mirror of https://git.tukaani.org/xz.git synced 2025-02-21 16:08:12 +00:00

2682 Commits

Author SHA1 Message Date
Lasse Collin
b0bb84dd7b Update THANKS 2024-12-18 17:09:29 +02:00
Dexter Castor Döpping
bee0c044d3 liblzma: Fix incorrect macro name in a comment
Fixes: 33b8a24b6646a9dbfd8358405aec466b13078559
Closes: https://github.com/tukaani-project/xz/pull/155
2024-12-18 17:09:29 +02:00
Lasse Collin
2cfa1ad0a9 license-check.sh: Add an exception for doc/SHA256SUMS
Fixes: 36b531022f24a2ab57a2dfb9e5052f1c176e9d9a
2024-12-18 17:09:21 +02:00
Lasse Collin
36b531022f doc/SHA256SUMS: Add the list of SHA-256 hashes of release files
The release files are signed but verifying the signatures cannot
catch certain types of attacks:

1. A malicious maintainer could make more than one variant of
   a package. One could be for general distribution. Another
   with malicious content could be targeted to specific users,
   for example, distributing the malicious version on a mirror
   controlled by the attacker.

2. If the signing key of an honest maintainer was compromised
   without being detected, a similar situation as described
   above could occur.

SHA256SUMS could be put on the project website but having it in
the Git repository makes it obvious that old lines aren't modified
when the file is updated.

Hashes of uncompressed files are included too. This way tarballs
can be recompressed and the hashes can still be verified.
2024-12-01 21:38:17 +02:00
Lasse Collin
fe9e66993f Docs: Remove .github/SECURITY.md
One of the reasons to have this file in the xz repository was to
show vulnerability reporting info in the Security section on GitHub.
On 2024-11-25, I added SECURITY.md to the tukaani-project organization
on GitHub:

    https://github.com/tukaani-project/.github/blob/main/SECURITY.md

GitHub shows that file in all projects in the organization unless
overridden by a project-specific SECURITY.md. Thus, removing
the file from the xz repo makes GitHub show the organization-wide
text instead.

Maintaining a single copy for the whole GitHub organization makes
things simpler. It's also nicer to have fewer GitHub-specific files
in the xz repo. Information how to report bugs (including security
issues) is available in README and on the home page too.

The OpenSSF Scorecard tool didn't find .github/SECURITY.md from the
xz repository. There was a suggestion to move the file to the top-level
directory where Scorecard should find it. However, Scorecard does find
the organization-wide SECURITY.md. Thus, the file isn't needed in the
xz repository to score points in the Scorecard game:

    https://scorecard.dev/viewer/?uri=github.com/tukaani-project/xz

Closes: https://github.com/tukaani-project/xz/issues/148
Closes: https://github.com/tukaani-project/xz/pull/149
2024-11-30 12:05:59 +02:00
Lasse Collin
b361772736 Translations: Update the Chinese (traditional) translation 2024-11-30 10:27:14 +02:00
Lasse Collin
c15115f7ed liblzma: Optimize the loop conditions in BCJ filters
Compilers cannot optimize the addition "i + 4" away since theoretically
it could overflow.
2024-11-26 19:17:42 +02:00
Lasse Collin
9f69e71e78 Update THANKS 2024-11-25 16:26:54 +02:00
Mark Wielaard
48ff3f0652 xz: Landlock: Fix a file descriptor leak 2024-11-25 12:28:44 +02:00
Sam James
dbca3d078e CI: update FreeBSD, NetBSD, OpenBSD, Solaris actions
Checked the changes and they're all innocuous. This should hopefully
fix the "externally managed" pip error in these jobs that started
recently.
2024-10-02 10:10:54 +03:00
Lasse Collin
a94b85bea3 Add NEWS for 5.6.3 2024-10-01 20:06:54 +03:00
Lasse Collin
be4bf94446 cmake/tuklib_large_file_support.cmake: Add a missing include
v5.2 didn't build with CMake. Other branches had
include(CMakePushCheckState) in top-level CMakeLists.txt
which made the build work.

