backport-CVE-2022-1271.patch

@@ -1,94 +0,0 @@
-From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
-From: Lasse Collin <lasse.collin@tukaani.org>
-Date: Tue, 29 Mar 2022 19:19:12 +0300
-Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
-
-Malicious filenames can make xzgrep to write to arbitrary files
-or (with a GNU sed extension) lead to arbitrary code execution.
-
-xzgrep from XZ Utils versions up to and including 5.2.5 are
-affected. 5.3.1alpha and 5.3.2alpha are affected as well.
-This patch works for all of them.
-
-This bug was inherited from gzip's zgrep. gzip 1.12 includes
-a fix for zgrep.
-
-The issue with the old sed script is that with multiple newlines,
-the N-command will read the second line of input, then the
-s-commands will be skipped because it's not the end of the
-file yet, then a new sed cycle starts and the pattern space
-is printed and emptied. So only the last line or two get escaped.
-
-One way to fix this would be to read all lines into the pattern
-space first. However, the included fix is even simpler: All lines
-except the last line get a backslash appended at the end. To ensure
-that shell command substitution doesn't eat a possible trailing
-newline, a colon is appended to the filename before escaping.
-The colon is later used to separate the filename from the grep
-output so it is fine to add it here instead of a few lines later.
-
-The old code also wasn't POSIX compliant as it used \n in the
-replacement section of the s-command. Using \<newline> is the
-POSIX compatible method.
-
-LC_ALL=C was added to the two critical sed commands. POSIX sed
-manual recommends it when using sed to manipulate pathnames
-because in other locales invalid multibyte sequences might
-cause issues with some sed implementations. In case of GNU sed,
-these particular sed scripts wouldn't have such problems but some
-other scripts could have, see:
-
-info '(sed)Locale Considerations'
-
-This vulnerability was discovered by:
-cleemy desu wayo working with Trend Micro Zero Day Initiative
-
-Thanks to Jim Meyering and Paul Eggert discussing the different
-ways to fix this and for coordinating the patch release schedule
-with gzip.
----
- src/scripts/xzgrep.in | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
-index 9db5c3a..f64dddb 100644
---- a/src/scripts/xzgrep.in
-+++ b/src/scripts/xzgrep.in
-@@ -179,22 +179,26 @@ for i; do
-          { test $# -eq 1 || test $no_filename -eq 1; }; then
-       eval "$grep"
-     else
-+      # Append a colon so that the last character will never be a newline
-+      # which would otherwise get lost in shell command substitution.
-+      i="$i:"
-+
-+      # Escape & \ | and newlines only if such characters are present
-+      # (speed optimization).
-       case $i in
-       (*'
- '* | *'&'* | *'\'* | *'|'*)
--        i=$(printf '%s\n' "$i" |
--            sed '
--              $!N
--              $s/[&\|]/\\&/g
--              $s/\n/\\n/g
--            ');;
-+        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
-       esac
--      sed_script="s|^|$i:|"
-+
-+      # $i already ends with a colon so don't add it here.
-+      sed_script="s|^|$i|"
- 
-       # Fail if grep or sed fails.
-       r=$(
-         exec 4>&1
--        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
-+        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
-+            LC_ALL=C sed "$sed_script" >&3 4>&-
-       ) || r=2
-       exit $r
-     fi >&3 5>&-
--- 
-1.8.3.1
-

backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch

@@ -1,60 +0,0 @@
-From 68bda971bb8b666a009331455fcedb4e18d837a4  Mon Sep 17 00:00:00 2001
-From: Jia Tan <jiat0218@gmail.com>
-Date: Mon, 28 Aug 2023 21:31:25 +0800
-Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
- lzma_index_append().
-
-This was not a security bug since there was no path to overflow
-UINT64_MAX in lzma_index_append() or when it calls index_file_size().
-The bug was discovered by a failing assert() in vli_ceil4() when called
-from index_file_size() when unpadded_sum (the sum of the compressed size
-of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
-
-Previously, the unpadded_size parameter was checked to be not greater
-than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
-added.
-
-This could not have caused an integer overflow in index_file_size() when
-called by lzma_index_append(). The calculation for file_size breaks down
-into the sum of:
-
-- Compressed base from all previous Streams
-- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
-  footer)
-- stream_padding (can be set by lzma_index_stream_padding())
-- Compressed base from the current Stream
-- Unpadded size (parameter to lzma_index_append())
-
-The sum of everything except for Unpadded size must be less than
-LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
-that can set these values including lzma_index_stream_padding(),
-lzma_index_append(), and lzma_index_cat(). The maximum value for
-Unpadded size is enforced by lzma_index_append() to be less than or
-equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
-LZMA_VLI_MAX is half of UINT64_MAX.
-
-Thanks to Joona Kannisto for reporting this.
----
- src/liblzma/common/index.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
-index a41e8f3..8c8ad46 100644
---- a/src/liblzma/common/index.c
-+++ b/src/liblzma/common/index.c
-@@ -656,6 +656,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
- 	const uint32_t index_list_size_add = lzma_vli_size(unpadded_size)
- 			+ lzma_vli_size(uncompressed_size);
- 
-+	// Check that the new unpadded sum will not overflow. This is
-+	// checked again in index_file_size(), but the unpadded sum is
-+	// passed to vli_ceil4() which expects a valid lzma_vli value.
-+	if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
-+		return LZMA_DATA_ERROR;
-+
- 	// Check that the file size will stay within limits.
- 	if (index_file_size(s->node.compressed_base,
- 			compressed_base + unpadded_size, s->record_count + 1,
--- 
-2.23.0
-

