commit 7404f16e1ad647db6776e667758dc2fab302781b Author: Toshaan Bharvani Date: Mon Jul 4 17:57:20 2022 +0200 initial paackage creation Signed-off-by: Toshaan Bharvani diff --git a/SOURCES/colorxzgrep.csh b/SOURCES/colorxzgrep.csh new file mode 100644 index 0000000..a3964dc --- /dev/null +++ b/SOURCES/colorxzgrep.csh @@ -0,0 +1,5 @@ +/usr/libexec/grepconf.sh -c +if ( $status == 1 ) exit +alias xzgrep 'xzgrep --color=auto' +alias xzfgrep 'xzfgrep --color=auto' +alias xzegrep 'xzegrep --color=auto' diff --git a/SOURCES/colorxzgrep.sh b/SOURCES/colorxzgrep.sh new file mode 100644 index 0000000..4a91d70 --- /dev/null +++ b/SOURCES/colorxzgrep.sh @@ -0,0 +1,4 @@ +/usr/libexec/grepconf.sh -c || return +alias xzgrep='xzgrep --color=auto' 2>/dev/null +alias xzegrep='xzegrep --color=auto' 2>/dev/null +alias xzfgrep='xzfgrep --color=auto' 2>/dev/null diff --git a/SOURCES/xz-5.2.5-cve-2022-1271.patch b/SOURCES/xz-5.2.5-cve-2022-1271.patch new file mode 100644 index 0000000..406ded5 --- /dev/null +++ b/SOURCES/xz-5.2.5-cve-2022-1271.patch @@ -0,0 +1,94 @@ +From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using \ is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. +--- + src/scripts/xzgrep.in | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in +index b180936..e5186ba 100644 +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -180,22 +180,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- +-- +2.35.1 + diff --git a/SOURCES/xz-5.2.5-enable_CET.patch b/SOURCES/xz-5.2.5-enable_CET.patch new file mode 100644 index 0000000..e0b3265 --- /dev/null +++ b/SOURCES/xz-5.2.5-enable_CET.patch @@ -0,0 +1,70 @@ +From: H.J. Lu +Date: Wed, 23 Dec 2020 15:49:04 +0100 (06:49 -0800) +Subject: [PATCH] liblzma: Enable Intel CET in x86 CRC assembly codes + +When Intel CET is enabled, we need to include in assembly codes +to mark Intel CET support and add _CET_ENDBR to indirect jump targets. + +Tested on Intel Tiger Lake under CET enabled Linux. +--- + src/liblzma/check/crc32_x86.S | 9 +++++++++ + src/liblzma/check/crc64_x86.S | 9 +++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/src/liblzma/check/crc32_x86.S b/src/liblzma/check/crc32_x86.S +index 67f68a4..e3745e6 100644 +--- a/src/liblzma/check/crc32_x86.S ++++ b/src/liblzma/check/crc32_x86.S +@@ -51,6 +51,14 @@ init_table(void) + * extern uint32_t lzma_crc32(const uint8_t *buf, size_t size, uint32_t crc); + */ + ++/* When Intel CET is enabled, include in assembly code to mark ++ Intel CET support. */ ++#ifdef __CET__ ++# include ++#else ++# define _CET_ENDBR ++#endif ++ + /* + * On some systems, the functions need to be prefixed. The prefix is + * usually an underscore. +@@ -83,6 +91,7 @@ init_table(void) + + ALIGN(4, 16) + LZMA_CRC32: ++ _CET_ENDBR + /* + * Register usage: + * %eax crc +diff --git a/src/liblzma/check/crc64_x86.S b/src/liblzma/check/crc64_x86.S +index f5bb84b..7ee08f6 100644 +--- a/src/liblzma/check/crc64_x86.S ++++ b/src/liblzma/check/crc64_x86.S +@@ -41,6 +41,14 @@ init_table(void) + * extern uint64_t lzma_crc64(const uint8_t *buf, size_t size, uint64_t crc); + */ + ++/* When Intel CET is enabled, include in assembly code to mark ++ Intel CET support. */ ++#ifdef __CET__ ++# include ++#else ++# define _CET_ENDBR ++#endif ++ + /* + * On some systems, the functions need to be prefixed. The prefix is + * usually an underscore. +@@ -73,6 +81,7 @@ init_table(void) + + ALIGN(4, 16) + LZMA_CRC64: ++ _CET_ENDBR + /* + * Register usage: + * %eax crc LSB +-- +2.26.0 + diff --git a/SPECS/xz.spec b/SPECS/xz.spec new file mode 100644 index 0000000..9b3d811 --- /dev/null +++ b/SPECS/xz.spec @@ -0,0 +1,404 @@ +# Not needed for f21+ and probably RHEL8+ +%{!?