aboutsummaryrefslogtreecommitdiff
path: root/.github
diff options
context:
space:
mode:
authorBertrand Jacquin <bertrand@jacquin.bzh>2024-03-29 19:53:25 +0000
committerBertrand Jacquin <bertrand@jacquin.bzh>2024-04-06 00:33:51 +0100
commite71c7350c4e74182658bdac4602adedf1c4cfc4d (patch)
tree36d0a36c6cdadadf0accc9506e54d938cb76d0d3 /.github
parentCVE-2024-3094: doxygen (diff)
downloadxz-e71c7350c4e74182658bdac4602adedf1c4cfc4d.tar.xz
CVE-2024-3094: import xz-5.6.0.tar.xzjiatan/v5.6.0/autofoo
Diffstat (limited to '.github')
-rw-r--r--.github/SECURITY.md29
-rw-r--r--.github/workflows/ci.yml160
-rw-r--r--.github/workflows/windows-ci.yml124
3 files changed, 0 insertions, 313 deletions
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
deleted file mode 100644
index e9b3458a..00000000
--- a/.github/SECURITY.md
+++ /dev/null
@@ -1,29 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-We provide security updates to the development branch and the stable
-branches. Security patches for old releases are available on the
-[project website](https://xz.tukaani.org/xz-utils/).
-
-## Reporting a Vulnerability
-
-If you discover a security vulnerability in this project, please
-report it privately. **Do not disclose it as a public issue.** This gives
-us time to work with you to fix the issue before public exposure, reducing
-the chance that the exploit will be used before a patch is released.
-
-You may submit a report by emailing us at
-[xz@tukaani.org](mailto:xz@tukaani.org), or through
-[Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
-While both options are available, we prefer email. In any case, please
-provide a clear description of the vulnerability including:
-
-- Affected versions of XZ Utils
-- Estimated severity (low, moderate, high, critical)
-- Steps to recreate the vulnerability
-- All relevant files (core dumps, build logs, input files, etc.)
-
-This project is maintained by a team of volunteers on a reasonable-effort
-basis. As such, please give us 90 days to work on a fix before
-public exposure.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 95fa5af6..00000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-# SPDX-License-Identifier: 0BSD
-
-#############################################################################
-#
-# Author: Jia Tan
-#
-#############################################################################
-
-name: CI
-
-on:
- # Triggers the workflow on push or pull request events but only for the master branch
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
-
- # Allows running workflow manually
- workflow_dispatch:
-
-jobs:
- POSIX:
- strategy:
- matrix:
- os: [ubuntu-latest, macos-latest]
- build_system: [autotools, cmake]
- runs-on: ${{ matrix.os }}
- steps:
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
-
- ########################
- # Install Dependencies #
- ########################
-
- # Install Autotools on Linux
- - name: Install Dependencies
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
- run: |
- sudo apt-get update
- sudo apt-get install -y autoconf automake build-essential po4a autopoint gcc-multilib doxygen musl-tools
-
- # Install Autotools on Mac
- - name: Install Dependencies
- if: ${{ matrix.os == 'macos-latest' && matrix.build_system == 'autotools' }}
- run: brew install autoconf automake libtool po4a doxygen
-
- # Install CMake on Linux
- - name: Install Dependencies
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'cmake' }}
- run: |
- sudo apt-get update
- sudo apt-get install -y build-essential cmake musl-tools
-
- # Install CMake on Mac
- - name: Install Dependencies
- if: ${{ matrix.os == 'macos-latest' && matrix.build_system == 'cmake' }}
- run: brew install cmake
-
- ##################
- # Build and Test #
- ##################
-
- # -b specifies the build system to use.
- # -p specifies the phase (build or test) to help narrow down an error
- # if one occurs.
- #
- # The first two builds/tests are only run on Autotools Linux and
- # affect the CFLAGS. Resetting the CFLAGS requires clearing the
- # config cache between runs, so the tests that require CFLAGS are
- # done first.
- - name: Build 32-bit
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
- run: ./build-aux/ci_build.sh -b autotools -p build -f "-m32"
- - name: Test 32-bit
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
- run: |
- ./build-aux/ci_build.sh -b autotools -p test -f "-m32" -n 32_bit
- cd ../xz_build && make distclean
-
- # ifunc must be disabled for this test because __attribute__ ifunc is
- # incompatible with -fsanitize=address.
- #
- # The sandbox must also be disabled because it will prevent access to
- # the /proc/ filesystem on Linux, which is used by the sanitizer's
- # instrumentation.
- - name: Build with -fsanitize=address,undefined
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
- run: ./build-aux/ci_build.sh -b autotools -p build -f "-fsanitize=address,undefined" -d ifunc,sandbox
- - name: Test with -fsanitize=address,undefined
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
- run: |
- ./build-aux/ci_build.sh -b autotools -p test -f "-fsanitize=address,undefined" -d ifunc,sandbox
- cd ../xz_build && make distclean
-
- # musl libc has some slight differences compared to glibc, including
- # the lack of ifunc support. This tests if the ifunc detection
- # functions properly since musl-gcc can compile with ifunc support,
- # but will fail at runtime.
