archivers/xz: General-purpose data compression software (5.4)
Branch: CURRENT
Version: 5.8.1
Package name: xz-5.8.1
Maintainer: pkgsrc-users

LZMA is a general purpose compression algorithm designed by Igor
Pavlov as part of 7-Zip. It provides a high compression ratio while
keeping the decompression speed fast.
XZ Utils are an attempt to make LZMA compression easy to use on
free (as in freedom) operating systems. This is achieved by providing
tools and libraries which are similar in use to the equivalents
of the most popular existing compression algorithms.
XZ Utils consist of a few relatively separate parts:
* liblzma is an encoder/decoder library with support for several
filters (algorithm implementations). The primary filter is
LZMA.
* libzfile (or whatever the name will be) enables reading from
and writing to gzip, bzip2 and LZMA compressed and uncompressed
files with an API similar to the standard ANSI-C file I/O.
[ NOTE: libzfile is not implemented yet. ]
* The xz command line tool has syntax almost identical to gzip
and bzip2. It makes LZMA easy for average users, but also
provides advanced options to fine-tune the compression settings.
* A few shell scripts make diffing and grepping LZMA compressed
files easy. The scripts were adapted from gzip and bzip2.
Due to the backdoor in 5.6.*, this package is currently called 5.6* but
contains 5.4.*.
Required to build: pkgtools/cwrappers
Package options: nls
Master sites:
Filesize: 1858.363 KB
Version history:
- (2025-04-03) Updated to version: xz-5.8.1
- (2025-03-30) Updated to version: xz-5.8.0
- (2025-01-24) Updated to version: xz-5.6.4
- (2024-10-02) Updated to version: xz-5.6.3
- (2024-05-30) Updated to version: xz-5.6.2
- (2024-03-30) Updated to version: xz-5.6.1nb100
CVS history:
2025-04-03 18:20:32 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
xz: updated to 5.8.1
5.8.1 (2025-04-03)
IMPORTANT: This includes a security fix for CVE-2025-31115 which
affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x
releases will be made, but the fix is in the v5.4 and v5.6 branches
in the xz Git repository. A standalone patch for all affected
versions is available as well.
* Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with
invalid input. (CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole
input file was provided at once to lzma_code(), the output
buffer was big enough, timeout was disabled, and LZMA_FINISH
was used. There are no bug reports about this, thus it's
possible that no real-world application was affected.
* Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
build with Oracle Developer Studio 12.6 on Solaris 10 when the
compiler is in C11 mode (the header doesn't exist).
* Autotools: Restore compatibility with GNU make versions older
than 4.0 by creating the package using GNU gettext 0.23.1
infrastructure instead of 0.24.
* Update Croatian translation.
|
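An added example, not part of the commit log or of the xz or pkgsrc code: an inventory check that flags version strings falling in the range the 5.8.1 message gives for CVE-2025-31115 and in the backdoored releases, including the pkgsrc case noted on this page where xz-5.6.1nb100 actually contains 5.4.6. The function names and the sample inventory are constructed; that the backdoored releases are 5.6.0 and 5.6.1 is an assumption the page does not spell out.

```python
import re

# Pre-release tags sort before the final release of the same x.y.z.
_STAGE = {"alpha": 0, "beta": 1, "": 2}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(alpha|beta)?(?:nb(\d+))?")


def parse(version):
    """Split e.g. '5.3.3alpha' or '5.6.1nb100' into (sort key, pkgsrc nb revision)."""
    m = _VERSION.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised xz version string: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return (major, minor, patch, _STAGE[m.group(4) or ""]), int(m.group(5) or 0)


def key(version):
    """Sort key of the upstream part of a version string."""
    return parse(version)[0]


# Range stated in the 5.8.1 log message for CVE-2025-31115.
MT_DECODER_FIRST, MT_DECODER_LAST = key("5.3.3alpha"), key("5.8.0")
# Assumption (not spelled out on this page): the backdoored releases are
# 5.6.0 and 5.6.1; the 5.6.2 log message records the removal.
BACKDOORED = {key("5.6.0"), key("5.6.1")}


def audit(version, pkgsrc=False):
    """Return the CVE ids whose affected range contains this version string."""
    upstream, nb = parse(version)
    # pkgsrc's xz-5.6.1nb100 is upstream 5.4.6 under a 5.6.1 name.
    if pkgsrc and upstream == key("5.6.1") and nb == 100:
        upstream = key("5.4.6")
    findings = []
    if upstream in BACKDOORED:
        findings.append("CVE-2024-3094")
    if MT_DECODER_FIRST <= upstream <= MT_DECODER_LAST:
        findings.append("CVE-2025-31115")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    for v, is_pkgsrc in [("5.2.5", False), ("5.6.1", False),
                         ("5.6.1nb100", True), ("5.8.0", False), ("5.8.1", False)]:
        print(f"{v:12} {audit(v, is_pkgsrc) or 'no match'}")
```

A match on CVE-2025-31115 means the version needs review, not that it is unpatched: the fix also exists in the v5.4 and v5.6 branches and as a standalone patch, which a version string cannot show.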
2025-03-30 08:13:16 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
xz: updated to 5.8.0
5.8.0 (2025-03-25)
This bumps the minor version of liblzma because new features were
added. The API and ABI are still backward compatible with liblzma
5.6.x, 5.4.x, 5.2.x, and 5.0.x.
* liblzma on 32/64-bit x86: When possible, use SSE2 intrinsics
instead of memcpy() in the LZMA/LZMA2 decoder. In typical cases,
this may reduce decompression time by 0-5 %. However, when built
against musl libc, over 15 % time reduction was observed with
highly compressed files.
* CMake: Make the feature test macros match the Autotools-based
build on NetBSD, Darwin, and mingw-w64.
* Update the Croatian, Italian, Portuguese, and Romanian
translations.
* Update the German, Italian, Korean, Romanian, Serbian, and
Ukrainian man page translations.
Summary of changes in the 5.7.x development releases:
* Mark the following LZMA Utils script aliases as deprecated:
lzcmp, lzdiff, lzless, lzmore, lzgrep, lzegrep, and lzfgrep.
* liblzma:
- Improve LZMA/LZMA2 encoder speed on 64-bit PowerPC (both
endiannesses) and those 64-bit RISC-V processors that
support fast unaligned access.
- Add low-level APIs for RISC-V, ARM64, and x86 BCJ filters
to lzma/bcj.h. These are primarily for erofs-utils.
- x86/x86-64/E2K CLMUL CRC code was rewritten.
- Use the CRC32 instructions on LoongArch.
* xz:
- Synchronize the output file and its directory using fsync()
before deleting the input file. No syncing is done when xz
isn't going to delete the input file.
- Add --no-sync to disable the sync-before-delete behavior.
- Make --single-stream imply --keep.
* xz, xzdec, lzmainfo: When printing messages, replace
non-printable characters with question marks.
* xz and xzdec on Linux: Support Landlock ABI versions 5 and 6.
* CMake: Revise the configuration variables and some of their
options, and document them in the file INSTALL. CMake support
is no longer experimental. (It was already not experimental
when building for native Windows.)
* Add build-aux/license-check.sh.
|
2025-01-24 07:24:35 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
xz: updated to 5.6.4
5.6.4 (2025-01-23)
* liblzma: Fix LZMA/LZMA2 encoder on big endian ARM64.
* xz:
- Fix --filters= and --filters1= ... --filters9= options
parsing. They require an argument, thus "xz --filters lzma2"
should work in addition to "xz --filters=lzma2".
- On the man page, note in the --compress and --decompress
options that the default behavior is to delete the input
file unless writing to standard output. It was already
documented in the DESCRIPTION section but new users in
a hurry might miss it.
* Windows (native builds, not Cygwin): Fix regressions introduced
in XZ Utils 5.6.3 which caused non-ASCII characters to display
incorrectly. Only builds with translation support were affected
(--enable-nls or ENABLE_NLS=ON). The following changes affect
builds that have translations enabled:
- Require UCRT because MSVCRT doesn't support UTF-8
locales and thus translations won't be readable on
Windows 10 version 1903 and later. (MSVCRT builds
are still possible with --disable-nls or ENABLE_NLS=OFF.)
- Require gettext-runtime >= 0.23.1 because older versions
don't autodetect the use of the UTF-8 code page. This
resulted in garbled non-ASCII characters even with UCRT.
- Partially fix alignment issues in xz --verbose --list
with translated messages. Chinese (simplified),
Chinese (traditional), and Korean column headings
are misaligned still because Windows and MinGW-w64
don't provide wcwidth() and XZ Utils doesn't include
a replacement function either.
* CMake: Explicitly disable unity builds. This prevents build
failures when another project uses XZ Utils via CMake's
FetchContent module, and that project enables unity builds.
* Update Chinese (traditional) and Serbian translations.
|
2024-10-02 19:58:29 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
xz: updated to 5.6.3
5.6.3 (2024-10-01)
IMPORTANT: This includes a Windows-specific security fix to
the command line tools. liblzma isn't affected by this issue.
* liblzma:
- Fix x86-64 inline assembly compatibility with GNU Binutils
older than 2.27.
- Fix the build with GCC 4.2 on OpenBSD/sparc64.
* xzdec: Display an error instead of failing silently if the
unsupported option -M is specified.
* lzmainfo: Fix integer overflows when rounding the dictionary and
uncompressed sizes to the nearest mebibyte.
* Windows (except Cygwin and MSYS2): Add an application manifest to
xz, xzdec, lzmadec, and lzmainfo executables:
- Declare them compatible with Vista/7/8/8.1/10/11. This way
the programs won't needlessly use Operating System Context
of Vista when running on later Windows versions. This setting
doesn't mean that the executables cannot run on even older
versions if otherwise built that way.
- Declare them as UAC-compliant. MSVC added this by default
already but it wasn't done with MinGW-w64, at least not
with all toolchain variants.
- Declare them long path aware. This makes long path names
work on Windows 10 and 11 if the feature has been enabled
in the Windows registry.
- Use the UTF-8 code page on Windows 10 version 1903 and later.
* Now command line tools can access files whose names
contain characters that don't exist in the current
legacy code page.
* The options --files and --files0 now expect file lists
to be in UTF-8 instead of the legacy code page.
* This fixes a security issue: If a command line contains
Unicode characters (for example, filenames) that don't
exist in the current legacy code page, the characters are
converted to similar-looking characters with best-fit
mapping. Some best-fit mappings result in ASCII
characters that change the meaning of the command line,
which can be exploited with malicious filenames to do
argument injection or directory traversal attacks.
UTF-8 avoids best-fit mappings and thus fixes the issue.
Forcing the process code page to UTF-8 is possible only
on Windows 10 version 1903 and later. The command line
tools remain vulnerable if used on an older
version of Windows.
This issue was discovered by Orange Tsai and splitline
from DEVCORE Research Team.
A related smaller issue remains: Windows filenames may
contain unpaired surrogates (invalid UTF-16). These are
converted to the replacement character U+FFFD in the
UTF-8 code page. Thus, filenames with different unpaired
surrogates appear identical and aren't distinguishable
from filenames that contain the actual replacement
character U+FFFD.
* When building with MinGW-w64, it is recommended to use
UCRT version instead of the old MSVCRT. For example,
non-ASCII characters from filenames won't print
correctly in messages to console with MSVCRT with
the UTF-8 code page (a cosmetic issue). liblzma-only
builds are still fine with MSVCRT.
- Cygwin and MSYS2 process command line options differently and
the above issues don't exist. There is no need to replace the
default application manifest on Cygwin and MSYS2.
* Autotools-based build:
- Fix feature checks with link-time optimization (-flto).
- Solaris: Fix a compatibility issue in version.sh. It matters
if one wants to regenerate configure by running autoconf.
* CMake:
- Use paths relative to ${prefix} in liblzma.pc when possible.
This is done only with CMake >= 3.20.
- MSVC: Install liblzma.pc as it can be useful with MSVC too.
- Windows: Fix liblzma filename prefix, for example:
* Cygwin: The DLL was incorrectly named liblzma-5.dll.
Now it is cyglzma-5.dll.
* MSVC: Rename import library from liblzma.lib to lzma.lib
while keeping liblzma.dll name as is. This helps with
"pkgconf --msvc-syntax --libs liblzma" because it mungles
"-llzma" in liblzma.pc to "lzma.lib".
* MinGW-w64: No changes.
- Windows: Use the correct resource file for lzmadec.exe.
Previously the resource file for xzdec.exe was used for both.
Autotools-based build isn't affected.
- Prefer a C11 compiler over a C99 compiler but accept both.
- Link Threads::Threads against liblzma using PRIVATE so that
-pthread and such flags won't unnecessarily get included in
the usage requirements of shared liblzma. That is,
target_link_libraries(foo PRIVATE liblzma::liblzma) no
longer adds -pthread if using POSIX threads and linking
against shared liblzma. The threading flags are still added
if linking against static liblzma.
* Updated translations: Catalan, Chinese (simplified), and
Brazilian Portuguese.
|
2024-05-29 22:22:25 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
xz: updated to 5.6.2
5.6.2 (2024-05-29)
* Remove the backdoor (CVE-2024-3094).
* Not changed: Memory sanitizer (MSAN) has a false positive
in the CRC CLMUL code which also makes OSS Fuzz unhappy.
Valgrind is smarter and doesn't complain.
A revision to the CLMUL code is coming anyway and this issue
will be cleaned up as part of it. It won't be backported to
5.6.x or 5.4.x because the old code isn't wrong. There is
no reason to risk introducing regressions in old branches
just to silence a false positive.
* liblzma:
- lzma_index_decoder() and lzma_index_buffer_decode(): Fix
a missing output pointer initialization (*i = NULL) if the
functions are called with invalid arguments. The API docs
say that such an initialization is always done. In practice
this matters very little because the problem can only occur
if the calling application has a bug and these functions
return LZMA_PROG_ERROR.
- lzma_str_to_filters(): Fix a missing output pointer
initialization (*error_pos = 0). This is very similar
to the fix above.
- Fix C standard conformance with function pointer types.
- Remove GNU indirect function (IFUNC) support. This is *NOT*
done for security reasons even though the backdoor relied on
this code. The performance benefits of IFUNC are too tiny in
this project to make the extra complexity worth it.
- FreeBSD on ARM64: Add error checking to CRC32 instruction
support detection.
- Fix building with NVIDIA HPC SDK.
* xz:
- Fix a C standard conformance issue in --block-list parsing
(arithmetic on a null pointer).
- Fix a warning from GNU groff when processing the man page:
"warning: cannot select font 'CW'"
* xzdec: Add support for Linux Landlock ABI version 4. xz already
had the v3-to-v4 change but it had been forgotten from xzdec.
* Autotools-based build system (configure):
- Symbol versioning variant can now be overridden with
--enable-symbol-versions. Documentation in INSTALL was
updated to match.
- Add new configure option --enable-doxygen to enable
generation and installation of the liblzma API documentation
using Doxygen. Documentation in INSTALL and PACKAGERS was
updated to match.
* CMake:
- Fix detection of Linux Landlock support. The detection code
in CMakeLists.txt had been sabotaged.
- Disable symbol versioning on non-glibc Linux to match what
the Autotools build does. For example, symbol versioning
isn't enabled with musl.
- Symbol versioning variant can now be overridden by setting
SYMBOL_VERSIONING to "OFF", "generic", or "linux".
- Add support for all tests in typical build configurations.
Now the only difference to the tests coverage to Autotools
is that CMake-based build will skip more tests if features
are disabled. Such builds are only for special cases like
embedded systems.
- Separate the CMake code for the tests into tests/tests.cmake.
It is used conditionally, thus it is possible to
rm -rf tests
and the CMake-based build will still work normally except
that no tests are then available.
- Add an option ENABLE_DOXYGEN to enable generation and
installation of the liblzma API documentation using Doxygen.
* Documentation:
- Omit the Doxygen-generated liblzma API documentation from the
package. Instead, the generation and installation of the API
docs can be enabled with a configure or CMake option if
Doxygen is available.
- Remove the XZ logo which was used in the API documentation.
The logo has been retired and isn't used by the project
anymore. However, it's OK to use it in contexts that refer
to the backdoor incident.
- Remove the PDF versions of the man pages from the source
package. These existed primarily for users of operating
systems which don't come with tools to render man page
source files. The plain text versions are still included
in doc/man/txt. PDF files can still be generated to doc/man,
if the required tools are available, using "make pdf" after
running "configure".
- Update home page URLs back to their old locations on
tukaani.org.
- Update maintainer info.
* Tests:
- In tests/files/README, explain how to recreate the ARM64
test files.
- Remove two tests that used tiny x86 and SPARC object files
as the input files. The matching .c file was included but
the object files aren't easy to reproduce. The test cases
weren't great anyway; they were from the early days (2009)
of the project when the test suite had very few tests.
- Improve a few tests.
|
2024-04-03 00:18:59 by Jonathan Schleifer | Files touched by this commit (1)
Log message:
archivers/xz: Fix download URL
https://github.com/tukaani-project/xz/releases/download/v5.6.1/xz-5.4.6.tar.bz2
is not a valid URL. It's an HTML (probably an error message because GitHub has
suspended the repo), despite it surprisingly returning HTTP 200.
|
2024-03-29 19:19:31 by Thomas Klausner | Files touched by this commit (2)
Log message:
xz: call this 5.6.1nb100 despite it being 5.4.6
For easier "upgrades" to a non-backdoored version.
Note it in COMMENT and DESCR.
|
2024-03-28 23:24:09 by Thomas Klausner | Files touched by this commit (3)
Log message:
xz: downgrade to 5.4.6
|