_licensedir:%global license %%doc} + +Summary: LZMA compression utilities +Name: xz +Version: 5.2.5 +Release: 8%{?dist} + +# Scripts xz{grep,diff,less,more} and symlinks (copied from gzip) are +# GPLv2+, binaries are Public Domain (linked against LGPL getopt_long but its +# OK), documentation is Public Domain. +License: GPLv2+ and Public Domain +# official upstream release +Source0: https://tukaani.org/%{name}/%{name}-%{version}.tar.xz + +Source100: colorxzgrep.sh +Source101: colorxzgrep.csh + +Patch1: xz-5.2.5-enable_CET.patch +Patch2: xz-5.2.5-cve-2022-1271.patch + +URL: https://tukaani.org/%{name}/ +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +# For /usr/libexec/grepconf.sh (RHBZ#1189120). +# Unfortunately F21 has a newer version of grep which doesn't +# have grepconf, but we're only concerned with F22 here. +Requires: grep >= 2.20-5 + +BuildRequires: make +BuildRequires: gcc +BuildRequires: perl-interpreter + + +%description +XZ Utils are an attempt to make LZMA compression easy to use on free (as in +freedom) operating systems. This is achieved by providing tools and libraries +which are similar to use than the equivalents of the most popular existing +compression algorithms. + +LZMA is a general purpose compression algorithm designed by Igor Pavlov as +part of 7-Zip. It provides high compression ratio while keeping the +decompression speed fast. + + +%package libs +Summary: Libraries for decoding LZMA compression +License: Public Domain +Obsoletes: %{name}-compat-libs < %{version}-%{release} + +%description libs +Libraries for decoding files compressed with LZMA or XZ utils. + + +%package static +Summary: Statically linked library for decoding LZMA compression +License: Public Domain + +%description static +Statically linked library for decoding files compressed with LZMA or +XZ utils. Most users should *not* install this. + + +%package devel +Summary: Devel libraries & headers for liblzma +License: Public Domain +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +Devel libraries and headers for liblzma. + + +%package lzma-compat +Summary: Older LZMA format compatibility binaries +# Just a set of symlinks to 'xz' + two Public Domain binaries. +License: Public Domain +Requires: %{name}%{?_isa} = %{version}-%{release} +Obsoletes: lzma < %{version} +Provides: lzma = %{version} + +%description lzma-compat +The lzma-compat package contains compatibility links for older +commands that deal with the older LZMA format. + + +%prep +%autosetup -p1 + + +%build +export CFLAGS="%optflags" + +%ifarch %{power64} + CFLAGS="$CFLAGS -O3" +%endif + +%ifarch %ix86 + # rhbz#1630650, annocheck reports the following message because liblzma uses + # crc*_x86.S asm code on i686: + CFLAGS="$CFLAGS -Wa,--generate-missing-build-notes=yes" +%endif + +%configure +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool +%make_build + + +%install +%make_install +rm -f %{buildroot}%{_libdir}/*.la + +# xzgrep colorization +%global profiledir %{_sysconfdir}/profile.d +mkdir -p %{buildroot}%{profiledir} +install -p -m 644 %{SOURCE100} %{buildroot}%{profiledir} +install -p -m 644 %{SOURCE101} %{buildroot}%{profiledir} + +%find_lang %name + + +%check +LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check + +%ldconfig_scriptlets libs + + +%files -f %{name}.lang +%license COPYING* +%doc %{_pkgdocdir} +%exclude %_pkgdocdir/examples* +%{_bindir}/*xz* +%{_mandir}/man1/*xz* +%{_mandir}/de/man1/*xz* +%{profiledir}/* + + +%files libs +%license COPYING +%{_libdir}/lib*.so.5* + + +%files static +%license COPYING +%{_libdir}/liblzma.a + + +%files devel +%dir %{_includedir}/lzma +%{_includedir}/lzma/*.h +%{_includedir}/lzma.h +%{_libdir}/*.so +%{_libdir}/pkgconfig/liblzma.pc +%doc %_pkgdocdir/examples* + + +%files lzma-compat +%{_bindir}/*lz* +%{_mandir}/man1/*lz* +%{_mandir}/de/man1/*lz* + + +%changelog +* Tue May 31 2022 Matej Mužila - 5.2.5-8 +- Fix arbitrary file write vulnerability + Resolves: CVE-2022-1271 + +* Tue Aug 10 2021 Mohan Boddu - 5.2.5-7 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 5.2.5-6 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Thu Jan 28 2021 Fedora Release Engineering - 5.2.