1
0
mirror of https://git.tukaani.org/xz.git synced 2025-10-25 02:22:55 +00:00

1301 Commits

Author SHA1 Message Date
Lasse Collin
bb66a98ded xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.

xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
This patch works for all of them.

This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.

The issue with the old sed script is that with multiple newlines,
the N-command will read the second line of input, then the
s-commands will be skipped because it's not the end of the
file yet, then a new sed cycle starts and the pattern space
is printed and emptied. So only the last line or two get escaped.

One way to fix this would be to read all lines into the pattern
space first. However, the included fix is even simpler: All lines
except the last line get a backslash appended at the end. To ensure
that shell command substitution doesn't eat a possible trailing
newline, a colon is appended to the filename before escaping.
The colon is later used to separate the filename from the grep
output so it is fine to add it here instead of a few lines later.

The old code also wasn't POSIX compliant as it used \n in the
replacement section of the s-command. Using \<newline> is the
POSIX compatible method.

LC_ALL=C was added to the two critical sed commands. POSIX sed
manual recommends it when using sed to manipulate pathnames
because in other locales invalid multibyte sequences might
cause issues with some sed implementations. In case of GNU sed,
these particular sed scripts wouldn't have such problems but some
other scripts could have, see:

    info '(sed)Locale Considerations'

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative

Thanks to Jim Meyering and Paul Eggert discussing the different
ways to fix this and for coordinating the patch release schedule
with gzip.
2022-07-12 19:47:28 +03:00
Lasse Collin
fa3af4e4c6 Update THANKS. 2022-07-12 19:45:26 +03:00
Lasse Collin
f12ce0f23a liblzma: Fix docs: lzma_block_decoder() cannot return LZMA_UNSUPPORTED_CHECK.
If Check is unsupported, it will be silently ignored.
It's the caller's job to handle it.
2022-07-12 19:30:40 +03:00
Lasse Collin
4125667311 liblzma: Index hash: Change return value type of hash_append() to void. 2022-07-12 19:30:40 +03:00
Lasse Collin
7c3ce02df0 liblzma: Minor addition to lzma_vli_size() API doc.
Thanks to Jia Tan.
2022-07-12 19:30:40 +03:00
Lasse Collin
b8f667fe0c liblzma: Check the return value of lzma_index_append() in threaded encoder.
If lzma_index_append() failed (most likely memory allocation failure)
it could have gone unnoticed and the resulting .xz file would have
an incorrect Index. Decompressing such a file would produce the
correct uncompressed data but then an error would occur when
verifying the Index field.
2022-07-12 19:30:40 +03:00
Lasse Collin
2356d53edd Update THANKS. 2022-07-12 19:30:40 +03:00
Ed Maste
748ef08338 liblzma: Use non-executable stack on FreeBSD as on Linux 2022-07-12 19:30:40 +03:00
Lasse Collin
068a6e3286 liblzma: Make Block decoder catch certain types of errors better.
Now it limits the input and output buffer sizes that are
passed to a raw decoder. This way there's no need to check
if the sizes can grow too big or overflow when updating
Compressed Size and Uncompressed Size counts. This also means
that a corrupt file cannot cause the raw decoder to process
useless extra input or output that would exceed the size info
in Block Header (and thus cause LZMA_DATA_ERROR anyway).

More importantly, now the size information is verified more
carefully in case raw decoder returns LZMA_OK. This doesn't
really matter with the current single-threaded .xz decoder
as the errors would be detected slightly later anyway. But
this helps avoiding corner cases in the upcoming threaded
decompressor, and it might help other Block decoder uses
outside liblzma too.

The test files bad-1-lzma2-{9,10,11}.xz test these conditions.
With the single-threaded .xz decoder the only difference is
that LZMA_DATA_ERROR is detected in a difference place now.
2022-07-12 19:30:40 +03:00
Lasse Collin
766df4f62c Tests: Add bad-1-lzma2-11.xz. 2022-07-12 19:30:40 +03:00
Lasse Collin
12a6d6ce2a Translations: Fix po4a failure with the French man page translations.
Thanks to Mario Blättermann for the patch.
2022-07-12 19:30:40 +03:00
Lasse Collin
00e6aad836 Translations: Add French translation of man pages.
This matches xz-utils 5.2.5-2 in Debian.

