From c19b7d7f71a18408ec77171f3ff89492fc3d5081 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 14 Apr 2025 10:56:26 +0100 Subject: [PATCH 1/8] Remove accidental ANSI escape sequence in comment Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2359454 --- xz.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xz.spec b/xz.spec index ea1edae..c13497b 100644 --- a/xz.spec +++ b/xz.spec @@ -11,7 +11,7 @@ Release: 1%{?dist} # xz{,dec}, lzma{dec,info} - 0BSD # - getopt_long - LGPL-2.1-or-later - not built in Fedora # xz{grep,diff,less,more} - GPL-2.0-or-later -# docs - BSD0 AND LicenseRef-Fedora-Public-Domain +# docs - BSD0 AND LicenseRef-Fedora-Public-Domain # man pages and translations - 0BSD AND LicenseRef-Fedora-Public-Domain # See: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/547 License: 0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain From 781e3e45cdbf645fd6c374f03a2e3800299918cb Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Wed, 23 Apr 2025 23:32:23 -0700 Subject: [PATCH 2/8] drop gating.yaml the gate on rpmdeplint was added to guard against the strict version tie in perl-Compress-Raw-Lzma, but we were able to remove that recently, so it's no longer an issue. The gate causes a problem because rpmdeplint is only run on Rawhide, but the policy was written to apply the gate to all branches, so this prevents updates for non-Rawhide branches from going stable. For simplicity's sake, let's just get rid of it. --- gating.yaml | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 gating.yaml diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index 70ba11e..0000000 --- a/gating.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- !Policy -product_versions: - - fedora-* -decision_context: bodhi_update_push_stable -subject_type: koji_build -rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional} From 93e837ea6db3aeade3e6fbec5666174faf5f9ff6 Mon Sep 17 00:00:00 2001 From: Siteshwar Vashisht Date: Thu, 8 May 2025 10:23:58 +0200 Subject: [PATCH 3/8] Fix a shellcheck warning Error: SHELLCHECK_WARNING (CWE-758): [#def1] /etc/profile.d/colorxzgrep.sh:1:1: error[SC2148]: Tips depend on target shell and yours is unknown. Add a shebang or a 'shell' directive. Related: https://github.com/tukaani-project/xz/issues/174#issuecomment-2848635721 Signed-off-by: Siteshwar Vashisht --- colorxzgrep.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/colorxzgrep.sh b/colorxzgrep.sh index 4a91d70..cdbc14f 100644 --- a/colorxzgrep.sh +++ b/colorxzgrep.sh @@ -1,3 +1,4 @@ +# shellcheck shell=sh /usr/libexec/grepconf.sh -c || return alias xzgrep='xzgrep --color=auto' 2>/dev/null alias xzegrep='xzegrep --color=auto' 2>/dev/null From b7202e887415c38a857bffe8036b37fd65ad95b6 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 24 Apr 2025 09:34:17 -0700 Subject: [PATCH 4/8] Empty rebuild to try and fix gating issue --- xz.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xz.spec b/xz.spec index c13497b..64f2231 100644 --- a/xz.spec +++ b/xz.spec @@ -5,7 +5,7 @@ Summary: LZMA compression utilities Name: xz Epoch: 1 Version: 5.8.1 -Release: 1%{?dist} +Release: 2%{?dist} # liblzma - 0BSD # xz{,dec}, lzma{dec,info} - 0BSD @@ -180,6 +180,9 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %changelog +* Thu Apr 24 2025 Adam Williamson - 1:5.8.1-2 +- Empty rebuild to try and fix gating issue + * Thu Apr 03 2025 Richard W.M. Jones - 1:5.8.1-1 - New upstream version 5.8.1 - Fixes CVE-2025-31115 heap-use-after-free bug in threaded .xz decoder From 6b51ecaa475fc01fa36a320e6393a0db23ebfcdd Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Sat, 22 Nov 2025 19:32:47 +0000 Subject: [PATCH 5/8] Add workaround for "Failed to enable the sandbox" (RHEL-125143) Thanks: Lasse Collin --- 0001-Landlock-Cache-the-ABI-version.patch | 46 +++++++++++ ...ck-Workaround-a-bug-in-RHEL-9-kernel.patch | 80 +++++++++++++++++++ xz.spec | 11 ++- 3 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 0001-Landlock-Cache-the-ABI-version.patch create mode 100644 0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch diff --git a/0001-Landlock-Cache-the-ABI-version.patch b/0001-Landlock-Cache-the-ABI-version.patch new file mode 100644 index 0000000..137629d --- /dev/null +++ b/0001-Landlock-Cache-the-ABI-version.patch @@ -0,0 +1,46 @@ +From 19daf4ace85df69a6582375f1f2329205fe7e92f Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Sat, 22 Nov 2025 12:57:51 +0200 +Subject: [PATCH 1/2] Landlock: Cache the ABI version + +In xz it can avoid up to two syscalls that query the ABI version. +--- + src/common/my_landlock.h | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h +index e135d08c..379d7bd4 100644 +--- a/src/common/my_landlock.h ++++ b/src/common/my_landlock.h +@@ -4,6 +4,10 @@ + // + /// \file my_landlock.h + /// \brief Linux Landlock sandbox helper functions ++/// ++/// \note This uses static variables to cache the Landlock ABI version. ++/// Only one file in an application should include this header. ++/// Only one thread should call these functions. + // + // Author: Lasse Collin + // +@@ -32,8 +36,16 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) + { + memzero(attr, sizeof(*attr)); + +- const int abi_version = syscall(SYS_landlock_create_ruleset, ++ // Cache the Landlock ABI version: ++ // 0 = not checked yet ++ // -1 = Landlock not supported ++ // >0 = Landlock ABI version ++ static int abi_version = 0; ++ ++ if (abi_version == 0) ++ abi_version = syscall(SYS_landlock_create_ruleset, + (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); ++ + if (abi_version <= 0) + return -1; + +-- +2.47.3 + diff --git a/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch b/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch new file mode 100644 index 0000000..926351c --- /dev/null +++ b/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch @@ -0,0 +1,80 @@ +From d18502bc62f49c626900994cf5a2b940b3c56cdf Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Sat, 22 Nov 2025 13:21:06 +0200 +Subject: [PATCH 2/2] Landlock: Workaround a bug in RHEL 9 kernel + +RHEL 9 kernel since 5.14.0-603.el9 (2025-07-30) claims to support +Landlock ABI version 6, but it lacks support for LANDLOCK_SCOPE_SIGNAL. +The issue is still present in 5.14.0-642.el9 (2025-11-20). + +If one runs xz 5.8.0 or 5.8.1 from some other distribution in a container +on RHEL 9, xz will fail with the message "Failed to enable the sandbox". +The sandbox is meant to be transparent to users, thus there isn't and +won't be a command line option to disable it. Instead, add a workaround +to keep xz working on the buggy RHEL 9 kernels. + +Fixes: https://github.com/tukaani-project/xz/issues/199 +Link: https://issues.redhat.com/browse/RHEL-125143 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2407105 +--- + src/common/my_landlock.h | 27 ++++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h +index 379d7bd4..a11077c4 100644 +--- a/src/common/my_landlock.h ++++ b/src/common/my_landlock.h +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + + /// \brief Initialize Landlock ruleset attributes to forbid everything +@@ -42,10 +43,28 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) + // >0 = Landlock ABI version + static int abi_version = 0; + +- if (abi_version == 0) ++ // Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30) ++ // claims ABI version 6 support, but as of 5.14.0-642.el9 (2025-11-20) ++ // it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream ++ // Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports. ++ // We assume that any kernel version 5.14 with ABI version 6 is buggy. ++ static bool is_rhel9 = false; ++ ++ if (abi_version == 0) { + abi_version = syscall(SYS_landlock_create_ruleset, + (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + ++ if (abi_version == 6) { ++ static const char rel[] = "5.14."; ++ const size_t rel_len = sizeof(rel) - 1; ++ ++ struct utsname un; ++ if (uname(&un) == 0 && strncmp( ++ un.release, rel, rel_len) == 0) ++ is_rhel9 = true; ++ } ++ } ++ + if (abi_version <= 0) + return -1; + +@@ -121,6 +140,12 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) + #endif + FALLTHROUGH; + ++ case 6: ++ if (is_rhel9) ++ attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL; ++ ++ FALLTHROUGH; ++ + default: + // We only know about the features of the ABIs 1-6. + break; +-- +2.47.3 + diff --git a/xz.spec b/xz.spec index 64f2231..2623b1f 100644 --- a/xz.spec +++ b/xz.spec @@ -5,7 +5,7 @@ Summary: LZMA compression utilities Name: xz Epoch: 1 Version: 5.8.1 -Release: 2%{?dist} +Release: 3%{?dist} # liblzma - 0BSD # xz{,dec}, lzma{dec,info} - 0BSD @@ -24,6 +24,12 @@ Source2: https://tukaani.org/misc/lasse_collin_pubkey.txt Source100: colorxzgrep.sh Source101: colorxzgrep.csh +# https://github.com/tukaani-project/xz/issues/199 +# https://issues.redhat.com/browse/RHEL-125143 +# (Upstream, but in the rhel9landlock branch) +Patch: 0001-Landlock-Cache-the-ABI-version.patch +Patch: 0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch + URL: https://tukaani.org/%{name}/ Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -180,6 +186,9 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %changelog +* Sat Nov 22 2025 Richard W.M. Jones - 1:5.8.1-3 +- Add workaround for "Failed to enable the sandbox" (RHEL-125143) + * Thu Apr 24 2025 Adam Williamson - 1:5.8.1-2 - Empty rebuild to try and fix gating issue From 4dbfb6665e5f3442572c735c859a245125bd563f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Sun, 23 Nov 2025 19:09:03 +0000 Subject: [PATCH 6/8] Add final workaround for "Failed to enable the sandbox" (RHEL-125143) --- 0001-Landlock-Cache-the-ABI-version.patch | 8 +-- ...ck-Workaround-a-bug-in-RHEL-9-kernel.patch | 27 +++++---- 0004-Landlock-Add-missing-ifdefs.patch | 59 +++++++++++++++++++ xz.spec | 9 ++- 4 files changed, 87 insertions(+), 16 deletions(-) create mode 100644 0004-Landlock-Add-missing-ifdefs.patch diff --git a/0001-Landlock-Cache-the-ABI-version.patch b/0001-Landlock-Cache-the-ABI-version.patch index 137629d..0caa634 100644 --- a/0001-Landlock-Cache-the-ABI-version.patch +++ b/0001-Landlock-Cache-the-ABI-version.patch @@ -1,7 +1,7 @@ -From 19daf4ace85df69a6582375f1f2329205fe7e92f Mon Sep 17 00:00:00 2001 +From ee75c76958dd891906745125590563ab64e85995 Mon Sep 17 00:00:00 2001 From: Lasse Collin -Date: Sat, 22 Nov 2025 12:57:51 +0200 -Subject: [PATCH 1/2] Landlock: Cache the ABI version +Date: Sun, 23 Nov 2025 20:13:37 +0200 +Subject: [PATCH 1/4] Landlock: Cache the ABI version In xz it can avoid up to two syscalls that query the ABI version. --- @@ -42,5 +42,5 @@ index e135d08c..379d7bd4 100644 return -1; -- -2.47.3 +2.51.1 diff --git a/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch b/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch index 926351c..ec3fe51 100644 --- a/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch +++ b/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch @@ -1,27 +1,34 @@ -From d18502bc62f49c626900994cf5a2b940b3c56cdf Mon Sep 17 00:00:00 2001 +From 2b2652e914b1c38d4c009a8dcac11dfee9c7e008 Mon Sep 17 00:00:00 2001 From: Lasse Collin -Date: Sat, 22 Nov 2025 13:21:06 +0200 -Subject: [PATCH 2/2] Landlock: Workaround a bug in RHEL 9 kernel - -RHEL 9 kernel since 5.14.0-603.el9 (2025-07-30) claims to support -Landlock ABI version 6, but it lacks support for LANDLOCK_SCOPE_SIGNAL. -The issue is still present in 5.14.0-642.el9 (2025-11-20). +Date: Sun, 23 Nov 2025 20:13:49 +0200 +Subject: [PATCH 2/4] Landlock: Workaround a bug in RHEL 9 kernel If one runs xz 5.8.0 or 5.8.1 from some other distribution in