This is based on the decision The NetBSD Foundation made in 2008 to
do so, which was already applied to src.
This change has been applied to code which is likely not in other
repositories.
ok board@, reviewed by riastradh@
1.61 Sat 18 Aug 2018
- File::Find will not untaint [github/ThisUsedToBeAnEmail]
- Prevent from traversing symlinks and parent directories when extracting [github/ppisar]
Changes:
improve q=1 compression on small files
inverse Bazel workspace tree
add rolling-composite-hasher for large-window mode
add tools to download and transform static dictionary data
Changes:
2018-03-15 guidod <guidod@gmx.de>
* fix a number of CVEs reported with special *.zip PoC files
* man-pages are generated with new dbk2man.py - docbook xmlto is optional now
* completing some doc strings while checking the new man-pages to look good
* allow the zziptests.py testsuite to run with an installed /bin path
* try to fix some issues on testing with non-installed binaries on non-linux platforms
* update autotools to allow compiling on some newer Mac / Win machines
* a zip-program is still required for testing, but some errors are gone when not there
* complete the approximation of fnmatch for the test binaries (on platforms without)
* allow windows __mmap.h to be simpler, helping with some problems on MingW
* integrate 'fopen("wb")' from TexLive to be more portable across
* more portability as well for helpers like strnlen being used in the sources
* update doc refs to point to github instead of sf.net
* update the sf.net pages to have a prominent hint on newer github.com location
* release v0.13.69
2018-04-26 Stuart Caie <kyzer@cabextract.org.uk>
* read_chunk(): the test that chunk numbers are in bounds was off
by one, so read_chunk() returned a pointer taken from outside
allocated memory that usually crashes libmspack when accessed.
Thanks to Hanno Böck for finding the issue and providing a sample.
* chmd_read_headers(): reject files with blank filenames. Thanks
again to Hanno Böck for finding the issue and providing a sample file.
2018-02-06 Stuart Caie <kyzer@cabextract.org.uk>
* chmd.c: fixed an off-by-one error in the TOLOWER() macro, reported
by Dmitry Glavatskikh. Thanks Dmitry!
2017-11-26 Stuart Caie <kyzer@cabextract.org.uk>
* kwajd_read_headers(): fix up the logic of reading the filename and
extension headers to avoid a one or two byte overwrite. Thanks to
Jakub Wilk for finding the issue.
* test/kwajd_test.c: add tests for KWAJ filename.ext handling
2017-10-16 Stuart Caie <kyzer@cabextract.org.uk>
* test/cabd_test.c: update the short string tests to expect not only
MSPACK_ERR_DATAFORMAT but also MSPACK_ERR_READ, because of the recent
change to cabd_read_string(). Thanks to maitreyee43 for spotting this.
* test/msdecompile_md5: update the setup instructions for this script,
and also change the script so it works with current Wine. Again, thanks
to maitreyee43 for trying to use it and finding it not working.
2017-08-13 Stuart Caie <kyzer@cabextract.org.uk>
* src/chmextract.c: support MinGW one-arg mkdir(). Thanks to AntumDeluge
for reporting this.
2017-08-13 Stuart Caie <kyzer@cabextract.org.uk>
* read_spaninfo(): a CHM file can have no ResetTable and have a
negative length in SpanInfo, which then feeds a negative output length
to lzxd_init(), which then sets frame_size to a value of your choosing,
the lower 32 bits of output length, larger than LZX_FRAME_SIZE. If the
first LZX block is uncompressed, this writes data beyond the end of the
window. This issue was raised by ClamAV as CVE-2017-6419. Thanks to
Sebastian Andrzej Siewior for finding this by chance!
* lzxd_init(), lzxd_set_output_length(), mszipd_init(): due to the issue
mentioned above, these functions now reject negative lengths
2017-08-05 Stuart Caie <kyzer@cabextract.org.uk>
* cabd_read_string(): add missing error check on result of read().