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jan 04 2021 Ondrej Dubaj - 5.2.5-4 +- Enabled CET for i686 (#1910368) + +* Wed Jul 29 2020 Fedora Release Engineering - 5.2.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jun 8 2020 Richard W.M. Jones - 5.2.5-2 +- Fix location of German man pages (RHBZ#1844813). + +* Mon Mar 30 2020 Ondrej Dubaj - 5.2.5-1 +- Rebase to version 5.2.5 (#1818418) + +* Fri Jan 31 2020 Fedora Release Engineering - 5.2.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Aug 21 2019 Petr Kubat - 5.2.4-7 +- Use relative path for COPYING files so that rpm moves them to correct place + Related: rhbz#1741074 + +* Sat Jul 27 2019 Fedora Release Engineering - 5.2.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 5.2.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Nov 22 2018 Pavel Raiskup - 5.2.4-4 +- fix annocheck failures on i686 (rhbz#1630650) + +* Sat Jul 14 2018 Fedora Release Engineering - 5.2.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed May 09 2018 Pavel Raiskup - 5.2.4-2 +- drop ppc64p7 hack, per fedora devel list discussion: + https://lists.fedoraproject.org/archives/list/ + devel@lists.fedoraproject.org/thread/2OWD2QRDFBEC6HTPVQ7FMJENH32BWT54/ +- don't explicitly set _FILE_OFFSET_BITS, package uses AC_SYS_LARGEFILE + +* Tue May 08 2018 Pavel Raiskup - 5.2.4-1 +- rebase to 5.2.4 (rhbz#1574039), per release notes: + https://www.mail-archive.com/xz-devel@tukaani.org/msg00295.html + +* Fri Feb 09 2018 Fedora Release Engineering - 5.2.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Feb 02 2018 Igor Gnatenko - 5.2.3-6 +- Switch to %%ldconfig_scriptlets + +* Wed Sep 13 2017 Vasiliy N. Glazov - 5.2.3.-5 +- Cleanup spec + +* Thu Aug 03 2017 Fedora Release Engineering - 5.2.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 5.2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 5.2.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Jan 02 2017 Pavel Raiskup - 5.2.3-1 +- rebase to stable 5.2.3 per release notes: + http://www.mail-archive.com/xz-devel@tukaani.org/msg00285.html + +* Mon Nov 28 2016 Lubomir Rintel - 5.2.2-3 +- Fix FTBFS by requiring Perl + +* Fri Feb 05 2016 Fedora Release Engineering - 5.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Sep 29 2015 Pavel Raiskup - 5.2.2-1 +- rebase to stable 5.2.2 per release notes: + http://www.mail-archive.com/xz-devel@tukaani.org/msg00244.html + +* Thu Jul 09 2015 Pavel Raiskup - 5.2.1-3 +- remove xz-compat-libs as it is not necessary (#1179193) + +* Fri Jun 19 2015 Fedora Release Engineering - 5.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Feb 27 2015 Pavel Raiskup - 5.2.1-1 +- bugfix rebase to 5.2.1, per release notes + http://www.mail-archive.com/xz-devel@tukaani.org/msg00226.html + +* Wed Feb 04 2015 Richard W.M. Jones - 5.2.0-2 +- Depend on grep that contains grepconf.sh (#1189120) + +* Tue Dec 23 2014 Pavel Raiskup - 5.2.0-1 +- rebase per upstream release notes (#1023718) + http://www.mail-archive.com/xz-devel@tukaani.org/msg00216.html +- fedora-review fixes, documentation/license fixes in spec + +* Tue Aug 26 2014 Pavel Raiskup - 5.1.2-15alpha +- xz*grep's output is colored iff grep's is (#1034846) + +* Mon Aug 18 2014 Fedora Release Engineering - 5.1.2-14alpha +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 6 2014 Tom Callaway - 5.1.2-13alpha +- fix license handling + +* Fri Jun 13 2014 Pavel Raiskup - 5.1.2-12alpha +- xzgrep: return 0 when at least one file matches (#1109122) + +* Sun Jun 08 2014 Fedora Release Engineering - 5.1.2-11alpha +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat May 31 2014 Peter Robinson 5.1.2-10alpha +- Drop ChangeLog, it's big and the