a container on RHEL 9, xz will fail with the message "Failed to enable the sandbox". + +RHEL 9 kernel since 5.14.0-603.el9 (2025-07-30) claims to support +Landlock ABI version 6, but it lacks support for LANDLOCK_SCOPE_SIGNAL. +The issue is still present in 5.14.0-643.el9 (2025-11-22). Red Hat is +aware of the issue, but I don't know when it will be fixed. + The sandbox is meant to be transparent to users, thus there isn't and won't be a command line option to disable it. Instead, add a workaround to keep xz working on the buggy RHEL 9 kernels. +Reported-by: Richard W.M. Jones +Thanks-to: Pavel Raiskup +Tested-by: Orgad Shaneh +Tested-by: Richard W.M. Jones Fixes: https://github.com/tukaani-project/xz/issues/199 Link: https://issues.redhat.com/browse/RHEL-125143 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2407105 +Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/65BDSY56R5ZJRTUC4B6CIVCVLY4LG4ME/ --- src/common/my_landlock.h | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h -index 379d7bd4..a11077c4 100644 +index 379d7bd4..0f8e04e0 100644 --- a/src/common/my_landlock.h +++ b/src/common/my_landlock.h @@ -21,6 +21,7 @@ @@ -38,7 +45,7 @@ index 379d7bd4..a11077c4 100644 - if (abi_version == 0) + // Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30) -+ // claims ABI version 6 support, but as of 5.14.0-642.el9 (2025-11-20) ++ // claims ABI version 6 support, but as of 5.14.0-643.el9 (2025-11-22) + // it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream + // Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports. + // We assume that any kernel version 5.14 with ABI version 6 is buggy. @@ -76,5 +83,5 @@ index 379d7bd4..a11077c4 100644 // We only know about the features of the ABIs 1-6. break; -- -2.47.3 +2.51.1 diff --git a/0004-Landlock-Add-missing-ifdefs.patch b/0004-Landlock-Add-missing-ifdefs.patch new file mode 100644 index 0000000..977ce96 --- /dev/null +++ b/0004-Landlock-Add-missing-ifdefs.patch @@ -0,0 +1,59 @@ +From 8bb516887c1912106a72db96216cab46954e6190 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Sun, 23 Nov 2025 20:39:28 +0200 +Subject: [PATCH 4/4] Landlock: Add missing #ifdefs + +The build was broken on distros that have an old . + +Fixes: 2b2652e914b1 ("Landlock: Workaround a bug in RHEL 9 kernel") +--- + src/common/my_landlock.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h +index 0f8e04e0..5f761695 100644 +--- a/src/common/my_landlock.h ++++ b/src/common/my_landlock.h +@@ -43,17 +43,20 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) + // >0 = Landlock ABI version + static int abi_version = 0; + ++#ifdef LANDLOCK_SCOPE_SIGNAL + // Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30) + // claims ABI version 6 support, but as of 5.14.0-643.el9 (2025-11-22) + // it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream + // Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports. + // We assume that any kernel version 5.14 with ABI version 6 is buggy. + static bool is_rhel9 = false; ++#endif + + if (abi_version == 0) { + abi_version = syscall(SYS_landlock_create_ruleset, + (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + ++#ifdef LANDLOCK_SCOPE_SIGNAL + if (abi_version == 6) { + static const char rel[] = "5.14."; + const size_t rel_len = sizeof(rel) - 1; +@@ -63,6 +66,7 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) + un.release, rel, rel_len) == 0) + is_rhel9 = true; + } ++#endif + } + + if (abi_version <= 0) +@@ -141,8 +145,10 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) + FALLTHROUGH; + + case 6: ++#ifdef LANDLOCK_SCOPE_SIGNAL + if (is_rhel9) + attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL; ++#endif + + FALLTHROUGH; + +-- +2.51.1 + diff --git a/xz.spec b/xz.spec index 2623b1f..9631178 100644 --- a/xz.spec +++ b/xz.spec @@ -5,7 +5,7 @@ Summary: LZMA compression utilities Name: xz