public inbox for git-commits@fedoraproject.org
* [rpms/pxz] epel10.2: - Update to GIT 20200421
@ 2026-06-15 21:56 Robert Scheck
From: Robert Scheck @ 2026-06-15 21:56 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/pxz
Branch : epel10.2
Commit : 183dacb03395ba7d978156631d2922f782df14eb
Author : Robert Scheck <robert@fedoraproject.org>
Date : 2020-04-22T01:17:16+02:00
Stats : +121/-12 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/pxz/c/183dacb03395ba7d978156631d2922f782df14eb?branch=epel10.2
Log:
- Update to GIT 20200421
- Added patch against race condition in setting permissions on output file (#1182024)
- Added patch to revert environment redirect allowing 'export XZ_OPT="-9"' or similar
---
diff --git a/.gitignore b/.gitignore
index 97095d2..6909b1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/pxz-4.999.9beta.20120930git.tar.xz
+/pxz-*.tar.xz
diff --git a/pxz-4.999.9-cve-2015-1200.patch b/pxz-4.999.9-cve-2015-1200.patch
new file mode 100644
index 0000000..236aac9
--- /dev/null
+++ b/pxz-4.999.9-cve-2015-1200.patch
@@ -0,0 +1,36 @@
+From eb233cfadd2480ca30e5853644bb63c97956ed88 Mon Sep 17 00:00:00 2001
+From: Robert Scheck <robert@fedoraproject.org>
+Date: Wed, 22 Apr 2020 00:02:18 +0200
+Subject: [PATCH] CVE-2015-1200: Race condition in setting permissions on
+ output file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Race condition in pxz 4.999.99 Beta 3 uses weak file permissions
+for the output file when compressing a file before changing the
+permission to match the original file, which allows local users
+to bypass the intended access restrictions.
+
+Patch by Moritz Mühlenhoff <jmm@inutil.org>
+
+See also:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1200
+ - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775306
+ - https://bugzilla.redhat.com/show_bug.cgi?id=1182024
+---
+ pxz.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pxz.c b/pxz.c
+index 4240b6e..1119ed7 100644
+--- a/pxz.c
++++ b/pxz.c
+@@ -312,6 +312,7 @@ int main( int argc, char **argv, char **envp ) {
+ }
+
+ fo = stdout;
++ umask(077);
+ if ( std_in ) {
+ fi = stdin;
+ } else {
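Review bot: the added `umask(077);` in this hunk comes with no `#include <sys/stat.h>`, so confirm that pxz.c already includes it before the patch is applied. Its placement is right: it runs before the `if ( std_in )` branch and therefore before any output file is created, so the file exists with mode 0600 during the window the description names and only widens when the code later copies the original file's permissions; that later permission copy has to stay in place, since with this umask a file whose mode is never adjusted would remain 0600. A short comment next to the call saying that, and noting that the umask is inherited by xz when `run_xz` execs it, would spare the next reader the same check. Minor: the description speaks of "pxz 4.999.99 Beta 3" while the spec's Version is 4.999.9; one line saying the 4.999.9 GIT snapshots carry the same code would tie the two together.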
diff --git a/pxz-4.999.9-revert-fa3194e.patch b/pxz-4.999.9-revert-fa3194e.patch
new file mode 100644
index 0000000..e63cd7a
--- /dev/null
+++ b/pxz-4.999.9-revert-fa3194e.patch
@@ -0,0 +1,65 @@
+Revert https://github.com/jnovy/pxz/commit/fa3194ea0bf87ce377d5cec30fdcdb96db750896
+as it actually makes pxz quite unusable, see https://github.com/jnovy/pxz/issues/34
+
+diff --git a/pxz.c b/pxz.c
+index 74c7eae..be07845 100644
+--- a/pxz.c
++++ b/pxz.c
+@@ -132,13 +132,13 @@ const struct option long_opts[] = {
+ { NULL, 0, NULL, 0 }
+ };
+
+-void __attribute__((noreturn)) run_xz( char **argv, char **envp ) {
+- execve(XZ_BINARY, argv, envp);
++void __attribute__((noreturn)) run_xz( char **argv ) {
++ execvp(XZ_BINARY, argv);
+ error(0, errno, "execution of "XZ_BINARY" binary failed");
+ exit(EXIT_FAILURE);
+ }
+
+-void parse_args( int argc, char **argv, char **envp ) {
++void parse_args( int argc, char **argv ) {
+ int c;
+
+ opterr = 0;
+@@ -184,11 +184,11 @@ void parse_args( int argc, char **argv, char **envp ) {
+ " -D, --context-size per-thread compression context size as a multiple\n"
+ " of dictionary size. Default is 3.\n\n"
+ "Usage and other options are same as in XZ:\n\n");
+- run_xz(argv, envp);
++ run_xz(argv);
+ break;
+ case 'V':
+ printf("Parallel PXZ "PXZ_VERSION" (build "PXZ_BUILD_DATE")\n");
+- run_xz(argv, envp);
++ run_xz(argv);
+ break;
+ case 'g':
+ opt_lzma_check = LZMA_CHECK_CRC32;
+@@ -197,7 +197,7 @@ void parse_args( int argc, char **argv, char **envp ) {
+ case 't':
+ case 'l':
+ case '?':
+- run_xz(argv, envp);
++ run_xz(argv);
+ default:
+ break;
+ }
+@@ -246,7 +246,7 @@ int close_stream( FILE *f ) {
+ return 0;
+ }
+
+-int main( int argc, char **argv, char **envp ) {
++int main( int argc, char **argv ) {
+ int i;
+ uint64_t p, threads, chunk_size;
+ uint8_t *m;
+@@ -271,7 +271,7 @@ int main( int argc, char **argv, char **envp ) {
+ }
+ snprintf(xzcmd, xzcmd_max, XZ_BINARY);
+
+- parse_args(argc, argv, envp);
++ parse_args(argc, argv);
+
+ lzma_lzma_preset(&lzma_options, opt_complevel);
+
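Review bot: the change in `run_xz` from `execve(XZ_BINARY, argv, envp)` to `execvp(XZ_BINARY, argv)` does two things at once: the child now inherits the caller's environment (the stated intent, so `XZ_OPT` is honoured again) and the binary is now located through a PATH search instead of the path as given. If `XZ_BINARY` is an absolute path the search is moot; if it is a bare name, `execv(XZ_BINARY, argv)` restores the environment without changing how the binary is found and is the narrower revert. Either way the description should say which behaviour is intended. Style point: unlike the CVE patch, this file carries only a two-line description with no From/Date/Subject header, so a matching header would keep both patches in the same `git am`-able form.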
diff --git a/pxz.spec b/pxz.spec
index 18cbd28..ec3dba5 100644
--- a/pxz.spec
+++ b/pxz.spec
@@ -1,13 +1,15 @@
-%global git_date 20120930
+%global git_date 20200421
Summary: Parallel LZMA compressor using XZ
Name: pxz
Version: 4.999.9
-Release: 18.beta.%{git_date}git%{?dist}
+Release: 19.beta.%{git_date}git%{?dist}
License: GPLv2+
+URL: https://jnovy.fedorapeople.org/pxz/
# source created as "make dist" in checked out GIT tree: git clone git://github.com/jnovy/pxz.git
-Source0: http://jnovy.fedorapeople.org/%{name}/%{name}-%{version}beta.%{git_date}git.tar.xz
-URL: http://jnovy.fedorapeople.org/pxz
+Source0: https://jnovy.fedorapeople.org/%{name}/%{name}-%{version}beta.%{git_date}git.tar.xz
+Patch0: pxz-4.999.9-cve-2015-1200.patch
+Patch1: pxz-4.999.9-revert-fa3194e.patch
BuildRequires: gcc, xz-devel
%description
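Review bot: the comment above Source0 still tells the packager to `git clone git://github.com/jnovy/pxz.git`, but GitHub no longer serves the unauthenticated git:// protocol, so the reproduction instruction should read `https://github.com/jnovy/pxz.git`. The move of URL and Source0 to https and the new Patch0/Patch1 declarations match the files added in this commit.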
@@ -17,21 +19,27 @@ multiple cores and processors. This significantly speeds up compression time.
%prep
%setup -q -n %{name}-%{version}beta
+%patch0 -p1 -b .cve-2015-1200
+%patch1 -p1 -b .revert-fa3194e
%build
export CFLAGS="%{optflags} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
-make %{?_smp_mflags}
+%make_build
%install
-rm -rf %{buildroot}
-make install DESTDIR=%{buildroot} INSTALL="%{__install} -p"
+%make_install
%files
-%doc COPYING
-%{_mandir}/man1/pxz.1*
-%{_bindir}/pxz
+%license COPYING
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}.1*
%changelog
+* Tue Apr 21 2020 Robert Scheck <robert@fedoraproject.org> 4.999.9-19.beta.20200421git
+- Update to GIT 20200421
+- Added patch against race condition in setting permissions on output file (#1182024)
+- Added patch to revert environment redirect allowing 'export XZ_OPT="-9"' or similar
+
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.999.9-18.beta.20120930git
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
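Review bot: `%patch0 -p1 -b .cve-2015-1200` and `%patch1 -p1 -b .revert-fa3194e` use the numbered `%patchN` spelling, which rpm has deprecated; `%patch -P0 -p1 -b .cve-2015-1200` and `%patch -P1 -p1 -b .revert-fa3194e` are the forms that keep working on newer rpm and are the ones to use on a branch that will live for years. A style point in the new %changelog entry: it omits the ` - ` separator between the e-mail address and the version that the preceding entry uses.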
diff --git a/sources b/sources
index 16c3179..4ec93b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b9b35a1de642e964be6e010c2b5b1b6c pxz-4.999.9beta.20120930git.tar.xz
+SHA512 (pxz-4.999.9beta.20200421git.tar.xz) = d7f47be278444991375336e6736dcf67d19452c951c73565cd26a0482f1af00d41101b435d937e20a003a22adefdda92e1f8737fe83b753d395b64a6ecba6f50