If an mspack_system implementation returns an error, it's interpreted
as a huge positive integer, which leads to reading past the end of the
stack-based buffer. Thanks to Sebastian Andrzej Siewior for explaining
the problem. This issue was raised by ClamAV as CVE-2017-11423
2016-04-20 Stuart Caie <kyzer@cabextract.org.uk>
* configure.ac: change my email address to kyzer@cabextract.org.uk
2015-05-10 Stuart Caie <kyzer@4u.net>
* cabd_read_string(): correct rejection of empty strings. Thanks to
Hanno Böck for finding the issue and providing a sample file.
2015-05-10 Stuart Caie <kyzer@4u.net>
* Makefile.am: Add subdir-objects option as suggested by autoreconf.
* configure.ac: Add AM_PROG_AR as suggested by autoreconf.
2015-01-29 Stuart Caie <kyzer@4u.net>
* system.h: if C99 inttypes.h exists, use its PRI{d,u}{32,64} macros.
Thanks to Johnathan Kollasch for the suggestion.
New in 1.7
* cabextract now supports an --encoding parameter, to specify the character
encoding of CAB filenames if they are not ASCII or UTF8
* cabextract -L now lowercases non-ASCII characters
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
Update LICENSE
Upstream changes:
0.26 (2018/06/09)
Implemented refactoring due to warnings from Perl::Critic.
0.25 (2018/06/04)
Implemented refactoring due to warnings from Perl::Critic.
Merge pull request #3 from manwar/suggest-code-tidy
0.24 (2018/06/02)
Added a LICENSE file (GNU GPL v3).
Removed MYMETA files (see https://rt.cpan.org/Ticket/Display.html?id=108171).
Improved Kwalitee by adding information to Makefile.PL
Fixed tests under OpenBSD
Added some code to check for OpenBSD tar, which is not quite compatible to the command line options passed by this module.
Also made the method is_gnu() more robust, testing the return code and properly handling STDOUT and STDERR when trying "tar --version".
Dependencies added are those already available on standard perl (Config and IPC::Open3).
Added a README.md for better formatting in Github project page.
Small refactorings and code formatting with perltidy.
Upstream changes:
2.30 19/06/2018
- skip white_space test on MSWin32 as Windows will report that both
files exist, which is obviously a 'feature'
2.28 08/06/2018 (madroach, ARC, OCBNET, ppisar)
- fix creating file with trailing whitespace on filename - fixes 103279
- allow archiving with absolute pathnames - fixes 97748
- small POD fix
- Speed up extract when archive contains lots of files
- CVE-2018-12015 directory traversal vulnerability [RT#125523]
2.0.1:
This release fixes: tests failed when run under python setup.py test, but passed when running under tox.
2.0.0:
It's now possible to specify a compression dictionary for block compression.
The bundled LZ4 libraries have been updated to 1.8.2
A compatibility fix for 2.x memoryview objects has been added.
Various flake8 cleanups and test additions.
This Go language package supports the reading and writing of xz
compressed streams. It includes also a gxz command for compressing and
decompressing data. The package is completely written in Go and
doesn't have any dependency on any C code.
Changes 2.8:
add support for setting atime, ctime, mtime and birthtime
tell libarchive when writing an archive is aborted due to an exception
add support for getting uid and gid
add support for high resolution timestamps
add two new archive readers: stream_reader and custom_reader
add missing archive extraction flags
add the lz4 and warc formats
add support for write options and uid/gid lookup
innoextract 1.7 (2018-06-12)
- Added support for Inno Setup 5.6.0 installers
- Added support for new GOG installers with GOG Galaxy file parts
- Added support for encrypted installers with the --password (-P) and --password-file options
- Added a --show-password option to print password check information
- Added a --check-password option to abort if the provided password does not match the stored checksum
- Added a --info (-i) convenience option to print information about the installer
- Added a --list-sizes option to print file sizes even with --quiet or --silent
- Added a --list-checksums option to print file checksums
- Added a --data-version (-V) option to print the data version and exit
- Added a --no-extract-unknown (-n) option to abort on unknown Inno Setup data versions
- Fixed building in paths that contain regex expressions
- Fixed case-sensitivity in parent directory when creating subdirectories
- Fixed .bin slice file names used with Inno Setup versions older than 4.1.7
- Fixed build with newer libc++ versions
- Made loading of .bin slice files case-insensitive
- The --test option can now be combined with --extract to abort on file checksum errors
- Now compiles in C++17 mode if supported
5.2.4:
* liblzma:
- Allow 0 as memory usage limit instead of returning
LZMA_PROG_ERROR. Now 0 is treated as if 1 byte was specified,
which effectively is the same as 0.
