[Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Fri Mar 29 19:11:30 UTC 2024

Important context from https://lists.debian.org/debian-security-
announce/2024/msg00057.html :

  Andres Freund discovered that the upstream source tarballs for xz-utils,
  the XZ-format compression utilities, are compromised and inject
  malicious code, at build time, into the resulting liblzma5 library.

  Right now no Debian stable versions are known to be affected.
  Compromised packages were part of the Debian testing, unstable and
  experimental distributions, with versions ranging from 5.5.1alpha-0.1
  (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has
  been reverted to use the upstream 5.4.5 code, which we have versioned
  5.6.1+really5.4.5-1.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2059417

Title:
  Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Status in xz-utils package in Ubuntu:
  Won't Fix

Bug description:
  Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

  Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
  was recently released and uploaded to Debian as a bugfix only release.
  Notably, this fixes a bug that causes Valgrind to issue a warning on
  any application dynamically linked with liblzma. This includes a lot of
  important applications. This could break build scripts and test
  pipelines that expect specific output from Valgrind in order to pass.

  Additionally, this fixes a small typo for the man pages translations
  for Brazilian Portuguese, German, French, Korean, Romanian, and
  Ukrainian, and removes the need for patches applied for version
  5.6.0-0.2.

  The other bugfixes in this release have no impact on Ubuntu. They
  involve building with CMake or when building on a system without
  Landlock system calls defined (these are defined in Ubuntu).

  Changelog entries since current noble version 5.6.0-0.2:

  xz-utils (5.6.1-1) unstable; urgency=medium

    * Non-maintainer upload.
    * Import 5.6.1 (Closes: #1067708).
    * Takeover maintenance of the package.

   -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Wed, 27 Mar
  2024 22:53:21 +0100

  Excerpt from the NEWS entry from upstream:

  5.6.1 (2024-03-09)

      * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
        with GCC. The more serious bug caused a program linked with
        liblzma to crash on start up if the flag -fprofile-generate was
        used to build liblzma. The second bug caused liblzma to falsely
        report an invalid write to Valgrind when loading liblzma.

      * xz: Changed the messages for thread reduction due to memory
        constraints to only appear under the highest verbosity level.

      * Build:

          - Fixed a build issue when the header file <linux/landlock.h>
            was present on the system but the Landlock system calls were
            not defined in <sys/syscall.h>.

          - The CMake build now warns and disables NLS if both gettext
            tools and pre-created .gmo files are missing. Previously,
            this caused the CMake build to fail.

      * Minor improvements to man pages.

      * Minor improvements to tests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417/+subscriptions