XZ Utils Release Notes
======================
+5.2.6 (2022-08-12)
+
+ * xz:
+
+ - The --keep option now accepts symlinks, hardlinks, and
+ setuid, setgid, and sticky files. Previously this required
+ using --force.
+
+ - When copying metadata from the source file to the destination
+ file, don't try to set the group (GID) if it is already set
+ correctly. This avoids a failure on OpenBSD (and possibly on
+ a few other OSes) where files may get created so that their
+ group doesn't belong to the user, and fchown(2) can fail even
+ if it needs to do nothing.
+
+ - Cap --memlimit-compress to 2000 MiB instead of 4020 MiB on
+ MIPS32 because on MIPS32 userspace processes are limited
+ to 2 GiB of address space.
+
+ * liblzma:
+
+ - Fixed a missing error-check in the threaded encoder. If a
+ small memory allocation fails, a .xz file with an invalid
+ Index field would be created. Decompressing such a file would
+ produce the correct output but result in an error at the end.
+ Thus this is a "mild" data corruption bug. Note that while
+ a failed memory allocation can trigger the bug, it cannot
+ cause invalid memory access.
+
+ - The decoder for .lzma files now supports files that have
+ uncompressed size stored in the header and still use the
+ end of payload marker (end of stream marker) at the end
+ of the LZMA stream. Such files are rare but, according to
+ the documentation in LZMA SDK, they are valid.
+ doc/lzma-file-format.txt was updated too.
+
+ - Improved 32-bit x86 assembly files:
+ * Support Intel Control-flow Enforcement Technology (CET)
+ * Use non-executable stack on FreeBSD.
+
+ - Visual Studio: Use non-standard _MSVC_LANG to detect C++
+ standard version in the lzma.h API header. It's used to
+ detect when "noexcept" can be used.
+
+ * xzgrep:
+
+ - Fixed arbitrary command injection via a malicious filename
+ (CVE-2022-1271, ZDI-CAN-16587). A standalone patch for
+ this was released to the public on 2022-04-07. A slight
+ robustness improvement has been made since then and, if
+ using GNU or *BSD grep, a new faster method is now used
+ that doesn't use the old sed-based construct at all. This
+ also fixes bad output with GNU grep >= 3.5 (2020-09-27)
+ when xzgrepping binary files.
+
+ This vulnerability was discovered by:
+ cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+ - Fixed detection of corrupt .bz2 files.
+
+ - Improved error handling to fix exit status in some situations
+ and to fix handling of signals: in some situations a signal
+ didn't make xzgrep exit when it clearly should have. It's
+ possible that the signal handling still isn't quite perfect
+ but hopefully it's good enough.
+
+ - Documented exit statuses on the man page.
+
+ - xzegrep and xzfgrep now use "grep -E" and "grep -F" instead
+ of the deprecated egrep and fgrep commands.
+
+ - Fixed parsing of the options -E, -F, -G, -P, and -X. The
+ problem occurred when multiple options were specied in
+ a single argument, for example,
+
+ echo foo | xzgrep -Fe foo
+
+ treated foo as a filename because -Fe wasn't correctly
+ split into -F -e.
+
+ - Added zstd support.
+
+ * xzdiff/xzcmp:
+
+ - Fixed wrong exit status. Exit status could be 2 when the
+ correct value is 1.
+
+ - Documented on the man page that exit status of 2 is used
+ for decompression errors.
+
+ - Added zstd support.
+
+ * xzless:
+
+ - Fix less(1) version detection. It failed if the version number
+ from "less -V" contained a dot.
+
+ * Translations:
+
+ - Added new translations: Catalan, Croatian, Esperanto,
+ Korean, Portuguese, Romanian, Serbian, Spanish, Swedish,
+ and Ukrainian
+
+ - Updated the Brazilian Portuguese translation.
+
+ - Added French man page translation. This and the existing
+ German translation aren't complete anymore because the
+ English man pages got a few updates and the translators
+ weren't reached so that they could update their work.
+
+ * Build systems:
+
+ - Windows: Fix building of resource files when config.h isn't
+ used. CMake + Visual Studio can now build liblzma.dll.
+
+ - Various fixes to the CMake support. Building static or shared
+ liblzma should work fine in most cases. In contrast, building
+ the command line tools with CMake is still clearly incomplete
+ and experimental and should be used for testing only.
