Subject: 1.0.8 release (Was: [PATCH] Replace project contact email with bzip2-devel@sourceware.org)
From: Mark Wielaard
To: jseward@acm.org, bzip2-devel@sourceware.org
Date: Tue, 01 Jan 2019 00:00:00 -0000

Hi,

On Fri, 2019-07-12 at 09:50 +0200, Julian Seward wrote:
> That's all absolutely fine. Please do update as per your patch.

Thanks. I also applied the last three distro patches for the bzgrep and bzdiff script cleanups.

There are not many updates since 1.0.7, but that seems good if we just intend this to be a fixup release too. The nSelectors relaxation is probably something we want to get out asap, so people can unbzip2 all files again they could before (even if they were technically "broken").

Unless someone objects I would like to do a 1.0.8 release this weekend. With the updates this should all be automated now by running and following the instructions with the ./prepare-release.sh 1.0.8 and ./release-update.sh 1.0.8 scripts.

I feel we did lots of testing now and the integration of the bzip2-tests in the buildbot really helps. I have been using a fuzzer (afl) for a week on various configurations, but did not find any issues. I am working on better fuzzer targets for better coverage, but that can wait till after the release (it is also a bit invasive since it requires new build targets).

The one thing that might have been nice to integrate is the O_CLOEXEC fix, especially for multi-threaded programs that use libbzip2 and might fork/exec. But while O_CLOEXEC is now in POSIX, the fopen "e" mode as used in the proposed patches is GNU/Linux specific. I don't believe the guards proposed (just define BZ_UNIX to 1 and hope for the best) are the most conservative option possible.

In summary the (important) fixes for 1.0.8 are:

* Accept as many selectors as the file format allows.
  This relaxes the fix for CVE-2019-12900 from 1.0.7
  so that bzip2 allows decompression of bz2 that use
  (too) many selectors again.

* Fix handling of large (> 4GB) files on Windows.

* Cleanup of bzdiff and bzgrep scripts so they don't use
  any bash extensions and handle multiple archives correctly.

* There is now a bz2-files testsuite at
  https://sourceware.org/git/bzip2-tests.git

Cheers,

Mark
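
The O_CLOEXEC point in the message above, as an added example that is not part of the original message, the proposed patches, or libbzip2: it gets a close-on-exec stdio stream from POSIX open() and fdopen() alone, without the fopen "e" mode. The helper names fopen_cloexec and stream_is_cloexec are hypothetical, and /dev/null stands in for a real input file.

```c
/* Added example, not libbzip2 code: close-on-exec stdio stream via POSIX only. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* fopen_cloexec is a hypothetical helper name; writing != 0 opens for output. */
FILE *fopen_cloexec(const char *path, int writing)
{
    int flags = writing ? (O_WRONLY | O_CREAT | O_TRUNC) : O_RDONLY;
    int fd;
    FILE *fp;
#ifdef O_CLOEXEC
    /* Atomic: no window where another thread can fork/exec and inherit fd. */
    fd = open(path, flags | O_CLOEXEC, 0600);
#else
    /* Systems without O_CLOEXEC: set the flag after open(); a short race remains. */
    fd = open(path, flags, 0600);
    if (fd >= 0 && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return NULL;
    }
#endif
    if (fd < 0)
        return NULL;
    fp = fdopen(fd, writing ? "wb" : "rb");
    if (fp == NULL)
        close(fd);              /* fdopen failed: do not leak the descriptor */
    return fp;
}

/* 1 if the stream's descriptor is close-on-exec, 0 if not, -1 on error. */
int stream_is_cloexec(FILE *fp)
{
    int fdflags = fcntl(fileno(fp), F_GETFD);
    return fdflags < 0 ? -1 : (fdflags & FD_CLOEXEC) != 0;
}

int main(void)
{
    FILE *plain = fopen("/dev/null", "rb");      /* inherited across exec */
    FILE *safe = fopen_cloexec("/dev/null", 0);  /* closed on exec */
    if (plain == NULL || safe == NULL)
        return 1;
    printf("fopen: %d  fopen_cloexec: %d\n",
           stream_is_cloexec(plain), stream_is_cloexec(safe));
    return 0;
}
```

Checking the flag with fcntl(F_GETFD), as stream_is_cloexec does, is also a quick way to audit which descriptors a process would hand to a child on exec.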