public inbox for bzip2-devel@sourceware.org
From: Mark Wielaard <mark@klomp.org>
To: jseward@acm.org, bzip2-devel@sourceware.org
Subject: 1.0.8 release (Was: [PATCH] Replace project contact email with bzip2-devel@sourceware.org)
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-ID: <a4ff3e56dfcd35f8cc2fb30aed4eeecaf1a1701d.camel@klomp.org>
In-Reply-To: <06d57235-b5c4-fd7c-6471-656735420e8c@acm.org>

Hi,

On Fri, 2019-07-12 at 09:50 +0200, Julian Seward wrote:
> That's all absolutely fine.  Please do update as per your patch.

Thanks. I also applied the last three distro patches for the bzgrep and
bzdiff script cleanups. There are not many updates since 1.0.7, but
that seems good if we just intend this to be a fixup release too. The
nSelectors relaxation is probably something we want to get out asap, so
people can unbzip2 all files again they could before (even if they were
technically "broken").

Unless someone objects I would like to do a 1.0.8 release this weekend.
With the updates this should all be automated now by running and
following the instructions with the ./prepare-release.sh 1.0.8 and
./release-update.sh 1.0.8 scripts.

I feel we did lots of testing now and the integration of the bzip2-
tests in the buildbot really helps. I have been using a fuzzer (afl)
for a week on various configurations, but did not find any issues. I am
working on better fuzzer targets for better coverage, but that can wait
till after the release (it is also a bit invasive since it requires new
build targets).

The one thing that might have been nice to integrate is the O_CLOEXEC
fix, especially for multi-threaded programs that use libbzip2 and might
fork/exec. But while O_CLOEXEC is now in POSIX, the fopen "e" mode as
used in the proposed patches is GNU/Linux specific. I don't believe the
guards proposed (just define BZ_UNIX to 1 and hope for the best) are the
most conservative option possible.

In summary the (important) fixes for 1.0.8 are:

* Accept as many selectors as the file format allows.
  This relaxes the fix for CVE-2019-12900 from 1.0.7
  so that bzip2 allows decompression of bz2 that use
  (too) many selectors again.

* Fix handling of large (> 4GB) files on Windows.

* Cleanup of bzdiff and bzgrep scripts so they don't use
  any bash extensions and handle multiple archives correctly.

* There is now a bz2-files testsuite at
  https://sourceware.org/git/bzip2-tests.git

Cheers,

Mark
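
Added example, not part of the message above and not code from the bzip2 project or the proposed patches: one way to get a close-on-exec stdio stream without the fopen "e" mode is open(2) with O_CLOEXEC followed by fdopen(3), falling back to fcntl(FD_CLOEXEC) where O_CLOEXEC is not defined. The names fopen_cloexec and stream_is_cloexec and the scratch file cloexec_demo.tmp are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* fdopen, fileno, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not a libbzip2 function: open `path` as a stdio stream
 * whose descriptor is close-on-exec, without relying on fopen's "e" flag. */
FILE *fopen_cloexec(const char *path, const char *mode)
{
    int flags, fd;
    FILE *fp;
    switch (mode[0]) {  /* map the stdio mode onto open(2) flags */
    case 'r': flags = O_RDONLY; break;
    case 'w': flags = O_WRONLY | O_CREAT | O_TRUNC; break;
    case 'a': flags = O_WRONLY | O_CREAT | O_APPEND; break;
    default:  return NULL;
    }
    if (strchr(mode, '+'))
        flags = (flags & ~O_ACCMODE) | O_RDWR;
#ifdef O_CLOEXEC
    /* Atomic: the flag is set before any other thread can fork/exec. */
    fd = open(path, flags | O_CLOEXEC, 0666);
#else
    /* Fallback: a fork/exec between open() and fcntl() can still leak fd. */
    fd = open(path, flags, 0666);
    if (fd >= 0 && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { close(fd); fd = -1; }
#endif
    if (fd < 0) return NULL;
    fp = fdopen(fd, mode);
    if (fp == NULL) close(fd);
    return fp;
}

/* 1 if the stream's descriptor has FD_CLOEXEC set, 0 if not, -1 on error. */
int stream_is_cloexec(FILE *fp)
{
    int fl = fcntl(fileno(fp), F_GETFD);
    return fl == -1 ? -1 : (fl & FD_CLOEXEC) != 0;
}

int main(void)
{
    FILE *fp = fopen_cloexec("cloexec_demo.tmp", "wb");  /* constructed scratch file */
    if (!fp) return 1;
    printf("FD_CLOEXEC set: %d\n", stream_is_cloexec(fp));
    fclose(fp);
    return remove("cloexec_demo.tmp") != 0;
}
```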