- Use "noexcept" keyword instead of "throw()" in the public
headers when a C++11 (or newer standard) compiler is used.
- Added a portability fix for recent Intel C Compilers.
- Microsoft Visual Studio build files have been moved under
windows/vs2013 and windows/vs2017.
* xz:
- Fix "xz --list --robot missing_or_bad_file.xz" which would
try to print an uninitialized string and thus produce garbage
output. Since the exit status is non-zero, most uses of such
a command won't try to interpret the garbage output.
- "xz --list foo.xz" could print "Internal error (bug)" in a
corner case where a specific memory usage limit had been set.
Engrampa, the archive viewer, has improved support for encrypted 7z archives.
Full changelog:
build: use PKG_CONFIG to fix cross-build
Add our copyright to About dialog and Caja extension
7z: Fix: rename files with password without the list encrypted
7z: Fix: delete/rename files/folders with the list encrypted
avoid deprecated gdk_screen_make_display_name
don’t use deprecated gtk_show_uri
use a more common gtk+ function
avoid deprecated gdk_screen_get_number
Add the button “Show the Files and Quit” in the progress dialog
Fix: create zip files in “maximum” compression level
Fix: Browsing history not correct
hide folders in “View All Files”
Fix: Wrong behavior of Skip button in Replace file dialog
UI files: avoid deprecations
gtk-utils: remove some GTK_STOCK deprecations
gtk-utils: avoid deprecated gtk_icon_size_lookup_for_settings
fr-window: fix some GTK_STOCK deprecations
add style class frame to scrolledwindows
fr-window: avoid deprecated GtkMisc and GtkAlignment
dlg-add-folder: avoid deprecated gtk_alignment_new()
build: use variable instead of hardcoded file name when cleaning
Translations update
v1.8.2
perf: *much* faster dictionary compression on small files
perf: improved decompression speed and binary size
perf: slightly faster HC compression and decompression speed
perf: very small compression ratio improvement
fix : compression compatible with low memory addresses (< 0xFFFF)
fix : decompression segfault when provided with NULL input
cli : new command --favor-decSpeed
cli : benchmark mode more accurate for small inputs
fullbench : can bench _destSize() variants
doc : clarified block format parsing restrictions
1.5.1 [2018-04-11]
==================
* Choose format of installed documentation based on available tools.
* Fix visibility of symbols.
* Fix zipcmp directory support.
* Don't set RPATH on Linux.
* Use Libs.private for link dependencies in pkg-config file.
* Fix build with LibreSSL.
* Various bugfixes.
0.9.0:
Backwards Compatibility Notes
CFFI 1.11 or newer is now required (previous requirement was 1.8).
The primary module is now zstandard. Please change imports of zstd and zstd_cffi to import zstandard. See the README for more. Support for importing the old names will be dropped in the next release.
ZstdCompressor.read_from() and ZstdDecompressor.read_from() have been renamed to read_to_iter(). read_from() is aliased to the new name and will be deleted in a future release.
Support for Python 2.6 has been removed.
Support for Python 3.3 has been removed.
The selectivity argument to train_dictionary() has been removed, as the feature disappeared from zstd 1.3.
Support for legacy dictionaries has been removed. Cover dictionaries are now the default. train_cover_dictionary() has effectively been renamed to train_dictionary().