colorxzgrep.csh

@@ -1,5 +0,0 @@
-/usr/libexec/grepconf.sh -c
-if ( $status == 1 ) exit
-alias xzgrep 'xzgrep --color=auto'
-alias xzfgrep 'xzfgrep --color=auto'
-alias xzegrep 'xzegrep --color=auto'

colorxzgrep.sh

@@ -1,4 +0,0 @@
-/usr/libexec/grepconf.sh -c || return
-alias xzgrep='xzgrep --color=auto' 2>/dev/null
-alias xzegrep='xzegrep --color=auto' 2>/dev/null
-alias xzfgrep='xzfgrep --color=auto' 2>/dev/null

liblzma-Avoid-memcpy-NULL-foo-0-because-it-is-undefi.patch

@@ -0,0 +1,101 @@
+From 2a22de439ec63da1927b640eda309296a1e8dce5 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 13 May 2019 20:05:17 +0300
+Subject: [PATCH 14/14] liblzma: Avoid memcpy(NULL, foo, 0) because it is
+ undefined behavior.
+
+I should have always known this but I didn't. Here is an example
+as a reminder to myself:
+
+    int mycopy(void *dest, void *src, size_t n)
+    {
+        memcpy(dest, src, n);
+        return dest == NULL;
+    }
+
+In the example, a compiler may assume that dest != NULL because
+passing NULL to memcpy() would be undefined behavior. Testing
+with GCC 8.2.1, mycopy(NULL, NULL, 0) returns 1 with -O0 and -O1.
+With -O2 the return value is 0 because the compiler infers that
+dest cannot be NULL because it was already used with memcpy()
+and thus the test for NULL gets optimized out.
+
+In liblzma, if a null-pointer was passed to memcpy(), there were
+no checks for NULL *after* the memcpy() call, so I cautiously
+suspect that it shouldn't have caused bad behavior in practice,
+but it's hard to be sure, and the problematic cases had to be
+fixed anyway.
+
+Thanks to Jeffrey Walton.
+---
+ src/liblzma/common/common.c       |  6 +++++-
+ src/liblzma/lz/lz_decoder.c       | 12 +++++++++---
+ src/liblzma/simple/simple_coder.c | 10 +++++++++-
+ 3 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/src/liblzma/common/common.c b/src/liblzma/common/common.c
+index 1399b92..18453ae 100644
+--- a/src/liblzma/common/common.c
++++ b/src/liblzma/common/common.c
+@@ -99,7 +99,11 @@ lzma_bufcpy(const uint8_t *restrict in, size_t *restrict in_pos,
+ 	const size_t out_avail = out_size - *out_pos;
+ 	const size_t copy_size = my_min(in_avail, out_avail);
+ 
+-	memcpy(out + *out_pos, in + *in_pos, copy_size);
++	// Call memcpy() only if there is something to copy. If there is
++	// nothing to copy, in or out might be NULL and then the memcpy()
++	// call would trigger undefined behavior.
++	if (copy_size > 0)
++		memcpy(out + *out_pos, in + *in_pos, copy_size);
+ 
+ 	*in_pos += copy_size;
+ 	*out_pos += copy_size;
+diff --git a/src/liblzma/lz/lz_decoder.c b/src/liblzma/lz/lz_decoder.c
+index bb21d0d..6c9024e 100644
+--- a/src/liblzma/lz/lz_decoder.c
++++ b/src/liblzma/lz/lz_decoder.c
+@@ -91,11 +91,17 @@ decode_buffer(lzma_coder *coder,
+ 				in, in_pos, in_size);
+ 
+ 		// Copy the decoded data from the dictionary to the out[]
+-		// buffer.
++		// buffer. Do it conditionally because out can be NULL
++		// (in which case copy_size is always 0). Calling memcpy()
++		// with a null-pointer is undefined even if the third
++		// argument is 0.
+ 		const size_t copy_size = coder->dict.pos - dict_start;
+ 		assert(copy_size <= out_size - *out_pos);
+-		memcpy(out + *out_pos, coder->dict.buf + dict_start,
+-				copy_size);
++
++		if (copy_size > 0)
++			memcpy(out + *out_pos, coder->dict.buf + dict_start,
++					copy_size);
++
+ 		*out_pos += copy_size;
+ 
+ 		// Reset the dictionary if so requested by coder->lz.code().
+diff --git a/src/liblzma/simple/simple_coder.c b/src/liblzma/simple/simple_coder.c
+index 13ebabc..4f499be 100644
+--- a/src/liblzma/simple/simple_coder.c
++++ b/src/liblzma/simple/simple_coder.c
+@@ -118,7 +118,15 @@ simple_code(void *coder_ptr, const lzma_allocator *allocator,
+ 		// coder->pos and coder->size yet. This way the coder can be
+ 		// restarted if the next filter in the chain returns e.g.
+ 		// LZMA_MEM_ERROR.
+-		memcpy(out + *out_pos, coder->buffer + coder->pos, buf_avail);
++		//
++		// Do the memcpy() conditionally because out can be NULL
++		// (in which case buf_avail is always 0). Calling memcpy()
++		// with a null-pointer is undefined even if the third
++		// argument is 0.
++		if (buf_avail > 0)
++			memcpy(out + *out_pos, coder->buffer + coder->pos,
++					buf_avail);
++
+ 		*out_pos += buf_avail;
+ 
+ 		// Copy/Encode/Decode more data to out[].
+-- 
+1.8.3.1
+

