diff --git a/.gitignore b/.gitignore
index 41b1ddb..32cf204 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 /*.sig
-/*.tar.gz
 /*.tar.xz
 /xz-*/
diff --git a/colorxzgrep.sh b/colorxzgrep.sh
index cdbc14f..4a91d70 100644
--- a/colorxzgrep.sh
+++ b/colorxzgrep.sh
@@ -1,4 +1,3 @@
-# shellcheck shell=sh
 /usr/libexec/grepconf.sh -c || return
 alias xzgrep='xzgrep --color=auto' 2>/dev/null
 alias xzegrep='xzegrep --color=auto' 2>/dev/null
diff --git a/gpgkey-3690C240CE51B4670D30AD1C38EE757D69184620.asc b/gpgkey-3690C240CE51B4670D30AD1C38EE757D69184620.asc
new file mode 100644
index 0000000..44e17c1
--- /dev/null
+++ b/gpgkey-3690C240CE51B4670D30AD1C38EE757D69184620.asc
@@ -0,0 +1,75 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard +sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI +ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf +IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc +Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax +W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb +fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7 +jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9 +vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX +CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc +MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB +tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK +ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG +IAUCYEt9dQUJFxeR4wAKCRA47nV9aRhGIBNDEACxD6vJ+enZwe3IgkJh5JtLsC9b +MWCQRlPW1EVMsg96Cb5Rtron1eN1pp1TlzENJu1/C7C/VEsr9WwOPg26Men7fNf/ +O21QM9IBWd/uB0Pu333WqKh92ESS5x9ST9DrG39nVGSPkQQBMuia72VrA+crPnwT +/h/u1IN6/sff5VDIU24rUiqW2Npy733dANruj7Ny0scRXVPltnVdhqwPHt6qNjC1 +t+/cCnwHgW1BR1RYXBPpB42z/m29dL9rPrG0YPGWs2Bc+EATUICfEE6eIvwfciue +IJTjKT9Y9DrogJC2AYFhjC7N04OKdCB2hFs4BjexJwr4X0GJO7LhFl03c951AsIE +GHwrucRPB5bo2vmvQ8IvZn7CmtdUJzXv9JlyU6p+MIK1pz7TK6GgSOSffQIXZn6e +nUPtm9mEwuncOfmW8/ODYPs1gCWYgyiFJx8h7eEu+M4MxHSFBs7MwXf/Ae2fSp+M +P/p198qB8fC5oVBnF95qb0Qi0uc1D+Gb+gpBF+ymMb+s/VBOR3QWiym7AzBrJ62g +UnbC9jMLGnSRI+7p7raUfMTgXr5/oQoBw7ExJVltSSRrim2YH/t4CV47mO6dR9J3 +1RtsTFIRNhz+07XPsETcuCV/dgqeC8fOFLt9MY17Sufhb1DcGy4urZBOIhXcpTV7 +vHVj5IYH5nYOT49NRYkCOAQTAQIAIgUCTMQ5kgIbAwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AACgkQOO51fWkYRiAg4A/7BXKwoRaXrMbMPOW7vuVF7c2IKB2Yqzn1 +vLBCwuEHkqY237lDcXY4/5LR+1gcZ3Duw1n/BRSm0FBdvyX/JTWiWNSDUkKAO/0l +T2Tg44YLrDT3bzwu8dbU9xQt6kH+SCOHvv5Oe4k79l5mro6fF3H1M0bN63x/YoFY +ojy09D7/JptY82oR4f/VdKnfZLJcCViCb0wp8SD2NkDAudKg+K+7PD8HlTWklQQg 
+TZdRXxVZKIJeU42aJDqnRbAhJd64YHyClhqut9F5LUmiP5qfLfNhkKDhNOwk2Blr +BGBJkSd7wPyzcX4Mun/L6YspHjbeVMt9TD7HQlo+OOd2OjAHCx6pqwkXnzeLPEaE +cPdQ1SHgrBViAxX3DNPubLP0Knw8XwFu96EuhHZgexE1W7bB4LFsJyXAc5k1PqPD +CLsAauxmvI2OfI7opG/8wyxDvNgoPjG8fZNAgY0REqPC0JnTXChH31IxUmhNotH8 +tD3DDTZOHw05n5MwwUrEE9xiETVDfFQcMLfxZ9KLz+BC2g1t5LYublRgnCMNJzFg +sNUMM02CphABzl/LCLnumr0eyQQ/weV4twEhLwSDmqLYHL0EdYW0Y3CnnU9vmYxQ +cXKbstS71sEJJYBBmSBbf9GxkOY8BRNtwVwY0kPgxv1WqdVBiAFvfB+pyAsrax9B +3UeB7ZSwRD6JAhwEEAEKAAYFAlS25GwACgkQlbYYGy0z6ew92Q//ZA9/6piQtoW4 +PwP/1DtWGyKU8hwR+9FG669iPk/dAG+yoEJtFMOUpg/FUFmCX8Bc4oEHsCVyLxKt +DcCVUIRcYNSFi5hTZaBEbwsOlDT37gtlfIIu34hhHRccKaLnN/N9gNMNw8wGh9xg +Q/KtxZwcbk/bZIlDkKTJkFBRAekdEGAFDWb/AZOy+LQxS8ZAh1eWkfV0i8opmK9k +gPXtLE0WSsqtYyGs58z+BFE9NH3tEUwK6jSvtuLwQl4UrICNbKthcpb8WwH6UXzb +q3QNSYVOpf/cqRdBJA6bvb/ku/xyKVL08lGmxD9v1b137R7mafDAFPTsvH2Mt/0V +YuhtWav3r1Bl9QksDxt2DTS8wiWDUBetGqOVdcw7vBrXPEWDNBmxeJXsiJ7zJlR+ +9wrJOm6RV2+l1IPxu96EaPS+kTNBijKrhxb67bww8BTEWTd0wcdJmgWRkM8SIstp +IKqd0L2TFYph2/NtrBhRg+DIEPJPpSTGsUMcCEXCZPQ+cIdlQKsWpk0tZ62DlvEl +r7E+wgUSQolRfx5KrpZifiS2zQlhzdXv28CJhsVbLyw5fUAWUKIH/dCo5NKsNLk2 +Lc5DH9VWnFgxAAtW290FqeK/4ulMq7Vs1dQSwyHM2Ni3QqqeaiOrh8gbSY5CMLFN +Y3HYRwuTYPa3AobsozCzBj0Zdf/6AFe5Ag0ETMQ5kgEQAL/FwKdjxgPxtSpgq1SM +zgZtTTyLqhgGD3NZfadHWHYRIL38NDV3JeTA79Y2zj2dj7KQPDT+0aqeizTV2E3j +P3iCQ53VOT4consBaQAgKexpptnS+T1DobtICFJ0GGzf0HRj6KO2zSOuOitWPWlU +wbvX7M0LLI2+hqlx0jTPqbJFZ/Za6KTtbS6xdCPVUpUqYZQpokEZcwQmUp8Q+lGo +JD2sNYCZyap63X/aAOgCGr2RXYddOH5e8vGzGW+mwtCv+WQ9Ay35mGqI5MqkbZd1 +Qbuv2b1647E/QEEucfRHVbJVKGGPpFMUJtcItyyIt5jo+r9CCL4Cs47dF/9/RNwu +NvpvHXUyqMBQdWNZRMx4k/NGD/WviPi9m6mIMui6rOQsSOaqYdcUX4Nq2Orr3Oaz +2JPQdUfeI23iot1vK8hxvUCQTV3HfJghizN6spVl0yQOKBiE8miJRgrjHilH3hTb +xoo42xDkNAq+CQo3QAm1ibDxKCDq0RcWPjcCRAN/Q5MmpcodpdKkzV0yGIS4g7s5 +frVrgV/kox2r4/Yxsr8K909+4H82AjTKGX/BmsQFCTAqBk6p7I0zxjIqJ/w33TZB +Q0Pn4r3WIlUPafzY6a9/LAvN1fHRxf9SpCByJsszD03Qu5f5TB8gthsdnVmTo7jj +iordEKMtw2aEMLzdWWTQ/TNVABEBAAGJAjwEGAEKACYCGwwWIQQ2kMJAzlG0Zw0w 
+rRw47nV9aRhGIAUCYEt9YAUJFxeRzgAKCRA47nV9aRhGIMLtD/9HuKM4pngImcuz +YwzQmdv4j26YYyh4jVsKEmVWTiRcehEgUIlrWkCu3qzd5NK+RetS7kJ8MPnzEUfj +YbpdC6yrF6n1mSrZZ4VJMkV2ev37bIgXM+Wp1mCAGbjNxQnjn9RabT/gjIqmGuRn +AP7RsSeOSuO/gO9h2Pteciz23ussTilB+8cTooQEQQZe6Kv/zukvL+ccSehLHsZ7 +qVfRUAmtt8nFkXXE+s8jfLfhqstaI2/RJu5witaPcXM8Mnz2E95aASAbZy0eQot9 +0Pvf07n9yuC3tueTvzvlXx3h5U3yT44tIOmzANIQjay1TGdm+RBJ2ZYyhyLawlZ2 +NVUXXSp4QZZXPA0UWbF+pb7Q9cdKDNFVuvGBljuea0Yd0T2o+ibDq43HziX9ll+l +SXk9mqvW1UcDOaxWrSsm1Gc1O9g3wqH5xHAhtY8GPh/7VgAawskPkmnlkMW6pYPy +zibbeISJL1gd1jIT63y6aoVrtNoo+wYJm280ROflh4+5QOo6QJ+jm70fkXSG/qJ5 +a8/qCPTHkJc/rpkL6/TDQAJURi9RhDAC0gb40HtusbN1LZEA+i0cWTmYXap+DB4Y +R4pApilpaG87M+VUokR4xpnx7vTb2MPa7Mdenvi9FEGnKXadmT8038vlfzz5GGUT +MlVin9BQPTpdA+PpRiJvKJgVDeAFOg== +=asTC +-----END PGP PUBLIC KEY BLOCK----- diff --git a/lasse_collin_pubkey.txt b/lasse_collin_pubkey.txt deleted file mode 100644 index 4a391c6..0000000 --- a/lasse_collin_pubkey.txt +++ /dev/null 
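Review bot: Nothing in the commit records how this key block was checked against the fingerprint in its file name, yet the file is the sole trust anchor for both `%{gpgverify}` calls in `%prep` (the tarball and the xzgrep patch). As far as I know the macro accepts a good signature from any key present in the keyring file, so it should be confirmed that the block holds only the expected primary key and its subkey. I would add a comment above `Source2` in xz.spec such as `# fingerprint compared out of band; inspect with: gpg --show-keys gpgkey-3690C240CE51B4670D30AD1C38EE757D69184620.asc`, and name in the commit message the independent source the fingerprint was compared with.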
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard -sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI -ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf -IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc -Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax -W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb -fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7 -jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9 -vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX -CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc -MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB -tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK -ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG -IAUCZZwJyQUJGuHiNwAKCRA47nV9aRhGIE4qD/4jdFTe3WPpLgvz/jdlbnSZxr7q -OS6H/ZJFENHO4SbavXdoXLtj+t6/lqWq890Js8IpWaaiJLowzW1xJMEg99W6k0KD -3pHUbwPxf0GCSAt/W4JYxdTj+1ggdHjx5yBAmOakjnOH+ZDKQNBnDOI6ghf3ew+H -9z/b0mQX3rlQbtoqSPZtuDOdFcjCOSwEyqdV+9eNqnv2CoKZkiGoUB1WGCbqKUkY -KiUJ3WldmPQ5RQYjEi7zZWVac1VuwBA0XOku+W4cCJ5DnPyK7CtMwC84VvaodlOX -UAK3Y5BIZpZM2Rk6yMX5lFDA5nA8UuHJQRDjTVmh3BIdgRvp0ZV6ogtqNE7RifpW -aBWDIsCkimcbCJJM+edOLiVZog+ia1Ts8zu33wj7Tnvp5znLc8NLZIqwu1HKLS97 -m+Yf5oC3ObTZtXbVF+OglWe/3ljLHdL2bJxNdtcVlChSNPUW3fgLHk9Fzrlnqdab -tSGwI/0Ryt00cKjRiMOagTn5Nly6boCtgGYdQafQoSrs3eQjnWVgbNYDMgPyl4k+ -Q5RJLEY7AvtXo7FUEgOTfr9PWmjmc2JzGpxbtwl6sQi6yLrBZTRf1Xao2OjOje6G -XdUbXNmgOv16sWxcI0s4lX1z28BgHQfwXhBFBRjw2Sy+6TfFXjX24thcpMwvyJ3c -xhMtdY4N4jyfRjYe8LkCDQRMxDmSARAAv8XAp2PGA/G1KmCrVIzOBm1NPIuqGAYP -c1l9p0dYdhEgvfw0NXcl5MDv1jbOPZ2PspA8NP7Rqp6LNNXYTeM/eIJDndU5Phyi -ewFpACAp7Gmm2dL5PUOhu0gIUnQYbN/QdGPoo7bNI646K1Y9aVTBu9fszQssjb6G -qXHSNM+pskVn9lropO1tLrF0I9VSlSphlCmiQRlzBCZSnxD6UagkPaw1gJnJqnrd -f9oA6AIavZFdh104fl7y8bMZb6bC0K/5ZD0DLfmYaojkyqRtl3VBu6/ZvXrjsT9A 
-QS5x9EdVslUoYY+kUxQm1wi3LIi3mOj6v0IIvgKzjt0X/39E3C42+m8ddTKowFB1 -Y1lEzHiT80YP9a+I+L2bqYgy6Lqs5CxI5qph1xRfg2rY6uvc5rPYk9B1R94jbeKi -3W8ryHG9QJBNXcd8mCGLM3qylWXTJA4oGITyaIlGCuMeKUfeFNvGijjbEOQ0Cr4J -CjdACbWJsPEoIOrRFxY+NwJEA39Dkyalyh2l0qTNXTIYhLiDuzl+tWuBX+SjHavj -9jGyvwr3T37gfzYCNMoZf8GaxAUJMCoGTqnsjTPGMion/DfdNkFDQ+fivdYiVQ9p -/Njpr38sC83V8dHF/1KkIHImyzMPTdC7l/lMHyC2Gx2dWZOjuOOKit0Qoy3DZoQw -vN1ZZND9M1UAEQEAAYkCPAQYAQoAJgIbDBYhBDaQwkDOUbRnDTCtHDjudX1pGEYg -BQJlnAmyBQka4eIgAAoJEDjudX1pGEYguyYQAJo+5SnMMdu+d70mWfUb9PZg7P5C -GRepHnckx9Sis5oR5s7NNl5j5Yy4J1UwsmrP+mn52ujqewkkVsCq65NGQQx7+tkw -uKGvnGBkHdrI+aJk86qLMf4DlnNJEmN8t5jTGQfRLbFVf2I8EY6qXAzCSmL9Zs++ -rDUz65GOTB1EP0XmBRsuVYRfDbFezrPQH0JDucbXFi/2BDnl2/Mk9NBoQ0CvB4oG -tLDiQZ+jV7n1VXXJ1faD9s7i0hOTdcG6rlyIqi/LyAzdCnOYTkmv3U1kdmzkvrh1 -KEiejnM5fj27RE2v191vh3hgZ+X5+uwjNTP0QC4qP8XykQOAA8usOMVZ72lyXCAk -wiUcRdrAXLN/XbIFNcQ3m4d3W6t60Gk09wFlUKaEltDMlPUsxiSG3qFwFGPBP6UV -h3mjJMAl1jltLrR7ybez0SczfrcAtdCsKTvgzV9W2TzUfK2R9PBanmXTXK2M7yU3 -IquHt3Je4aSP7XYb5D+ajlbFNvnXOYcai8WryfC5nLAfV4MbPX+UlRaYCqqHVhut -gK93re1L5mMI3zjG5Ri5jLpUA9toSJCIJIY5zwr/8LL/ZL4TixXlouA17yjkpY/e -Bjs8cNj1O3aM4jY2FKCS8UbfxOiARk/5kBMRPEZ/mqpMQttzE8KVjOv6fRxy/eVE -888/gToe5kb8qYwy -=6rZC ------END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index f0abd9a..1103c39 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,3 @@
-SHA512 (xz-5.8.2.tar.gz) = 0b808fc8407e7c50da3a7b2db05be732c2fcd41850b92c7f5647181443483848ff359e176c816ce2038c115273f51575877c14f1356417cc9d53845841acb063
-SHA512 (xz-5.8.2.tar.gz.sig) = 91c8d49d8ad0eb1e128203cf2c051fb200ec0e2b5eebea10a39945a998d24f11652a000faefa688d129327593043271314cbf115d78c21eeed738476dd2defb6
+SHA512 (xz-5.2.5.tar.xz) = 59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb
+SHA512 (xz-5.2.5.tar.xz.sig) = ea0218ac25843c8b44686871fba573809618f074465ec52f5966a082aeeb5e01bd646d462a56a6af7a786e1c69a05b135a6735ad1f3be27daecf3a2f9be865a5
+SHA512 (xzgrep-ZDI-CAN-16587.patch.sig) = 527c2702cf3ff3ddee6e49feb6d2305e4e9cd786f856b25f0cb5776df1341c5a960ba54c179cb27c507011e1223baf4a10de8a546199806ff96f531f62b9f136
diff --git a/xz-5.2.5-enable_CET.patch b/xz-5.2.5-enable_CET.patch
new file mode 100644
index 0000000..e0b3265
--- /dev/null
+++ b/xz-5.2.5-enable_CET.patch
@@ -0,0 +1,70 @@
+From: H.J. Lu
+Date: Wed, 23 Dec 2020 15:49:04 +0100 (06:49 -0800)
+Subject: [PATCH] liblzma: Enable Intel CET in x86 CRC assembly codes
+
+When Intel CET is enabled, we need to include in assembly codes
+to mark Intel CET support and add _CET_ENDBR to indirect jump targets.
+
+Tested on Intel Tiger Lake under CET enabled Linux.
+---
+ src/liblzma/check/crc32_x86.S | 9 +++++++++
+ src/liblzma/check/crc64_x86.S | 9 +++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/src/liblzma/check/crc32_x86.S b/src/liblzma/check/crc32_x86.S
+index 67f68a4..e3745e6 100644
+--- a/src/liblzma/check/crc32_x86.S
++++ b/src/liblzma/check/crc32_x86.S
+@@ -51,6 +51,14 @@ init_table(void)
+ * extern uint32_t lzma_crc32(const uint8_t *buf, size_t size, uint32_t crc);
+ */
+
++/* When Intel CET is enabled, include in assembly code to mark
++ Intel CET support. */
++#ifdef __CET__
++# include
++#else
++# define _CET_ENDBR
++#endif
++
+ /*
+ * On some systems, the functions need to be prefixed. The prefix is
+ * usually an underscore.
+@@ -83,6 +91,7 @@ init_table(void)
+
+ ALIGN(4, 16)
+ LZMA_CRC32:
++ _CET_ENDBR
+ /*
+ * Register usage:
+ * %eax crc
+diff --git a/src/liblzma/check/crc64_x86.S b/src/liblzma/check/crc64_x86.S
+index f5bb84b..7ee08f6 100644
+--- a/src/liblzma/check/crc64_x86.S
++++ b/src/liblzma/check/crc64_x86.S
+@@ -41,6 +41,14 @@ init_table(void)
+ * extern uint64_t lzma_crc64(const uint8_t *buf, size_t size, uint64_t crc);
+ */
+
++/* When Intel CET is enabled, include in assembly code to mark
++ Intel CET support. */
++#ifdef __CET__
++# include
++#else
++# define _CET_ENDBR
++#endif
++
+ /*
+ * On some systems, the functions need to be prefixed. The prefix is
+ * usually an underscore.
+@@ -73,6 +81,7 @@ init_table(void)
+
+ ALIGN(4, 16)
+ LZMA_CRC64:
++ _CET_ENDBR
+ /*
+ * Register usage:
+ * %eax crc LSB
+--
+2.26.0
+
diff --git a/xz.spec b/xz.spec
index d75d810..ab00323 100644
--- a/xz.spec
+++ b/xz.spec
@@ -3,29 +3,31 @@ Summary: LZMA compression utilities Name: xz -Epoch: 1 -Version: 5.8.2 -Release: 1%{?dist} - -# liblzma - 0BSD -# xz{,dec}, lzma{dec,info} - 0BSD -# - getopt_long - LGPL-2.1-or-later - not built in Fedora -# xz{grep,diff,less,more} - GPL-2.0-or-later -# docs - BSD0 AND LicenseRef-Fedora-Public-Domain -# man pages and translations - 0BSD AND LicenseRef-Fedora-Public-Domain -# See: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/547 -License: 0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain +Version: 5.2.5 +Release: 9%{?dist} +# Scripts xz{grep,diff,less,more} and symlinks (copied from gzip) are +# GPLv2+, binaries are Public Domain (linked against LGPL getopt_long but its +# OK), documentation is Public Domain. +License: GPLv2+ and Public Domain # official upstream release -Source0: https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz -Source1: https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sig -Source2: https://tukaani.org/misc/lasse_collin_pubkey.txt +Source0: https://tukaani.org/%{name}/%{name}-%{version}.tar.xz +Source1: https://tukaani.org/%{name}/%{name}-%{version}.tar.xz.sig +# https://tukaani.org/misc/lasse_collin_pubkey.txt +Source2: gpgkey-3690C240CE51B4670D30AD1C38EE757D69184620.asc +# Signature for Patch2 +Source3: https://tukaani.org/%{name}/xzgrep-ZDI-CAN-16587.patch.sig Source100: colorxzgrep.sh Source101: colorxzgrep.csh +Patch1: xz-5.2.5-enable_CET.patch +# xzgrep: arbitrary-file-write vulnerability (CVE-2022-1271) +# NOTE: Source3 contains the upstream signature for this patch +Patch2: https://tukaani.org/%{name}/xzgrep-ZDI-CAN-16587.patch + URL: https://tukaani.org/%{name}/ -Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} # For /usr/libexec/grepconf.sh (RHBZ#1189120). # Unfortunately F21 has a newer version of grep which doesn't 
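Review bot: `Patch1: xz-5.2.5-enable_CET.patch` is the only build input added in this hunk with neither an origin comment nor a signature check; Source0 and Patch2 are both verified in `%prep`, while Patch1 rests on dist-git review alone. A line above it such as `# liblzma: enable Intel CET in the x86 CRC assembly; origin: <upstream commit URL or id>` would let a later reviewer compare the carried copy with its source. Separately, the hunk removes `Epoch: 1` and the matching `%{epoch}:` in `Requires`: if any build carrying that epoch has shipped on the branch this targets, 5.2.5-9 sorts below it and will not be offered as an update, so confirm the target branch never had the epoch.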
@@ -36,7 +38,6 @@ BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 BuildRequires: perl-interpreter -BuildRequires: autoconf automake libtool gettext-devel %description @@ -52,7 +53,7 @@ decompression speed fast. %package libs Summary: Libraries for decoding LZMA compression -License: 0BSD +License: Public Domain Obsoletes: %{name}-compat-libs < %{version}-%{release} %description libs @@ -61,7 +62,7 @@ Libraries for decoding files compressed with LZMA or XZ utils. %package static Summary: Statically linked library for decoding LZMA compression -License: 0BSD +License: Public Domain %description static Statically linked library for decoding files compressed with LZMA or @@ -70,8 +71,8 @@ XZ utils. Most users should *not* install this. %package devel Summary: Devel libraries & headers for liblzma -License: 0BSD -Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +License: Public Domain +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description devel Devel libraries and headers for liblzma. @@ -79,9 +80,9 @@ Devel libraries and headers for liblzma. %package lzma-compat Summary: Older LZMA format compatibility binaries -# Just a set of symlinks to some files in the 'xz' package. -License: 0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain -Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} +# Just a set of symlinks to 'xz' + two Public Domain binaries. +License: Public Domain +Requires: %{name}%{?_isa} = %{version}-%{release} Obsoletes: lzma < %{version} Provides: lzma = %{version} @@ -92,8 +93,8 @@ commands that deal with the older LZMA format. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE3}' --data='%{PATCH2}' %autosetup -p1 -autoreconf -fi %build 
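Review bot: With `autoreconf -fi` removed from `%prep` (and the autotools `BuildRequires` dropped in the first hunk on this line), the build runs the `configure` script and other generated files exactly as shipped in the release tarball. The `%{gpgverify}` check shows the tarball is what the key holder signed; it does not show that the generated files correspond to the `configure.ac` and m4 sources beside them. Neither carried patch touches autotools input, so regeneration is not needed for correctness, but I would either keep `autoreconf -fi` together with `BuildRequires: autoconf automake libtool gettext-devel`, or add a comment in `%prep` stating that the pre-generated build system is used on purpose.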
@@ -136,15 +137,7 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %exclude %_pkgdocdir/examples* %{_bindir}/*xz* %{_mandir}/man1/*xz* -%lang(de) %{_mandir}/de/man1/*xz* -%lang(fr) %{_mandir}/fr/man1/*xz* -%lang(it) %{_mandir}/it/man1/*xz* -%lang(ko) %{_mandir}/ko/man1/*xz* -%lang(pt_BR) %{_mandir}/pt_BR/man1/*xz* -%lang(ro) %{_mandir}/ro/man1/*xz* -%lang(sr) %{_mandir}/sr/man1/*xz* -%lang(sv) %{_mandir}/sv/man1/*xz* -%lang(uk) %{_mandir}/uk/man1/*xz* +%{_mandir}/de/man1/*xz* %{profiledir}/* 
@@ -170,122 +163,10 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %files lzma-compat %{_bindir}/*lz* %{_mandir}/man1/*lz* -%lang(de) %{_mandir}/de/man1/*lz* -%lang(fr) %{_mandir}/fr/man1/*lz* -%lang(it) %{_mandir}/it/man1/*lz* -%lang(ko) %{_mandir}/ko/man1/*lz* -%lang(pt_BR) %{_mandir}/pt_BR/man1/*lz* -%lang(ro) %{_mandir}/ro/man1/*lz* -%lang(sr) %{_mandir}/sr/man1/*lz* -%lang(sv) %{_mandir}/sv/man1/*lz* -%lang(uk) %{_mandir}/uk/man1/*lz* +%{_mandir}/de/man1/*lz* %changelog -* Mon Jan 05 2026 Richard W.M. Jones - 1:5.8.2-1 -- New upstream version 5.8.2 (RHBZ#2423317) -- Remove patches which are included in this release. - -* Sun Nov 23 2025 Richard W.M. Jones - 1:5.8.1-4 -- Add final workaround for "Failed to enable the sandbox" (RHEL-125143) - -* Sat Nov 22 2025 Richard W.M. Jones - 1:5.8.1-3 -- Add workaround for "Failed to enable the sandbox" (RHEL-125143) - -* Thu Apr 24 2025 Adam Williamson - 1:5.8.1-2 -- Empty rebuild to try and fix gating issue - -* Thu Apr 03 2025 Richard W.M. Jones - 1:5.8.1-1 -- New upstream version 5.8.1 -- Fixes CVE-2025-31115 heap-use-after-free bug in threaded .xz decoder - -* Wed Mar 26 2025 Jakub Martisko - 1:5.8.0-1 -- New upstream version 5.8.0 -Resolves: rhbz#2341818 - -* Sun Jan 19 2025 Fedora Release Engineering - 1:5.6.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Fri Oct 11 2024 Richard W.M. Jones - 1:5.6.3-2 -- perl-Compress-Raw-Lzma dep has been removed, rebuild - https://src.fedoraproject.org/rpms/perl-Compress-Raw-Lzma/pull-request/3 - -* Wed Oct 02 2024 Richard W.M. Jones - 1:5.6.3-1 -- New upstream version 5.6.3 (RHBZ#2316069) - -* Thu Aug 08 2024 Lukáš Zaoral - 1:5.6.2-3 -- fix licenses and finish SPDX license conversion - -* Sat Jul 20 2024 Fedora Release Engineering - 1:5.6.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Thu Jun 20 2024 Richard W.M. 
Jones - 1:5.6.2-1 -- New upstream version 5.6.2 (RHBZ#2283854) -- Remove "Jia Tan" pubkey, replace with Lasse Collin's. - -* Thu Mar 28 2024 Richard W.M. Jones - 1:5.4.6-3 -- Revert to 5.4.6, bump epoch - -* Sat Mar 09 2024 Richard W.M. Jones - 5.6.1-1 -- New version 5.6.1 (RHBZ#2267598) -- Reenable ifunc as it is supposed to be fixed in 5.6.1. - -* Mon Mar 04 2024 Richard W.M. Jones - 5.6.0-3 -- --disable-ifunc (workaround for 2267598) - -* Thu Feb 29 2024 Adam Williamson - 5.6.0-2 -- Rebuild on a side tag to create a coherent update - -* Tue Feb 27 2024 Jindrich Novy - 5.6.0-1 -- Rebase to version 5.6.0 - -* Mon Jan 29 2024 Richard W.M. Jones - 5.4.6-1 -- New version 5.4.6 (RHBZ#2260521) -- Fix Source URLs. - -* Sat Jan 27 2024 Fedora Release Engineering - 5.4.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Nov 01 2023 Richard W.M. Jones - 5.4.5-1 -- New version 5.4.5 (RHBZ#2247487) - -* Thu Oct 19 2023 Debarshi Ray - 5.4.4-2 -- Mark translations of manuals with %%lang() - -* Wed Aug 02 2023 Richard W.M. Jones - 5.4.4-1 -- New version 5.4.4 (RHBZ#2228542) - -* Sat Jul 22 2023 Fedora Release Engineering - 5.4.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu May 04 2023 Richard W.M. Jones - 5.4.3-1 -- Rebase to version 5.4.3 (RHBZ#2179570) -- Update the pubkey which appears to have changed. - -* Mon Apr 17 2023 Matej Mužila - 5.4.2-1 -- Rebase to version 5.4.2 (#2179570) - -* Mon Jan 23 2023 Richard W.M. Jones - 5.4.1-1 -- Rebase to version 5.4.1 (#2142405) - -* Sat Jan 21 2023 Fedora Release Engineering - 5.2.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Thu Dec 01 2022 Richard W.M. 
Jones - 5.2.9-1 -- Rebase to version 5.2.9 (#2142405) - -* Tue Nov 22 2022 Matej Mužila - 5.2.8-1 -- Rebase to version 5.2.8 (#2142405) - -* Tue Aug 30 2022 Matej Mužila - 5.2.7-1 -- Rebase to version 5.2.7 (#2131313) - -* Tue Aug 30 2022 Matej Mužila - 5.2.6-1 -- Rebase to version 5.2.6 (#2117931) - -* Sat Jul 23 2022 Fedora Release Engineering - 5.2.5-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - * Sat Apr 16 2022 Todd Zullinger - 5.2.5-9 - verify upstream GPG signature - xzgrep: arbitrary-file-write vulnerability (#2073310, CVE-2022-1271) @@ -353,7 +234,6 @@ Resolves: rhbz#2341818 - Cleanup spec * Thu Aug 03 2017 Fedora Release Engineering - 5.2.3-4 - - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild * Thu Jul 27 2017 Fedora Release Engineering - 5.2.3-3 diff --git a/xzgrep-ZDI-CAN-16587.patch b/xzgrep-ZDI-CAN-16587.patch new file mode 100644 index 0000000..406ded5 --- /dev/null +++ b/xzgrep-ZDI-CAN-16587.patch 
@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \ is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index b180936..e5186ba 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-
+--
+2.35.1
+
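Review bot: Nothing visible in this package exercises the rewritten escaping (`LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/'` feeding `sed_script="s|^|$i|"`), so a later rebase that drops or mis-applies Patch2 would still build and, as far as this page shows, pass `make check`. A short `%check` step in xz.spec that runs the built `xzgrep` over two compressed files whose names contain the characters this patch escapes (`&`, `|`, `\`, newline), and asserts that every output line is prefixed with the literal file name, would catch that regression. The patch file itself has to stay byte-identical to upstream because `%{gpgverify}` checks it against Source3, so the test belongs in the spec, not here. The enclosing `for i; do` loop starts and ends outside the inner hunk.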