Epoch: 1 Version: 5.8.1 -Release: 3%{?dist} +Release: 4%{?dist} # liblzma - 0BSD # xz{,dec}, lzma{dec,info} - 0BSD @@ -26,9 +26,11 @@ Source101: colorxzgrep.csh # https://github.com/tukaani-project/xz/issues/199 # https://issues.redhat.com/browse/RHEL-125143 -# (Upstream, but in the rhel9landlock branch) +# Upstream in > 5.8.1 Patch: 0001-Landlock-Cache-the-ABI-version.patch Patch: 0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch +#Patch: 0003-Update-THANKS.patch +Patch: 0004-Landlock-Add-missing-ifdefs.patch URL: https://tukaani.org/%{name}/ Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -186,6 +188,9 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %changelog +* Sun Nov 23 2025 Richard W.M. Jones - 1:5.8.1-4 +- Add final workaround for "Failed to enable the sandbox" (RHEL-125143) + * Sat Nov 22 2025 Richard W.M. Jones - 1:5.8.1-3 - Add workaround for "Failed to enable the sandbox" (RHEL-125143) From b3257761cf2028e4a01679211d8868657f5333ed Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 5 Jan 2026 11:51:24 +0000 Subject: [PATCH 7/8] New upstream version 5.8.2 (RHBZ#2423317) Remove patches which are included in this release. --- 0001-Landlock-Cache-the-ABI-version.patch | 46 ---------- ...ck-Workaround-a-bug-in-RHEL-9-kernel.patch | 87 ------------------- 0004-Landlock-Add-missing-ifdefs.patch | 59 ------------- sources | 4 +- xz.spec | 16 ++-- 5 files changed, 8 insertions(+), 204 deletions(-) delete mode 100644 0001-Landlock-Cache-the-ABI-version.patch delete mode 100644 0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch delete mode 100644 0004-Landlock-Add-missing-ifdefs.patch diff --git a/0001-Landlock-Cache-the-ABI-version.patch b/0001-Landlock-Cache-the-ABI-version.patch deleted file mode 100644 index 0caa634..0000000 --- a/0001-Landlock-Cache-the-ABI-version.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ee75c76958dd891906745125590563ab64e85995 Mon Sep 17 00:00:00 2001 -From: Lasse Collin -Date: Sun, 23 Nov 2025 20:13:37 +0200 -Subject: [PATCH 1/4] Landlock: Cache the ABI version - -In xz it can avoid up to two syscalls that query the ABI version. ---- - src/common/my_landlock.h | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h -index e135d08c..379d7bd4 100644 ---- a/src/common/my_landlock.h -+++ b/src/common/my_landlock.h -@@ -4,6 +4,10 @@ - // - /// \file my_landlock.h - /// \brief Linux Landlock sandbox helper functions -+/// -+/// \note This uses static variables to cache the Landlock ABI version. -+/// Only one file in an application should include this header. -+/// Only one thread should call these functions. - // - // Author: Lasse Collin - // -@@ -32,8 +36,16 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) - { - memzero(attr, sizeof(*attr)); - -- const int abi_version = syscall(SYS_landlock_create_ruleset, -+ // Cache the Landlock ABI version: -+ // 0 = not checked yet -+ // -1 = Landlock not supported -+ // >0 = Landlock ABI version -+ static int abi_version = 0; -+ -+ if (abi_version == 0) -+ abi_version = syscall(SYS_landlock_create_ruleset, - (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); -+ - if (abi_version <= 0) - return -1; - --- -2.51.1 - diff --git a/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch b/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch deleted file mode 100644 index ec3fe51..0000000 --- a/0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 2b2652e914b1c38d4c009a8dcac11dfee9c7e008 Mon Sep 17 00:00:00 2001 -From: Lasse Collin -Date: Sun, 23 Nov 2025 20:13:49 +0200 -Subject: [PATCH 2/4] Landlock: Workaround a bug in RHEL 9 kernel - -If one runs xz 5.8.0 or 5.8.1 from some other distribution in a container -on RHEL 9, xz will fail with the message "Failed to enable the sandbox". - -RHEL 9 kernel since 5.14.0-603.el9 (2025-07-30) claims to support -Landlock ABI version 6, but it lacks