The translation was done by "bubu", proofread by the debian-l10n-french
mailing list contributors, and submitted to me on the xz-devel mailing
list by Jean-Pierre Giraud. Thanks to everyone!
2022-07-12 19:30:40 +03:00
jiat75
e20ce2b122 liblzma: Add NULL checks to LZMA and LZMA2 properties encoders.
Previously lzma_lzma_props_encode() and lzma_lzma2_props_encode()
assumed that the options pointers must be non-NULL because the
with these filters the API says it must never be NULL. It is
good to do these checks anyway.
2022-07-12 19:03:51 +03:00
huangqinjin
feb80ace86 CMake: Keep compatible with Windows 95 for 32-bit build. 2022-07-12 19:03:51 +03:00
Lasse Collin
725f2e0522 xzgrep: Update man page timestamp. 2022-07-12 19:01:09 +03:00
Lasse Collin
7955669d42 Update THANKS. 2022-07-12 19:01:09 +03:00
Ville Skyttä
671673a7a2 xzgrep: use grep -E/-F instead of egrep and fgrep
`egrep` and `fgrep` have been deprecated in GNU grep since 2007, and in
current post 3.7 Git they have been made to emit obsolescence warnings:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=a9515624709865d480e3142fd959bccd1c9372d1
2022-07-12 19:01:09 +03:00
Lasse Collin
45e538257e Update THANKS. 2022-07-12 19:01:09 +03:00
Lasse Collin
ca21733d24 xz: Change the coding style of the previous commit.
It isn't any better now but it's consistent with
the rest of the code base.
2022-07-12 19:01:09 +03:00
Alexander Bluhm
906b990b15 xz: Avoid fchown(2) failure.
OpenBSD does not allow to change the group of a file if the user
does not belong to this group.  In contrast to Linux, OpenBSD also
fails if the new group is the same as the old one.  Do not call
fchown(2) in this case, it would change nothing anyway.

This fixes an issue with Perl Alien::Build module.
https://github.com/PerlAlien/Alien-Build/issues/62
2022-07-12 19:01:09 +03:00
Lasse Collin
ca83df96c4 Update THANKS. 2022-07-12 19:01:09 +03:00
Lasse Collin
d8b294af03 liblzma: Use _MSVC_LANG to detect when "noexcept" can be used with MSVC.
By default, MSVC always sets __cplusplus to 199711L. The real
C++ standard version is available in _MSVC_LANG (or one could
use /Zc:__cplusplus to set __cplusplus correctly).

Fixes <https://sourceforge.net/p/lzmautils/discussion/708858/thread/f6bc3b108a/>.

Thanks to Dan Weiss.
2022-07-12 19:01:09 +03:00
Lasse Collin
c2fde22bef xzdiff: Update the man page about the exit status.
This was forgotten from 194029ffaf74282a81f0c299c07f73caca3232ca.
2022-07-12 19:01:09 +03:00
Lasse Collin
8d0fd42fbe xzless: Fix less(1) version detection when it contains a dot.
Sometimes the version number from "less -V" contains a dot,
sometimes not. xzless failed detect the version number when
it does contain a dot. This fixes it.

Thanks to nick87720z for reporting this. Apparently it had been
reported here <https://bugs.gentoo.org/489362> in 2013.
2022-07-12 19:01:09 +03:00
Lasse Collin
6e2cab8579 xz: Document the special memlimit case of 2000 MiB on MIPS32.
See commit 95806a8a52ae57bddf6c77dfd19cf7938a92e040.
2022-07-12 18:57:21 +03:00
Lasse Collin
38b311462b Update THANKS. 2022-07-12 18:53:41 +03:00
Ivan A. Melnikov
95806a8a52 Reduce maximum possible memory limit on MIPS32
Due to architectural limitations, address space available to a single
userspace process on MIPS32 is limited to 2 GiB, not 4, even on systems
that have more physical RAM -- e.g. 64-bit systems with 32-bit
userspace, or systems that use XPA (an extension similar to x86's PAE).