Fixes: 597f49b61475438a43a417236989b2acc968a686
2024-10-01 14:49:41 +03:00
Lasse Collin
1ebbe915d4 Update THANKS 2024-10-01 12:10:23 +03:00
Lasse Collin
74702ee00e Tests/Windows: Add the application manifest to the test programs
This ensures that the test programs get executed the same way as
the binaries that are installed.
2024-10-01 12:10:23 +03:00
Lasse Collin
7ddf2273e0 license-check.sh: Add an exception for w32_application.manifest
The file gets embedded as is into executables, thus it cannot
hold a license identifier.
2024-10-01 12:10:23 +03:00
Lasse Collin
46ee006162 Windows: Embed an application manifest in the EXE files
IMPORTANT: This includes a security fix to command line tool
           argument handling.

Some toolchains embed an application manifest by default to declare
UAC-compliance. Some also declare compatibility with Vista/8/8.1/10/11
to let the app access features newer than those of Vista.

We want all the above but also two more things:

  - Declare that the app is long path aware to support paths longer
    than 259 characters (this may also require a registry change).

  - Force the code page to UTF-8. This allows the command line tools
    to access files whose names contain characters that don't exist
    in the current legacy code page (except unpaired surrogates).
    The UTF-8 code page also fixes security issues in command line
    argument handling which can be exploited with malicious filenames.
    See the new file w32_application.manifest.comments.txt.

Thanks to Orange Tsai and splitline from DEVCORE Research Team
for discovering this issue.

Thanks to Vijay Sarvepalli for reporting the issue to me.

Thanks to Kelvin Lee for testing with MSVC and helping with
the required build system fixes.
2024-10-01 12:10:23 +03:00
Lasse Collin
dad1530915 Windows: Set DLL name accurately in StringFileInfo on Cygwin and MSYS2
Now the information in the "Details" tab in the file properties
dialog matches the naming convention of Cygwin and MSYS2. This
is only a cosmetic change.
2024-09-30 16:55:23 +03:00
Lasse Collin
8940ecb96f common_w32res.rc: White space edits
LANGUAGE and VS_VERSION_INFO begin new statements so put an empty line
between them.
2024-09-29 01:27:16 +03:00
Lasse Collin
c3b9dad07d CMake: Add the resource files to the Cygwin and MSYS2 builds
Autotools-based build has always done this so this is for consistency.

However, the CMake build won't create the DEF file when building
for Cygwin or MSYS2 because in that context it should be useless.
(If Cygwin or MSYS2 is used to host building of normal Windows
binaries then the DEF file is still created.)
2024-09-29 01:26:45 +03:00
Lasse Collin
da4f275bd1 CMake: Fix Windows resource file dependencies
If common_w32res.rc is modified, the resource files need to be rebuilt.
In contrast, the liblzma*.map files truly are link dependencies.
2024-09-29 01:26:13 +03:00
Lasse Collin
1c673c0aac CMake: Checking for CYGWIN covers MSYS2 too
On MSYS2, both CYGWIN and MSYS are set.
2024-09-29 01:26:13 +03:00
Lasse Collin
6aaa0173b8 Translations: Add the SPDX license identifier to pt_BR.po 2024-09-28 09:38:13 +03:00
Lasse Collin
dc7b9f24b7 Windows/CMake: Use the correct resource file for lzmadec.exe
CMakeLists.txt was using xzdec_w32res.rc for both xzdec and lzmadec.

Fixes: 998d0b29536094a89cf385a3b894e157db1ccefe
2024-09-25 21:31:06 +03:00
Lasse Collin
b834ae5f80 Translations: Update the Brazilian Portuguese translation 2024-09-25 21:29:59 +03:00
Lasse Collin
eceb023d4c Update THANKS 2024-09-17 01:26:02 +03:00
Tobias Stoeckmann
76cfd0a9bb lzmainfo: Avoid integer overflow
The MB output can overflow with huge numbers. Most likely these are
invalid .lzma files anyway, but let's avoid garbage output.

lzmadec was adapted from LZMA Utils. The original code with this bug
was written in 2005, over 19 years ago.

