 5b7bc1b8ae Update THANKS. 2021-01-29 21:19:43 +02:00
Lasse Collin 6c6f0db340 liblzma: Fix unitialized variable.
This was introduced two weeks ago in the commit
625f4c7c99.

Thanks to Nathan Moinvaziri.
2021-01-29 21:19:08 +02:00
Lasse Collin bb1d5c1fdd Tests: Add bad-1-lzma2-10.xz and also modify -9.xz. 2021-01-24 22:32:41 +02:00
Lasse Collin 6b8abc84a5 liblzma: Fix a wrong comment in stream_encoder_mt.c. 2021-01-24 19:22:35 +02:00
Lasse Collin 939fc5ed65 Tests: Add bad-1-lzma2-9.xz. 2021-01-24 18:51:51 +02:00
Lasse Collin fdd30032f8 Tests: Add bad-1-check-crc32-2.xz. 2021-01-24 17:04:51 +02:00
Lasse Collin db465419ae liblzma: In EROFS LZMA decoder, verify that comp_size matches at the end.
When the uncompressed size is known to be exact, after decompressing
the stream exactly comp_size bytes of input must have been consumed.
This is a minor improvement to error detection.
2021-01-17 19:20:50 +02:00
Lasse Collin 774cc0118b liblzma: Make EROFS LZMA decoder work when exact uncomp_size isn't known.
The caller must still not specify an uncompressed size bigger
than the actual uncompressed size.

As a downside, this now needs the exact compressed size.
2021-01-17 18:53:34 +02:00
Lasse Collin 421b0aa352 liblzma: Fix missing normalization in rc_encode_dummy().
Without this fix it could attempt to create too much output.
2021-01-14 20:57:11 +02:00
Lasse Collin 601ec0311e liblzma: Add EROFS LZMA encoder and decoder.
Right now this is just a planned extra-compact format for use
in the EROFS file system in Linux. At this point it's possible
that the format will either change or be abandoned and removed
completely.

The special thing about the encoder is that it uses the
output-size-limited encoding added in the previous commit.
EROFS uses fixed-sized blocks (e.g. 4 KiB) to hold compressed
data so the compressors must be able to create valid streams
that fill the given block size.
2021-01-14 20:10:59 +02:00
Lasse Collin 625f4c7c99 liblzma: Add rough support for output-size-limited encoding in LZMA1.
With this it is possible to encode LZMA1 data without EOPM so that
the encoder will encode as much input as it can without exceeding
the specified output size limit. The resulting LZMA1 stream will
be a normal LZMA1 stream without EOPM. The actual uncompressed size
will be available to the caller via the uncomp_size pointer.

One missing thing is that the LZMA layer doesn't inform the LZ layer
when the encoding is finished and thus the LZ may read more input
when it won't be used. However, this doesn't matter if encoding is
done with a single call (which is the planned use case for now).
For proper multi-call encoding this should be improved.

This commit only adds the functionality for internal use.
Nothing uses it yet.
2021-01-14 18:58:13 +02:00