The allow_empty argument from ZstdCompressor.compress() has been deleted and the method now allows empty inputs to be compressed by default.
estimate_compression_context_size() has been removed. Use CompressionParameters.estimated_compression_context_size() instead.
get_compression_parameters() has been removed. Use CompressionParameters.from_level() instead.
The arguments to CompressionParameters.__init__() have changed. If you were using positional arguments before, the positions now map to different arguments. It is recommended to use keyword arguments to construct CompressionParameters instances.
TARGETLENGTH_MAX constant has been removed (it disappeared from zstandard 1.3.4).
ZstdCompressor.write_to() and ZstdDecompressor.write_to() have been renamed to ZstdCompressor.stream_writer() and ZstdDecompressor.stream_writer(), respectively. The old names are still aliased, but will be removed in the next major release.
Content sizes are written into frame headers by default (ZstdCompressor(write_content_size=True) is now the default).
CompressionParameters has been renamed to ZstdCompressionParameters for consistency with other types. The old name is an alias and will be removed in the next major release.
Bug Fixes
Fixed memory leak in ZstdCompressor.copy_stream().
Fixed memory leak in ZstdDecompressor.copy_stream().
Fixed memory leak of ZSTD_DDict instances in CFFI's ZstdDecompressor.
New Features
Bundled zstandard library upgraded from 1.1.3 to 1.3.4. This delivers various bug fixes and performance improvements. It also gives us access to newer features.
Support for negative compression levels.
Support for long distance matching (facilitates compression ratios that approach LZMA).
Support for reading empty zstandard frames (with an embedded content size of 0).
Support for writing and partial support for reading zstandard frames without a magic header.
New stream_reader() API that exposes the io.RawIOBase interface (allows you to .read() from a file-like object).
Several minor features, bug fixes, and performance enhancements.
Wheels for Linux and macOS are now provided with releases.
Changes
Functions accepting bytes data now use the buffer protocol and can accept more types (like memoryview and bytearray).
Add #includes so compilation on OS X and BSDs works.
New ZstdDecompressor.stream_reader() API to obtain a read-only i/o stream of decompressed data for a source.
New ZstdCompressor.stream_reader() API to obtain a read-only i/o stream of compressed data for a source.
Renamed ZstdDecompressor.read_from() to ZstdDecompressor.read_to_iter(). The old name is still available.
Renamed ZstdCompressor.read_from() to ZstdCompressor.read_to_iter(). read_from() is still available at its old location.
Introduce the zstandard module to import and re-export the C or CFFI backend as appropriate. Behavior can be controlled via the PYTHON_ZSTANDARD_IMPORT_POLICY environment variable. See README for usage info.
Vendored version of zstd upgraded to 1.3.4.
Added module constants CONTENTSIZE_UNKNOWN and CONTENTSIZE_ERROR.
Add STRATEGY_BTULTRA compression strategy constant.
Switch from deprecated ZSTD_getDecompressedSize() to ZSTD_getFrameContentSize() replacement.
ZstdCompressor.compress() can now compress empty inputs without requiring special handling.
ZstdCompressor and ZstdDecompressor now have a memory_size() method for determining the current memory utilization of the underlying zstd primitive.
train_dictionary() has new arguments and functionality for trying multiple variations of COVER parameters and selecting the best one.
Added module constants LDM_MINMATCH_MIN, LDM_MINMATCH_MAX, and LDM_BUCKETSIZELOG_MAX.
Converted all consumers to the zstandard new advanced API, which uses ZSTD_compress_generic()
CompressionParameters.__init__ now accepts several more arguments, including support for long distance matching.
ZstdCompressionDict.__init__ now accepts a dict_type argument that controls how the dictionary should be interpreted. This can be used to force the use of content-only dictionaries or to require the presence of the dictionary magic header.
ZstdCompressionDict.precompute_compress() can be used to precompute the compression dictionary so it can efficiently be used with multiple ZstdCompressor instances.
