Update dependency org_lzma_lzma to v5.6.2

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
org_lzma_lzma	http_archive	minor	v5.4.5 -> v5.6.2

---

Release Notes

tukaani-project/xz (org_lzma_lzma)

v5.6.2: XZ Utils 5.6.2 (stable)

Compare Source

NOTE: 5.2.13, 5.4.7, and 5.6.2 have a build system issue that prevents building of shared libraries on some systems like mips64. See the patch itself for details. The same patch applies to 5.2.13, 5.4.7, and 5.6.2.

5.6.2 (2024-05-29)

    * Remove the backdoor (CVE-2024-3094).

    * Not changed: Memory sanitizer (MSAN) has a false positive
      in the CRC CLMUL code which also makes OSS Fuzz unhappy.
      Valgrind is smarter and doesn't complain.

      A revision to the CLMUL code is coming anyway and this issue
      will be cleaned up as part of it. It won't be backported to
      5.6.x or 5.4.x because the old code isn't wrong. There is
      no reason to risk introducing regressions in old branches
      just to silence a false positive.

    * liblzma:

        - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
          a missing output pointer initialization (*i = NULL) if the
          functions are called with invalid arguments. The API docs
          say that such an initialization is always done. In practice
          this matters very little because the problem can only occur
          if the calling application has a bug and these functions
          return LZMA_PROG_ERROR.

        - lzma_str_to_filters(): Fix a missing output pointer
          initialization (*error_pos = 0). This is very similar
          to the fix above.

        - Fix C standard conformance with function pointer types.

        - Remove GNU indirect function (IFUNC) support. This is *NOT*
          done for security reasons even though the backdoor relied on
          this code. The performance benefits of IFUNC are too tiny in
          this project to make the extra complexity worth it.

        - FreeBSD on ARM64: Add error checking to CRC32 instruction
          support detection.

        - Fix building with NVIDIA HPC SDK.

    * xz:

        - Fix a C standard conformance issue in --block-list parsing
          (arithmetic on a null pointer).

        - Fix a warning from GNU groff when processing the man page:
          "warning: cannot select font 'CW'"

    * xzdec: Add support for Linux Landlock ABI version 4. xz already
      had the v3-to-v4 change but it had been forgotten from xzdec.

    * Autotools-based build system (configure):

        - Symbol versioning variant can now be overridden with
          --enable-symbol-versions. Documentation in INSTALL was
          updated to match.

        - Add new configure option --enable-doxygen to enable
          generation and installation of the liblzma API documentation
          using Doxygen. Documentation in INSTALL and PACKAGERS was
          updated to match.

    CMake:

        - Fix detection of Linux Landlock support. The detection code
          in CMakeLists.txt had been sabotaged.

        - Disable symbol versioning on non-glibc Linux to match what
          the Autotools build does. For example, symbol versioning
          isn't enabled with musl.

        - Symbol versioning variant can now be overridden by setting
          SYMBOL_VERSIONING to "OFF", "generic", or "linux".

        - Add support for all tests in typical build configurations.
          Now the only difference to the tests coverage to Autotools
          is that CMake-based build will skip more tests if features
          are disabled. Such builds are only for special cases like
          embedded systems.

        - Separate the CMake code for the tests into tests/tests.cmake.
          It is used conditionally, thus it is possible to

              rm -rf tests

          and the CMake-based build will still work normally except
          that no tests are then available.

        - Add a option ENABLE_DOXYGEN to enable generation and
          installation of the liblzma API documentation using Doxygen.

    * Documentation:

        - Omit the Doxygen-generated liblzma API documentation from the
          package. Instead, the generation and installation of the API
          docs can be enabled with a configure or CMake option if
          Doxygen is available.

        - Remove the XZ logo which was used in the API documentation.
          The logo has been retired and isn't used by the project
          anymore. However, it's OK to use it in contexts that refer
          to the backdoor incident.

        - Remove the PDF versions of the man pages from the source
          package. These existed primarily for users of operating
          systems which don't come with tools to render man page
          source files. The plain text versions are still included
          in doc/man/txt. PDF files can still be generated to doc/man,
          if the required tools are available, using "make pdf" after
          running "configure".