+
+
+5.2.5 (2020-03-17)
+
+ * liblzma:
+
+ - Fixed several C99/C11 conformance bugs. Now the code is clean
+ under gcc/clang -fsanitize=undefined. Some of these changes
+ might have a negative effect on performance with old GCC
+ versions or compilers other than GCC and Clang. The configure
+ option --enable-unsafe-type-punning can be used to (mostly)
+ restore the old behavior but it shouldn't normally be used.
+
+ - Improved API documentation of lzma_properties_decode().
+
+ - Added a very minor encoder speed optimization.
+
+ * xz:
+
+ - Fixed a crash in "xz -dcfv not_an_xz_file". All four options
+ were required to trigger it. The crash occurred in the
+ progress indicator code when xz was in passthru mode where
+ xz works like "cat".
+
+ - Fixed an integer overflow with 32-bit off_t. It could happen
+ when decompressing a file that has a long run of zero bytes
+ which xz would try to write as a sparse file. Since the build
+ system enables large file support by default, off_t is
+ normally 64-bit even on 32-bit systems.
+
+ - Fixes for --flush-timeout:
+ * Fix semi-busy-waiting.
+ * Avoid unneeded flushes when no new input has arrived
+ since the previous flush was completed.
+
+ - Added a special case for 32-bit xz: If --memlimit-compress is
+ used to specify a limit that exceeds 4020 MiB, the limit will
+ be set to 4020 MiB. The values "0" and "max" aren't affected
+ by this and neither is decompression. This hack can be
+ helpful when a 32-bit xz has access to 4 GiB address space
+ but the specified memlimit exceeds 4 GiB. This can happen
+ e.g. with some scripts.
+
+ - Capsicum sandbox is now enabled by default where available
+ (FreeBSD >= 10). The sandbox debug messages (xz -vv) were
+ removed since they seemed to be more annoying than useful.
+
+ - DOS build now requires DJGPP 2.05 instead of 2.04beta.
+ A workaround for a locale problem with DJGPP 2.05 was added.
+
+ * xzgrep and other scripts:
+
+ - Added a configure option --enable-path-for-scripts=PREFIX.
+ It is disabled by default except on Solaris where the default
+ is /usr/xpg4/bin. See INSTALL for details.
+
+ - Added a workaround for a POSIX shell detection problem on
+ Solaris.
+
+ * Build systems:
+
+ - Added preliminary build instructions for z/OS. See INSTALL
+ section 1.2.9.
+
+ - Experimental CMake support was added. It should work to build
+ static liblzma on a few operating systems. It may or may not
+ work to build shared liblzma. On some platforms it can build
+ xz and xzdec too but those are only for testing. See the
+ comment in the beginning of CMakeLists.txt for details.
+
+ - Visual Studio project files were updated.
+ WindowsTargetPlatformVersion was removed from VS2017 files
+ and set to "10.0" in the added VS2019 files. In the future
+ the VS project files will be removed when CMake support is
+ good enough.
+
+ - New #defines in config.h: HAVE___BUILTIN_ASSUME_ALIGNED,
+ HAVE___BUILTIN_BSWAPXX, and TUKLIB_USE_UNSAFE_TYPE_PUNNING.
+
+ - autogen.sh has a new optional dependency on po4a and a new
+ option --no-po4a to skip that step. This matters only if one
+ wants to remake the build files. po4a is used to update the
+ translated man pages but as long as the man pages haven't
+ been modified, there's nothing to update and one can use
+ --no-po4a to avoid the dependency on po4a.
+
+ * Translations:
+
+ - XZ Utils translations are now handled by the Translation
+ Project: https://translationproject.org/domain/xz.html
+
+ - All man pages are now included in German too.
+
+ - New xz translations: Brazilian Portuguese, Finnish,
+ Hungarian, Chinese (simplified), Chinese (traditional),
+ and Danish (partial translation)
+
+ - Updated xz translations: French, German, Italian, and Polish
+
+ - Unfortunately a few new xz translations weren't included due
+ to technical problems like too long lines in --help output or
+ misaligned column headings in tables. In the future, many of
+ these strings will be split and e.g. the table column
+ alignment will be handled in software. This should make the
+ strings easier to translate.
+
+
5.2.5 (2020-03-17)
* liblzma:
projects / thirdparty / xz.git / commitdiff