Digested dictionaries are now stored in ZstdCompressionDict instances, created automatically on first use, and automatically reused by all ZstdDecompressor instances bound to that dictionary.
All meaningful functions now accept keyword arguments.
ZstdDecompressor.decompressobj() now accepts a write_size argument to control how much work to perform on every decompressor invocation.
ZstdCompressor.write_to() now exposes a tell(), which exposes the total number of bytes written so far.
ZstdDecompressor.stream_reader() now supports seek() when moving forward in the stream.
Removed TARGETLENGTH_MAX constant.
Added frame_header_size(data) function.
Added frame_content_size(data) function.
Consumers of ZSTD_decompress* have been switched to the new advanced decompression API.
ZstdCompressor and ZstdCompressionParams can now be constructed with negative compression levels.
ZstdDecompressor now accepts a max_window_size argument to limit the amount of memory required for decompression operations.
FORMAT_ZSTD1 and FORMAT_ZSTD1_MAGICLESS constants to be used with the format compression parameter to control whether the frame magic header is written.
ZstdDecompressor now accepts a format argument to control the expected frame format.
ZstdCompressor now has a frame_progression() method to return information about the current compression operation.
Error messages in CFFI no longer have b'' literals.
Compiler warnings and underlying overflow issues on 32-bit platforms have been fixed.
Builds in CI now build with compiler warnings as errors. This should hopefully fix new compiler warnings from being introduced.
Make ZstdCompressor(write_content_size=True) and CompressionParameters(write_content_size=True) the default.
CompressionParameters has been renamed to ZstdCompressionParameters.
1.1.0:
This release removes the deprecated functions which were marked as remove in 1.0, but nonetheless remained:
lz4.lz4version()
LZ4FrameCompressor.finalize()
As a side effect, we no longer have a dependency on the deprecation package.
1.5.0 [2018-03-11]
==================
* Use standard cryptographic library instead of custom AES implementation.
This also simplifies the license.
* Use `clang-format` to format the source code.
* More Windows improvements.
version 1.30 - Sergey Poznyakoff, 2017-12-17
* Member names containing '..' components are now skipped when extracting.
This fixes tar's behavior to match its documentation, and is a bit
safer when extracting untrusted archives over old files (an unsafe
practice that the tar manual has long recommended against).
* Report erroneous use of position-sensitive options.
During archive creation or update, tar keeps track of positional
options (see the manual, subsection 3.4.4 "Position-Sensitive
Options"), and reports those that had no effect. For example, when
invoked as
    tar -cf a.tar . --exclude '*.o'
tar will create the archive, but will exit with status 2, having
issued the following error message
    tar: The following options were used after non-optional
    arguments in archive create or update mode.  These options are
    positional and affect only arguments that follow them.  Please,
    rearrange them properly.
    tar: --exclude '*.o' has no effect
    tar: Exiting with failure status due to previous errors
* --numeric-owner now affects private headers too.
This helps the output of 'tar' to be more deterministic.
* Fixed the --delay-directory-restore option
In some cases tar would restore the directory permissions too early,
causing subsequent link extractions in that directory to fail.
* The --warnings=failed-read option
This new warning control option suppresses warning messages about
unreadable files and directories. It has effect only if used together
with the --ignore-failed-read option.
* The --warnings=none option now suppresses all warnings
This includes warnings about unreadable files produced when
--ignore-failed-read is in effect. To output these, use
--warnings=none --warnings=no-failed-read.
* Fix reporting of hardlink mismatches during compare
Tar reported incorrect target file name in the 'Not linked to'
diagnostic message.
Changes in version 1.20:
The option '--loose-trailing', has been added.
The test used by lzip to discriminate trailing data from a corrupt
header in multimember or concatenated files has been improved to a
Hamming distance (HD) of 3, and the 3 bit flips must happen in different
magic bytes for the test to fail. As a consequence some kinds of files
no longer can be appended to a lzip file as trailing data unless the
'--loose-trailing' option is used when decompressing.
Lziprecover can be used to remove conflicting trailing data from a file.