- - name: Build with musl libc
- if: ${{ matrix.os == 'ubuntu-latest'}}
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p build -m "/usr/bin/musl-gcc"
- - name: Test with musl libc
- if: ${{ matrix.os == 'ubuntu-latest'}}
- run: |
- ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p test -m "/usr/bin/musl-gcc"
- - name: Clean up musl libc run
- if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
- run: cd ../xz_build && make distclean
-
- - name: Build with full features
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p build
- - name: Test with full features
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p test -n full_features
-
- - name: Build without encoders
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d encoders,shared -p build
- - name: Test without encoders
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d encoders,shared -p test -n no_encoders
-
- - name: Build without decoders
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d decoders,shared -p build
- - name: Test without decoders
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d decoders,shared -p test -n no_decoders
-
- - name: Build without threads
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d threads,shared -p build
- - name: Test without threads
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d threads,shared -p test -n no_threads
-
- - name: Build without BCJ filters
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d bcj,shared,nls -p build
- - name: Test without BCJ filters
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d bcj,shared,nls -p test -n no_bcj
-
- - name: Build without Delta filters
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d delta,shared,nls -p build
- - name: Test without Delta filters
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d delta,shared,nls -p test -n no_delta
-
- - name: Build without sha256 check
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,crc64 -d shared,nls -p build
- - name: Test without sha256 check
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,crc64 -d shared,nls -p test -n no_sha256
-
- - name: Build without crc64 check
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,sha256 -d shared,nls -p build
- - name: Test without crc64 check
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,sha256 -d shared,nls -p test -n no_crc64
-
- - name: Build small
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d small -p build
- - name: Test small
- run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d small -p test -n small
-
- # Attempt to upload the test logs as artifacts if any step has failed
- - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 #v4.0.0
- if: ${{ failure() }}
- with:
- name: ${{ matrix.os }} ${{ matrix.build_system }} Test Logs
- path: build-aux/artifacts
diff --git a/.github/workflows/windows-ci.yml b/.github/workflows/windows-ci.yml
deleted file mode 100644
index 7285a78f..00000000
--- a/.github/workflows/windows-ci.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-# SPDX-License-Identifier: 0BSD
-
-#############################################################################
-#
-# Author: Jia Tan
-#
-#############################################################################
-
-name: Windows-CI
-
-# Only run the Windows CI manually since it takes much longer than the others.
-on: workflow_dispatch
-
-jobs:
- POSIX:
- strategy:
- matrix:
- # Test different environments since the code may change between
- # them and we want to ensure that we support all potential users.
- # clang64 builds are currently broken when building static libraries
- # due to a bug in ldd search path:
- # https://github.com/llvm/llvm-project/issues/67779
- # TODO - re-enable clang64 when this is resolved.
- msys2_env: [mingw64, mingw32, ucrt64, msys]
- build_system: [autotools, cmake]
-
- # Set the shell to be msys2 as a default to avoid setting it for
- # every individual run command.
- defaults:
- run:
- shell: msys2 {0}
-
- runs-on: windows-latest
-
- steps:
- #####################
- # Setup Environment #
- #####################
-
- # Rely on the msys2 GitHub Action to set up the msys2 environment.
- - name: Setup MSYS2
- uses: msys2/setup-msys2@27b3aa77f672cb6b3054121cfd80c3d22ceebb1d #v2.20.1
- with:
- msystem: ${{ matrix.msys2_env }}
- update: true
- install: pactoys make
-
- - name: Checkout code
- # Need to explicitly set the shell here since we set the default
- # shell as msys2 earlier. This avoids an extra msys2 dependency on
- # git.
- shell: powershell
- # Avoid Windows line endings. Otherwise test_scripts.sh will fail
- # because the expected output is stored in the test framework as a
- # text file and will not match the output from xzgrep.
- run: git config --global core.autocrlf false
-
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
-
-
- ########################
- # Install Dependencies #
- ########################
-
- # The pacman repository has a different naming scheme for default
- # msys packages than the others. The pacboy tool allows installing
- # the packages possible in matrix setup without a burdensome amount
- # of ifs.
- - name: Install Dependencies
- if: ${{ matrix.msys2_env == 'msys' && matrix.build_system == 'autotools' }}
- run: pacman --noconfirm -S --needed autotools base-devel doxygen gettext-devel gcc
-
- - name: Install Dependencies
- if: ${{ matrix.msys2_env != 'msys' && matrix.build_system == 'autotools' }}
- run: pacboy --noconfirm -S --needed autotools:p toolchain:p doxygen:p
-
- - name: Install Dependencies
- if: ${{ matrix.msys2_env == 'msys' && matrix.build_system == 'cmake' }}
- run: pacman --noconfirm -S --needed cmake base-devel gcc
-
- - name: Install Dependencies
- if: ${{ matrix.msys2_env != 'msys' && matrix.build_system == 'cmake' }}
- run: pacboy --noconfirm -S --needed cmake:p toolchain:p
-
- ##################
- # Build and Test #
- ##################
-
- - name: Build with full features
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -p build
- - name: Test with full features
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -p test -n full_features
-
- - name: Build without threads
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d threads,shared -p build
- - name: Test without threads
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d threads,shared -p test -n no_threads
-
- - name: Build without encoders
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d encoders,shared -p build
- - name: Test without encoders
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d encoders,shared -p test -n no_encoders
-
- - name: Build without decoders
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d decoders,shared -p build
- - name: Test without decoders
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d decoders,shared -p test -n no_decoders
-
- - name: Build with only crc32 check
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -c crc32 -d shared,nls -p build
- - name: Test with only crc32 check
- run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -c crc32 -d shared,nls -p test -n crc32_only
-
-
- ###############
- # Upload Logs #
- ###############
-
- # Upload the test logs as artifacts if any step has failed.
- - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 #v4.0.0
- if: ${{ failure() }}
- with:
- name: ${{ matrix.msys2_env }} ${{ matrix.build_system }} Test Logs
- path: build-aux/artifacts