xz.spec

@@ -1,15 +1,12 @@
 Name:           xz
-Version:        5.2.5
-Release:        4
+Version:        5.2.4
+Release:        10
 Summary:        A free general-purpose data compreession software with LZMA2 algorithm
 License:        Public Domain, LGPLv2.1 and GPLv2+
 URL:            http://tukaani.org/xz
 Source0:        http://tukaani.org/%{name}/%{name}-%{version}.tar.xz
-Source1:        colorxzgrep.sh
-Source2:        colorxzgrep.csh
 
-Patch6000:      backport-CVE-2022-1271.patch
-Patch6001:      backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
+Patch0:         liblzma-Avoid-memcpy-NULL-foo-0-because-it-is-undefi.patch
 
 BuildRequires:  perl-interpreter gcc
 
@@ -68,12 +65,6 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %install
 %make_install
 
-# config color alias for xz*grep
-%global profiledir %{_sysconfdir}/profile.d
-mkdir -p %{buildroot}%{profiledir}
-install -p -m 644 %{SOURCE1} %{buildroot}%{profiledir}
-install -p -m 644 %{SOURCE2} %{buildroot}%{profiledir}
-
 %find_lang %name
 
 %check
@@ -84,7 +75,6 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %doc %{_pkgdocdir}
 %license %{_pkgdocdir}/COPYING*
 %{_bindir}/*xz*
-%{profiledir}/*
 
 %exclude %_pkgdocdir/examples*
 %exclude %{_libdir}/*.la
@@ -108,34 +98,8 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %files help
 %{_mandir}/man1/*lz*
 %{_mandir}/man1/*xz*
-%{_mandir}/de/man1/*lz*
-%{_mandir}/de/man1/*xz*
 
 %changelog
-* Wed May 22 2024 kouwenqi <kouwenqi@kylinos.cn> - 5.2.5-4
-- Type:enhancement
-- CVE:NA
-- SUG:NA
-- DESC:Add overflow check for Unpadded size in lzma_index_append
-
-* Fri Sep 23 2022 wangjiang <wangjiang37@h-partners.com> - 5.2.5-3
-- Type:enhancement
-- CVE:NA
-- SUG:NA
-- DESC:config color alias for xz*grep
-
-* Fri Apr 15 2022 liudabo <liudabo1@h-partners.com> - 5.2.5-2
-- Type:CVE
-- ID:CVE-2022-1271
-- SUG:NA
-- DESC:Fix CVE-2022-1271
-
-* Thu Jul 23 2020 shixuantong <shixuantong@huawei.com> - 5.2.5-1
-- Type:NA
-- ID:NA
-- SUG:NA
-- DESC:update to  5.2.5-1
-
 * Sat Mar 21 2020 shenyangyang<shenyangyang4@huawei.com> - 5.2.4-10
 - Type:enhancement
 - ID:NA

xz.yaml

@@ -1,4 +0,0 @@
-version_control: github
-src_repo: xz-mirror/xz
-tag_prefix: ^v
-seperator: .