Co-authored-by: Lasse Collin <lasse.collin@tukaani.org>
Closes: https://github.com/tukaani-project/xz/pull/144
2024-09-17 01:26:02 +03:00
Tobias Stoeckmann
78355aebb7 xzdec: Remove unused short option -M
"xzdec -M123" exited with exit status 1 without printing
any messages. The "M:" entry should have been removed when
the memory usage limiter support was removed from xzdec.

Fixes: 792331bdee706aa852a78b171040ebf814c6f3ae
Closes: https://github.com/tukaani-project/xz/pull/143
[ Lasse: Commit message edits ]
2024-09-16 23:33:29 +03:00
Lasse Collin
e5758db7bd Update THANKS 2024-09-10 13:54:47 +03:00
Firas Khalil Khana
80ffa38f56 Build: Fix a typo in autogen.sh
Fixes: e9be74f5b129fe8a5388d588e68b1b7f5168a310
Closes: https://github.com/tukaani-project/xz/pull/141
2024-09-10 13:43:00 +03:00
Lasse Collin
68c54e45d0 Translations: Update Chinese (simplified) translation
Differences to the zh_CN.po file from the Translation Project:

  - Two uses of \v were fixed.

  - Missing "OPTS" translation in --riscv[=OPTS] was copied from
    previous lines.

  - "make update-po" was run to remove line numbers from comments.
2024-09-02 20:08:40 +03:00
Lasse Collin
2230692aa1 Translations: Update the Catalan translation
Differences to the ca.po file from the Translation Project:

  - An overlong line translating --filters-help was wrapped.

  - "make update-po" was used to remove line numbers from the comments
    to match the changes in fccebe2b4fd513488fc920e4dac32562ed3c7637
    and 093490b58271e9424ce38a7b1b38bcf61b9c86c6. xz.pot in the TP
    is older than these commits.
2024-09-02 19:40:50 +03:00
Lasse Collin
3e7723ce26 Update THANKS 2024-09-02 17:33:50 +03:00
Lasse Collin
d3e0e679b2 CMake: Don't install lzmadec.1 symlinks if XZ_TOOL_LZMADEC=OFF
Thanks-to: 榆柳松 (ZhengSen Wang) <wzhengsen@gmail.com>
Fixes: fb50c6ba1d4c9405e5b12b5988b01a3002638c5d
Closes: https://github.com/tukaani-project/xz/pull/134
2024-09-02 17:33:42 +03:00
Lasse Collin
acdf21033a CMake: Fix the build when XZ_TOOL_LZMADEC=OFF
Co-developed-by: 榆柳松 (ZhengSen Wang) <wzhengsen@gmail.com>
Fixes: fb50c6ba1d4c9405e5b12b5988b01a3002638c5d
Fixes: https://github.com/tukaani-project/xz/pull/134
2024-09-02 17:33:06 +03:00
Lasse Collin
5e37598750 Update THANKS 2024-08-22 11:01:07 +03:00
Yifeng Li
6cd7c86078 liblzma: Fix x86-64 movzw compatibility in range_decoder.h
Support for instruction "movzw" without suffix in "GNU as" was
added in commit [1] and stabilized in binutils 2.27, released
in August 2016. Earlier systems don't accept this instruction
without a suffix, making range_decoder.h's inline assembly
unable to build on old systems such as Ubuntu 16.04, creating
error messages like:

    lzma_decoder.c: Assembler messages:
    lzma_decoder.c:371: Error: no such instruction: `movzw 2(%r11),%esi'
    lzma_decoder.c:373: Error: no such instruction: `movzw 4(%r11),%edi'
    lzma_decoder.c:388: Error: no such instruction: `movzw 6(%r11),%edx'
    lzma_decoder.c:398: Error: no such instruction: `movzw (%r11,%r14,4),%esi'

Change "movzw" to "movzwl" for compatibility.