So, for MIPS32, we have to impose stronger memory limits. I've chosen
2000MiB to give the process some headroom.
2022-07-12 18:53:41 +03:00
Lasse Collin
a79bd30a6f CMake: Use interface library for better FindLibLZMA compatibility.
https://www.mail-archive.com/xz-devel@tukaani.org/msg00446.html

Thanks to Markus Rickert.
2022-07-12 18:44:47 +03:00
Lasse Collin
64d9814761 CMake: Try to improve compatibility with the FindLibLZMA module.
The naming conflict with FindLibLZMA module gets worse.
Not avoiding it in the first place was stupid.

Normally find_package(LibLZMA) will use the module and
find_package(liblzma 5.2.5 REQUIRED CONFIG) will use the config
file even with a case insensitive file system. However, if
CMAKE_FIND_PACKAGE_PREFER_CONFIG is TRUE and the file system
is case insensitive, find_package(LibLZMA) will find our liblzma
config file instead of using FindLibLZMA module.

One big problem with this is that FindLibLZMA uses
LibLZMA::LibLZMA and we use liblzma::liblzma as the target
name. With target names CMake happens to be case sensitive.
To workaround this, this commit adds

    add_library(LibLZMA::LibLZMA ALIAS liblzma::liblzma)

to the config file. Then both spellings work.

To make the behavior consistent between case sensitive and
insensitive file systems, the config and related files are
renamed from liblzmaConfig.cmake to liblzma-config.cmake style.
With this style CMake looks for lowercase version of the package
name so find_package(LiBLzmA 5.2.5 REQUIRED CONFIG) will work
to find our config file.

There are other differences between our config file and
FindLibLZMA so it's still possible that things break for
reasons other than the spelling of the target name. Hopefully
those situations aren't too common.

When the config file is available, it should always give as good or
better results as FindLibLZMA so this commit doesn't affect the
recommendation to use find_package(liblzma 5.2.5 REQUIRED CONFIG)
which explicitly avoids FindLibLZMA.

Thanks to Markus Rickert.
2022-07-12 18:44:47 +03:00
Lasse Collin
9e2f9e2d08 Tests: Add bad-1-lzma2-10.xz and also modify -9.xz. 2022-07-12 18:44:13 +03:00
Lasse Collin
00a4c69bbb Tests: Add bad-1-lzma2-9.xz. 2022-07-12 18:43:50 +03:00
Lasse Collin
1da2269b2e Tests: Add bad-1-check-crc32-2.xz. 2022-07-12 18:43:50 +03:00
Lasse Collin
11ceecb5e2 Scripts: Add zstd support to xzdiff. 2022-07-12 18:42:21 +03:00
Lasse Collin
d655b8c9cb Scripts: Fix exit status of xzgrep.
Omit the -q option from xz, gzip, and bzip2. With xz this shouldn't
matter. With gzip it's important because -q makes gzip replace SIGPIPE
with exit status 2. With bzip2 it's important because with -q bzip2
is completely silent if input is corrupt while other decompressors
still give an error message.

Avoiding exit status 2 from gzip is important because bzip2 uses
exit status 2 to indicate corrupt input. Before this commit xzgrep
didn't recognize corrupt .bz2 files because xzgrep was treating
exit status 2 as SIGPIPE for gzip compatibility.

zstd still needs -q because otherwise it is noisy in normal
operation.

The code to detect real SIGPIPE didn't check if the exit status
was due to a signal (>= 128) and so could ignore some other exit
status too.
2022-07-12 18:30:56 +03:00
Lasse Collin
09c331b03c Scripts: Fix exit status of xzdiff/xzcmp.
This is a minor fix since this affects only the situation when
the files differ and the exit status is something else than 0.
In such case there could be SIGPIPE from a decompression tool
and that would result in exit status of 2 from xzdiff/xzcmp
while the correct behavior would be to return 1 or whatever
else diff or cmp may have returned.

This commit omits the -q option from xz/gzip/bzip2/lzop arguments.
I'm not sure why the -q was used in the first place, perhaps it
hides warnings in some situation that I cannot see at the moment.
Hopefully the removal won't introduce a new bug.