The contents of a corrupt or truncated header found in a multimember
file are now shown, after the error message, in the same format as
trailing data.
Option '-S, --volume-size' now keeps input files unchanged.
When creating multimember files or splitting the output in volumes, the
dictionary size is now adjusted for each member individually.
The 'bits/byte' ratio has been replaced with the inverse compression
ratio in the output.
The progress of decompression is now shown at verbosity level 2 (-vv) or
higher.
Progress of (de)compression is only shown if stderr is a terminal.
A final diagnostic is now shown at verbosity level 1 (-v) or higher if
any file fails the test when testing multiple files.
A second '.lz' extension is no longer added to the argument of '-o' if
it already ends in '.lz' or '.tlz'.
In case of (de)compressed size mismatch, the stored size is now also
shown in hexadecimal to ease visual comparison.
The dictionary size is now shown at verbosity level 4 (-vvvv) when
decompressing or testing.
The new chapter "Meaning of lzip's output" has been added to the manual.
Changelog:
2018-02-02 guidod <guidod@gmx.de>
* fix a number of CVEs reported with special *.zip files
* the testsuite has been expanded to cover all the CVEs
* some minor doc updates referencing GitHub instead of sf.net
* release v0.13.68
0.23.2:
Fixes an error in the deprecated LZ4Compressor.finalize() method
Improves documentation
Has all example code in documentation verified via doctest
Skip running the regression tests since for some reason the setting
of LD_LIBRARY_PATH isn't passed down through cmake invocation; this
avoids error:
    dyld: Library not loaded: @rpath/libzip.5.dylib
      Referenced from: ${WRKSRC}/regress/../src/ziptool
      Reason: image not found
The module has bundled version 1.1.2, but the configure script warns
when using the bundled one, and it's of course better to not duplicate
it. Noticed this on recent PHP 7.1.14/7.2.2 releases which had fixes
for zip extension when used with libzip >= 1.3.1.
XXX May need backport of the fix for 7.0 and 5.6 which did not get the fix,
or can just switch over to using the PECL module directly
0.19.1:
This release adds compressed file handling capability to the lz4.frame sub-package.
This necessitated some changes to the API of lz4.frame.decompress_chunk, and some smaller changes to the LZ4FrameCompressor and LZ4FrameDecompressor classes. Please see updated documentation for further details.
This is a build-maintenance release. Major changes:
added Autotools build files
switched shared library version to libtool scheme
In this release semantic suffix and libtool suffix are the same: 1.0.2.
Don't expect them to match in future releases.
Minor changes:
BrotliDictionary members are not const now
ZopfliNode distance could be up to 128MiB
fixed API documentation typos
total_out is always set by decoder
fixed BROTLI_ENSURE_CAPACITY macro; no-op in preprocessed output
Other changes:
fixed scripts for oss-fuzz, test them with Travis
made Bazel JNI tests less messy
fixed linter warnings in JS decoder
fixed permissions of various files
added Bazel build to Appveyor matrix
added Sieve dictionary generator
0.18.2:
This release fixes a memory leak that was introduced in lz4.frame.decompress in 0.18.1. This leak resulted from an incorrect ref count on the returned result which prevented it from ever being released and garbage collected.
v1.8.1.2:
It's the same as v1.8.1, but the version number in source code has been fixed.
The version number is used in cli and documentation display, to create the full name of dynamic library, and can be requested via LZ4_versionNumber().
v1.8.1
perf : faster and stronger ultra modes (levels 10+)
perf : slightly faster compression and decompression speed
perf : fix bad degenerative case
fix : decompression failed when using a combination of extDict + low memory address
cli : support for dictionary compression (-D)
cli : fix : lz4 -d --rm preserves timestamp
cli : fix : do not modify /dev/null permission as root
api : _destSize() variant supported for all compression levels
build : make and make test compatible with -jX
build : can control LZ4LIB_VISIBILITY macro
install: fix man page directory
The actual fix has been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.