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c07315e0c610e0e3317b4c02266f81793df253d2

Suggested-by: Lasse Collin <lasse.collin@tukaani.org>
Tested-by: Yifeng Li <tomli@tomli.me>
Signed-off-by: Yifeng Li <tomli@tomli.me>
Fixes: 3182a330c1512cc1f5c87b5c5a272578e60a5158
Fixes: https://github.com/tukaani-project/xz/issues/121
Closes: https://github.com/tukaani-project/xz/pull/136
2024-08-22 10:59:08 +03:00
Lasse Collin
bf901dee5d Build: Comment that elf_aux_info(3) will be available on OpenBSD >= 7.6 2024-07-19 20:06:24 +03:00
Lasse Collin
f7103c2c2a Revert "liblzma: Add ARM64 CRC32 instruction support detection on OpenBSD"
This reverts commit dc03f6290f5b9bd3d50c7e12e58dee870889d599.

OpenBSD 7.6 will support elf_aux_info(3), and the detection code used
on FreeBSD will work on OpenBSD 7.6 too. Keep things simpler and drop
the OpenBSD-specific sysctl() method.

Thanks to Christian Weisgerber.
2024-07-19 20:06:24 +03:00
Lasse Collin
7c292dd0bf liblzma: Tweak a comment 2024-07-13 22:10:37 +03:00
Lasse Collin
6408edac55 CMake: Bump maximum policy version to 3.30 2024-07-11 22:17:56 +03:00
Lasse Collin
9231c39ffb CMake: Require CMake 3.20 or later
This allows a few cleanups.
2024-07-11 20:11:38 +03:00
Lasse Collin
028185dd48 Update THANKS 2024-07-09 14:27:51 +03:00
Lasse Collin
baecfa1426 xz: Remove the TODO comment about --recursive
It won't be implemented. find + xargs is more flexible, for example,
it allows compressing small files in parallel. An example for that
has been included in the xz man page since 2010.
2024-07-06 14:04:48 +03:00
Lasse Collin
f691d58fae Document --disable-loongarch-crc32 in INSTALL 2024-07-06 14:04:16 +03:00
Lasse Collin
b3e53122f4 CMake: Link xz against Threads::Threads if using pthreads
The liblzma target was recently changed to link against Threads::Threads
with the PRIVATE keyword. I had forgotten that xz itself depends on
pthreads too due to pthread_sigmask(). Thus, the build broke when
building shared liblzma and pthread_sigmask() wasn't in libc.

Thanks to Peter Seiderer for the bug report.

Fixes: ac05f1b0d7cda1e7ae79775a8dfecc54601d7f1c
Fixes: https://github.com/tukaani-project/xz/issues/129#issuecomment-2204522994
2024-07-03 20:45:48 +03:00
Lasse Collin
5742ec1fc7 Update THANKS 2024-07-02 22:49:33 +03:00
Lasse Collin
2d13d10357 CMake: Improve NLS error messages 2024-07-02 22:41:48 +03:00
Lasse Collin
628d8d2c4f CMake: Update the comment at the top of CMakeLists.txt
While po/*.gmo files won't be used from the release tarball,
the generated translated man pages will be used still. Those
are text files and po4a has slightly more dependencies than
gettext tools so installing po4a might be a bit more challenging
in some situations.
2024-07-02 22:41:48 +03:00
Lasse Collin
b4b23c94fd CMake: Drop support for pre-generated po/*.gmo files
When a release tarball is created using Autotools, the tarball includes
po/*.gmo files which are binary files generated from po/*.po. Other
tarball creation methods don't and won't create the .gmo files.

It feels clearer if CMake will never install pre-generated binary files
from the source package. If people are able to install CMake, they
likely are able to install gettext tools as well (assuming they want
translations).
2024-07-02 22:41:00 +03:00
Lasse Collin
fb99f8e8c5 CMake: Make XZ_NLS handling more robust
If a user set XZ_NLS=ON but find_package(Intl) failed or CMake version
wasn't at least 3.20, the configuration would fail in a cryptic way.

If XZ_NLS is enabled, require that CMake is new enough and that either
gettext tools or pre-generated .gmo files are available. Otherwise fail
the configuration. Previously missing gettext tools and .gmo files would
only result in a warning.

Missing man page translations are still only a warning.

Thanks to Peter Seiderer for the bug report.

Fixes: https://github.com/tukaani-project/xz/issues/129
Closes: https://github.com/tukaani-project/xz/pull/130
2024-07-02 22:40:37 +03:00