support for LANDLOCK_SCOPE_SIGNAL. -The issue is still present in 5.14.0-643.el9 (2025-11-22). Red Hat is -aware of the issue, but I don't know when it will be fixed. - -The sandbox is meant to be transparent to users, thus there isn't and -won't be a command line option to disable it. Instead, add a workaround -to keep xz working on the buggy RHEL 9 kernels. - -Reported-by: Richard W.M. Jones -Thanks-to: Pavel Raiskup -Tested-by: Orgad Shaneh -Tested-by: Richard W.M. Jones -Fixes: https://github.com/tukaani-project/xz/issues/199 -Link: https://issues.redhat.com/browse/RHEL-125143 -Link: https://bugzilla.redhat.com/show_bug.cgi?id=2407105 -Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/65BDSY56R5ZJRTUC4B6CIVCVLY4LG4ME/ ---- - src/common/my_landlock.h | 27 ++++++++++++++++++++++++++- - 1 file changed, 26 insertions(+), 1 deletion(-) - -diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h -index 379d7bd4..0f8e04e0 100644 ---- a/src/common/my_landlock.h -+++ b/src/common/my_landlock.h -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - - - /// \brief Initialize Landlock ruleset attributes to forbid everything -@@ -42,10 +43,28 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) - // >0 = Landlock ABI version - static int abi_version = 0; - -- if (abi_version == 0) -+ // Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30) -+ // claims ABI version 6 support, but as of 5.14.0-643.el9 (2025-11-22) -+ // it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream -+ // Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports. -+ // We assume that any kernel version 5.14 with ABI version 6 is buggy. -+ static bool is_rhel9 = false; -+ -+ if (abi_version == 0) { - abi_version = syscall(SYS_landlock_create_ruleset, - (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); - -+ if (abi_version == 6) { -+ static const char rel[] = "5.14."; -+ const size_t rel_len = sizeof(rel) - 1; -+ -+ struct utsname un; -+ if (uname(&un) == 0 && strncmp( -+ un.release, rel, rel_len) == 0) -+ is_rhel9 = true; -+ } -+ } -+ - if (abi_version <= 0) - return -1; - -@@ -121,6 +140,12 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) - #endif - FALLTHROUGH; - -+ case 6: -+ if (is_rhel9) -+ attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL; -+ -+ FALLTHROUGH; -+ - default: - // We only know about the features of the ABIs 1-6. - break; --- -2.51.1 - diff --git a/0004-Landlock-Add-missing-ifdefs.patch b/0004-Landlock-Add-missing-ifdefs.patch deleted file mode 100644 index 977ce96..0000000 --- a/0004-Landlock-Add-missing-ifdefs.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 8bb516887c1912106a72db96216cab46954e6190 Mon Sep 17 00:00:00 2001 -From: Lasse Collin -Date: Sun, 23 Nov 2025 20:39:28 +0200 -Subject: [PATCH 4/4] Landlock: Add missing #ifdefs - -The build was broken on distros that have an old . - -Fixes: 2b2652e914b1 ("Landlock: Workaround a bug in RHEL 9 kernel") ---- - src/common/my_landlock.h | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h -index 0f8e04e0..5f761695 100644 ---- a/src/common/my_landlock.h -+++ b/src/common/my_landlock.h -@@ -43,17 +43,20 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) - // >0 = Landlock ABI version - static int abi_version = 0; - -+#ifdef LANDLOCK_SCOPE_SIGNAL - // Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30) - // claims ABI version 6 support, but as of 5.14.0-643.el9 (2025-11-22) - // it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream - // Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports. - // We assume that any kernel version 5.14 with ABI version 6 is buggy. - static bool is_rhel9 = false; -+#endif - - if (abi_version == 0) { - abi_version = syscall(SYS_landlock_create_ruleset, - (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); - -+#ifdef LANDLOCK_SCOPE_SIGNAL - if (abi_version == 6) { - static