        - Update home page URLs back to their old locations on
          tukaani.org.

        - Update maintainer info.

    * Tests:

        - In tests/files/README, explain how to recreate the ARM64
          test files.

        - Remove two tests that used tiny x86 and SPARC object files
          as the input files. The matching .c file was included but
          the object files aren't easy to reproduce. The test cases
          weren't great anyway; they were from the early days (2009)
          of the project when the test suite had very few tests.

        - Improve a few tests.

v5.4.7: XZ Utils 5.4.7 (old stable)

Compare Source

NOTE: 5.2.13, 5.4.7, and 5.6.2 have a build system issue that prevents building of shared libraries on some systems like mips64. See the patch itself for details. The same patch applies to 5.2.13, 5.4.7, and 5.6.2.

5.4.7 (2024-05-29)

    * Not changed: Memory sanitizer (MSAN) has a false positive
      in the CRC CLMUL code which also makes OSS Fuzz unhappy.
      Valgrind is smarter and doesn't complain.

      A revision to the CLMUL code is coming anyway and this issue
      will be cleaned up as part of it. It won't be backported to
      5.6.x or 5.4.x because the old code isn't wrong. There is
      no reason to risk introducing regressions in old branches
      just to silence a false positive.

    * liblzma:

        - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
          a missing output pointer initialization (*i = NULL) if the
          functions are called with invalid arguments. The API docs
          say that such an initialization is always done. In practice
          this matters very little because the problem can only occur
          if the calling application has a bug and these functions
          return LZMA_PROG_ERROR.

        - lzma_str_to_filters(): Fix a missing output pointer
          initialization (*error_pos = 0). This is very similar
          to the fix above.

        - Fix C standard conformance with function pointer types.
          This newly showed up with Clang 17 with -fsanitize=undefined.
          There are no bug reports about this.

        - Fix building with NVIDIA HPC SDK.

    * xz:

        - Fix a C standard conformance issue in --block-list parsing
          (arithmetic on a null pointer).

        - Fix a warning from GNU groff when processing the man page:
          "warning: cannot select font 'CW'"

        - Fix outdated threading related information on the man page.

    * xzless:

        - With "less" version 451 and later, use "||-" instead of "|-"
          in the environment variable LESSOPEN. This way compressed
          files that contain no uncompressed data are shown correctly
          as empty.

        - With "less" version 632 and later, use --show-preproc-errors
          to make "less" show a warning on decompression errors.

    * Autotools-based build system (configure):

        - Symbol versioning variant can now be overridden with
          --enable-symbol-versions. Documentation in INSTALL was
          updated to match.

    CMake:

        - Linux on MicroBlaze is handled specially now. This matches
          the changes made to the Autotools-based build in XZ Utils
          5.4.2 and 5.2.11.

        - Disable symbol versioning on non-glibc Linux to match what
          the Autotools build does. For example, symbol versioning
          isn't enabled with musl.

        - Symbol versioning variant can now be overridden by setting
          SYMBOL_VERSIONING to "OFF", "generic", or "linux".

    * Documentation:

        - Clarify the description of --disable-assembler in INSTALL.
          The option only affects 32-bit x86 assembly usage.

        - Add doc/examples/11_file_info.c. It was added to the
          Git repository in 2017 but forgotten to be added into
          distribution tarballs.

        - Don't install the TODO file as part of the documentation.
          The file is out of date.

        - Update home page URLs back to their old locations on
          tukaani.org.

        - Update maintainer info.

v5.4.6: XZ Utils 5.4.6 Stable

Compare Source

5.4.6 (2024-01-26)

    * Fixed a bug involving internal function pointers in liblzma not
      being initialized to NULL. The bug can only be triggered if
      lzma_filters_update() is called on a LZMA1 encoder, so it does
      not affect xz or any application known to us that uses liblzma.

    * xz:

        - Fixed a regression introduced in 5.4.2 that caused encoding
          in the raw format to unnecessarily fail if --suffix was not
          used. For instance, the following command no longer reports
          that --suffix must be used:

              echo foo | xz --format=raw --lzma2 | wc -c

        - Fixed an issue on MinGW-w64 builds that prevented reading
          from or writing to non-terminal character devices like NUL.

    * Added a new test.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.