excitement is summarised in NEWS + +* Fri May 16 2014 Richard W.M. Jones - 5.1.2-9alpha +- Add a -static subpackage (see RHBZ#547011). + +* Wed Apr 02 2014 Pavel Raiskup - 5.1.2-8alpha +- add _isa requirements where appropriate +- better check the version of less binary (#1015924) + +* Fri Jan 10 2014 Pavel Raiskup - 5.1.2-7alpha +- build with -O3 on ppc64 (private #1051078) + +* Sun Aug 04 2013 Fedora Release Engineering - 5.1.2-6alpha +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Apr 09 2013 Pavel Raiskup - 5.1.2-5alpha +- fix manual page inconsistencies with help output (private #948533) +- enable/fix the 'xzgrep -h' (private #850898) + +* Thu Feb 21 2013 Karsten Hopp 5.1.2-4alpha +- add support for ppc64p7 arch (Power7 optimized) + +* Fri Feb 15 2013 Fedora Release Engineering - 5.1.2-3alpha +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sun Jul 22 2012 Fedora Release Engineering - 5.1.2-2alpha +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jul 05 2012 Jindrich Novy 5.1.2alpha-1 +- update to 5.1.2alpha + +* Sat Jan 14 2012 Fedora Release Engineering - 5.1.1-2alpha +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Sun Oct 16 2011 Jindrich Novy 5.1.1alpha-1 +- update to 5.1.1alpha + +* Mon Jun 20 2011 Jindrich Novy 5.0.3-2 +- better to have upstream tarballs in different formats than XZ + to allow bootstrapping (#714765) + +* Mon May 23 2011 Jindrich Novy 5.0.3-1 +- update to 5.0.3 + +* Mon Apr 04 2011 Jindrich Novy 5.0.2-1 +- update to 5.0.2 + +* Tue Feb 08 2011 Fedora Release Engineering - 5.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Sat Jan 29 2011 Jindrich Novy 5.0.1-1 +- update to 5.0.1 + +* Tue Oct 26 2010 Jindrich Novy 5.0.0-4 +- call ldconfig for compat-libs and fix description + +* Mon Oct 25 2010 Jindrich Novy 5.0.0-3 +- introduce compat-libs subpackage with older soname to + resolve problems with soname bump and for packages requiring + older xz-4.999.9beta + +* Mon Oct 25 2010 Jindrich Novy 5.0.0-2 +- rebuild + +* Mon Oct 25 2010 Jindrich Novy 5.0.0-1 +- update to the new upstream release + +* Sat Oct 16 2010 Jindrich Novy 4.999.9-0.3.beta.212.gacbc +- update to latest git snapshot + +* Thu Apr 01 2010 Jindrich Novy 4.999.9-0.2.20100401.beta +- sync with upstream (#578925) + +* Thu Feb 18 2010 Jindrich Novy 4.999.9-0.2.20091007.beta +- move xz man pages to main package, leave lzma ones where they belong (#566484) + +* Wed Oct 07 2009 Jindrich Novy 4.999.9-0.1.20091007.beta +- sync with upstream again + +* Fri Oct 02 2009 Jindrich Novy 4.999.9-0.1.20091002.beta +- sync with upstream to generate the same archives on machines with different + endianess + +* Fri Aug 28 2009 Jindrich Novy 4.999.9-0.1.beta +- update to 4.999.9beta + +* Mon Aug 17 2009 Jindrich Novy 4.999.8-0.10.beta.20090817git +- sync with upstream because of #517806 + +* Tue Aug 04 2009 Jindrich Novy 4.999.8-0.9.beta.20090804git +- update to the latest GIT snapshot + +* Mon Jul 27 2009 Fedora Release Engineering - 4.999.8-0.8.beta +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Fri Jul 17 2009 Bill Nottingham 4.999.8-0.7.beta +- tweak summary +- add %%check section () + +* Thu Jul 09 2009 Bill Nottingham 4.999.8-0.6.beta +- fix release versioning to match guidelines +- fix up lzma-compat summary/description +- tweak licensing + +* Mon Jun 22 2009 Jindrich Novy 4.999.8beta-0.5 +- introduce lzma-compat subpackage + +* Fri Jun 19 2009 Jindrich Novy 4.999.8beta-0.4 +- try to not to conflict with lzma + +* Thu Jun 18 2009 Jindrich Novy 4.999.8beta-0.3 +- obsolete but don't provide lzma, they are largely incompatible +- put beta to Release + +* Wed Jun 17 2009 Jindrich Novy 4.999.8beta-0.2 +- obsolete old lzma +- add Requires: pkgconfig + +* Tue Jun 16 2009 Jindrich Novy 4.999.8beta-0.1 +- package XZ Utils, based on LZMA Utils packaged by Per Patrice Bouchand