const char rel[] = "5.14."; - const size_t rel_len = sizeof(rel) - 1; -@@ -63,6 +66,7 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) - un.release, rel, rel_len) == 0) - is_rhel9 = true; - } -+#endif - } - - if (abi_version <= 0) -@@ -141,8 +145,10 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr) - FALLTHROUGH; - - case 6: -+#ifdef LANDLOCK_SCOPE_SIGNAL - if (is_rhel9) - attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL; -+#endif - - FALLTHROUGH; - --- -2.51.1 - diff --git a/sources b/sources index 5e6df97..f0abd9a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (xz-5.8.1.tar.gz) = 151b2a47fdf00274c4fd71ceada8fb6c892bdac44070847ebf3259e602b97c95ee5ee88974e03d7aa821ab4f16d5c38e50dfb2baf660cf39c199878a666e19ad -SHA512 (xz-5.8.1.tar.gz.sig) = 4a67ed623841d64a5826cef1d5e21f3567ba275ee8f725a1217f76ce2ba25a41c6e22e62f8c7cca74d0d6e8398e8ee8926eab722cc8c1b10c42e990c32765efd +SHA512 (xz-5.8.2.tar.gz) = 0b808fc8407e7c50da3a7b2db05be732c2fcd41850b92c7f5647181443483848ff359e176c816ce2038c115273f51575877c14f1356417cc9d53845841acb063 +SHA512 (xz-5.8.2.tar.gz.sig) = 91c8d49d8ad0eb1e128203cf2c051fb200ec0e2b5eebea10a39945a998d24f11652a000faefa688d129327593043271314cbf115d78c21eeed738476dd2defb6 diff --git a/xz.spec b/xz.spec index 9631178..12f2654 100644 --- a/xz.spec +++ b/xz.spec @@ -4,8 +4,8 @@ Summary: LZMA compression utilities Name: xz Epoch: 1 -Version: 5.8.1 -Release: 4%{?dist} +Version: 5.8.2 +Release: 1%{?dist} # liblzma - 0BSD # xz{,dec}, lzma{dec,info} - 0BSD @@ -24,14 +24,6 @@ Source2: https://tukaani.org/misc/lasse_collin_pubkey.txt Source100: colorxzgrep.sh Source101: colorxzgrep.csh -# https://github.com/tukaani-project/xz/issues/199 -# https://issues.redhat.com/browse/RHEL-125143 -# Upstream in > 5.8.1 -Patch: 0001-Landlock-Cache-the-ABI-version.patch -Patch: 0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch -#Patch: 0003-Update-THANKS.patch -Patch: 0004-Landlock-Add-missing-ifdefs.patch - URL: https://tukaani.org/%{name}/ Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -188,6 +180,10 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %changelog +* Mon Jan 05 2026 Richard W.M. Jones - 1:5.8.2-1 +- New upstream version 5.8.2 (RHBZ#2423317) +- Remove patches which are included in this release. + * Sun Nov 23 2025 Richard W.M. Jones - 1:5.8.1-4 - Add final workaround for "Failed to enable the sandbox" (RHEL-125143) From 8829c783ae6726a78d030f5be0ae76c0970ff696 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 5 Jan 2026 12:03:32 +0000 Subject: [PATCH 8/8] Add sv (Swedish) translations of man pages --- xz.spec | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/xz.spec b/xz.spec index 12f2654..d75d810 100644 --- a/xz.spec +++ b/xz.spec @@ -138,12 +138,13 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %{_mandir}/man1/*xz* %lang(de) %{_mandir}/de/man1/*xz* %lang(fr) %{_mandir}/fr/man1/*xz* -%lang(ko) %{_mandir}/ko/man1/*xz* -%lang(ro) %{_mandir}/ro/man1/*xz* -%lang(uk) %{_mandir}/uk/man1/*xz* %lang(it) %{_mandir}/it/man1/*xz* -%lang(sr) %{_mandir}/sr/man1/*xz* +%lang(ko) %{_mandir}/ko/man1/*xz* %lang(pt_BR) %{_mandir}/pt_BR/man1/*xz* +%lang(ro) %{_mandir}/ro/man1/*xz* +%lang(sr) %{_mandir}/sr/man1/*xz* +%lang(sv) %{_mandir}/sv/man1/*xz* +%lang(uk) %{_mandir}/uk/man1/*xz* %{profiledir}/* @@ -171,12 +172,13 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check %{_mandir}/man1/*lz* %lang(de) %{_mandir}/de/man1/*lz* %lang(fr) %{_mandir}/fr/man1/*lz* -%lang(ko) %{_mandir}/ko/man1/*lz* -%lang(ro) %{_mandir}/ro/man1/*lz* -%lang(uk) %{_mandir}/uk/man1/*lz* %lang(it) %{_mandir}/it/man1/*lz* -%lang(sr) %{_mandir}/sr/man1/*lz* +%lang(ko) %{_mandir}/ko/man1/*lz* %lang(pt_BR) %{_mandir}/pt_BR/man1/*lz* +%lang(ro) %{_mandir}/ro/man1/*lz* +%lang(sr) %{_mandir}/sr/man1/*lz* +%lang(sv) %{_mandir}/sv/man1/*lz* +%lang(uk) %{_mandir}/uk/man1/*lz* %changelog