With gzip the -q option was harmful because it made gzip return 2
instead of >= 128 with SIGPIPE. Ignoring exit status 2 (warning
from gzip) isn't practical because bzip2 uses exit status 2 to
indicate corrupt input file. It's better if SIGPIPE results in
exit status >= 128.

With bzip2 the removal of -q seems to be good because with -q
it prints nothing if input is corrupt. The other tools aren't
silent in this situation even with -q. On the other hand, if
zstd support is added, it will need -q since otherwise it's
noisy in normal situations.

Thanks to Étienne Mollier and Sebastian Andrzej Siewior.
2022-07-12 18:30:56 +03:00
Lasse Collin
b33a345cba Update THANKS. 2022-07-12 18:30:56 +03:00
H.J. Lu
c01e29a933 liblzma: Enable Intel CET in x86 CRC assembly codes
When Intel CET is enabled, we need to include <cet.h> in assembly codes
to mark Intel CET support and add _CET_ENDBR to indirect jump targets.

Tested on Intel Tiger Lake under CET enabled Linux.
2022-07-12 18:30:56 +03:00
Lasse Collin
0983682f87 Update THANKS. 2022-07-12 18:30:56 +03:00
Lasse Collin
880596e4b8 Build: Don't build bundles on Apple OSes.
Thanks to Daniel Packard.
2022-07-12 18:30:56 +03:00
Lasse Collin
29050c79f1 Update THANKS. 2022-07-12 18:30:56 +03:00
Adam Borowski
94fd724749 Scripts: Add zstd support to xzgrep.
Thanks to Adam Borowski.
2022-07-12 18:30:56 +03:00
Lasse Collin
13c58ac13e CMake: Fix compatibility with CMake 3.13.
The syntax "if(DEFINED CACHE{FOO})" requires CMake 3.14.
In some other places the code treats the cache variables
like normal variables already (${FOO} or if(FOO) is used,
not ${CACHE{FOO}).

Thanks to ygrek for reporting the bug on IRC.
2022-07-12 18:11:36 +03:00
Lasse Collin
8f7d3345a7 Update THANKS. 2022-07-12 18:10:08 +03:00
Lasse Collin
ca7bcdb30f xz: Avoid unneeded \f escapes on the man page.
I don't want to use \c in macro arguments but groff_man(7)
suggests that \f has better portability. \f would be needed
for the .TP strings for portability reasons anyway.

Thanks to Bjarni Ingi Gislason.
2022-07-12 18:10:08 +03:00
Lasse Collin
3b40a0792e xz: Use non-breaking spaces when intentionally using more than one space.
This silences some style checker warnings. Seems that spaces
in the beginning of a line don't need this treatment.

Thanks to Bjarni Ingi Gislason.
2022-07-12 18:10:08 +03:00
Lasse Collin
d85699c36d xz: Protect the ellipsis (...) on the man page with \&.
This does it only when ... appears outside macro calls.

Thanks to Bjarni Ingi Gislason.
2022-07-12 18:10:08 +03:00
Lasse Collin
d996ae6617 xz: Avoid the abbreviation "e.g." on the man page.
A few are simply omitted, most are converted to "for example"
and surrounded with commas. Sounds like that this is better
style, for example, man-pages(7) recommends avoiding such
abbreviations except in parenthesis.

Thanks to Bjarni Ingi Gislason.
2022-07-12 18:09:21 +03:00
Lasse Collin
d16d0d198a xz man page: Change \- (minus) to \(en (en-dash) for a numeric range.
Docs of ancient troff/nroff mention \(em (em-dash) but not \(en
and \- was used for both minus and en-dash. I don't know how
portable \(en is nowadays but it can be changed back if someone
complains. At least GNU groff and OpenBSD's mandoc support it.

Thanks to Bjarni Ingi Gislason for the patch.
2022-07-12 18:09:21 +03:00
Lasse Collin
3acf1adfc7 Windows: Fix building of resource files when config.h isn't used.
Now CMake + Visual Studio works for building liblzma.dll.

Thanks to Markus Rickert.
2022-07-12 18:09:21 +03:00
Lasse Collin
adba06e649 src/scripts/xzgrep.1: Filenames to xzgrep are optional.
xzgrep --help was correct already.
2022-07-12 18:09:21 +03:00