author | Bertrand Jacquin <bertrand@jacquin.bzh> | 2024-03-29 19:53:25 +0000 |
---|---|---|
committer | Bertrand Jacquin <bertrand@jacquin.bzh> | 2024-04-06 00:33:51 +0100 |
commit | e71c7350c4e74182658bdac4602adedf1c4cfc4d (patch) | |
tree | 36d0a36c6cdadadf0accc9506e54d938cb76d0d3 /.github | |
parent | CVE-2024-3094: doxygen (diff) | |
CVE-2024-3094: import xz-5.6.0.tar.xzjiatan/v5.6.0/autofoo
Diffstat (limited to '.github')
-rw-r--r-- | .github/SECURITY.md | 29 | ||||
-rw-r--r-- | .github/workflows/ci.yml | 160 | ||||
-rw-r--r-- | .github/workflows/windows-ci.yml | 124 |
3 files changed, 0 insertions, 313 deletions
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
deleted file mode 100644
index e9b3458a..00000000
--- a/.github/SECURITY.md
+++ /dev/null
@@ -1,29 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-We provide security updates to the development branch and the stable
-branches. Security patches for old releases are available on the
-[project website](https://xz.tukaani.org/xz-utils/).
-
-## Reporting a Vulnerability
-
-If you discover a security vulnerability in this project, please
-report it privately. **Do not disclose it as a public issue.** This gives
-us time to work with you to fix the issue before public exposure, reducing
-the chance that the exploit will be used before a patch is released.
-
-You may submit a report by emailing us at
-[xz@tukaani.org](mailto:xz@tukaani.org), or through
-[Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
-While both options are available, we prefer email. In any case, please
-provide a clear description of the vulnerability including:
-
-- Affected versions of XZ Utils
-- Estimated severity (low, moderate, high, critical)
-- Steps to recreate the vulnerability
-- All relevant files (core dumps, build logs, input files, etc.)
-
-This project is maintained by a team of volunteers on a reasonable-effort
-basis. As such, please give us 90 days to work on a fix before
-public exposure.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 95fa5af6..00000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -# SPDX-License-Identifier: 0BSD - -############################################################################# -# -# Author: Jia Tan -# -############################################################################# - -name: CI - -on: - # Triggers the workflow on push or pull request events but only for the master branch - push: - branches: [ master ] - pull_request: - branches: [ master ] - - # Allows running workflow manually - workflow_dispatch: - -jobs: - POSIX: - strategy: - matrix: - os: [ubuntu-latest, macos-latest] - build_system: [autotools, cmake] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0 - - ######################## - # Install Dependencies # - ######################## - - # Install Autotools on Linux - - name: Install Dependencies - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }} - run: | - sudo apt-get update - sudo apt-get install -y autoconf automake build-essential po4a autopoint gcc-multilib doxygen musl-tools - - # Install Autotools on Mac - - name: Install Dependencies - if: ${{ matrix.os == 'macos-latest' && matrix.build_system == 'autotools' }} - run: brew install autoconf automake libtool po4a doxygen - - # Install CMake on Linux - - name: Install Dependencies - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'cmake' }} - run: | - sudo apt-get update - sudo apt-get install -y build-essential cmake musl-tools - - # Install CMake on Mac - - name: Install Dependencies - if: ${{ matrix.os == 'macos-latest' && matrix.build_system == 'cmake' }} - run: brew install cmake - - ################## - # Build and Test # - ################## - - # -b specifies the build system to use. - # -p specifies the phase (build or test) to help narrow down an error - # if one occurs. - # - # The first two builds/tests are only run on Autotools Linux and - # affect the CFLAGS. 
Resetting the CFLAGS requires clearing the - # config cache between runs, so the tests that require CFLAGS are - # done first. - - name: Build 32-bit - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }} - run: ./build-aux/ci_build.sh -b autotools -p build -f "-m32" - - name: Test 32-bit - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }} - run: | - ./build-aux/ci_build.sh -b autotools -p test -f "-m32" -n 32_bit - cd ../xz_build && make distclean - - # ifunc must be disabled for this test because __attribute__ ifunc is - # incompatible with -fsanitize=address. - # - # The sandbox must also be disabled because it will prevent access to - # the /proc/ filesystem on Linux, which is used by the sanitizer's - # instrumentation. - - name: Build with -fsanitize=address,undefined - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }} - run: ./build-aux/ci_build.sh -b autotools -p build -f "-fsanitize=address,undefined" -d ifunc,sandbox - - name: Test with -fsanitize=address,undefined - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }} - run: | - ./build-aux/ci_build.sh -b autotools -p test -f "-fsanitize=address,undefined" -d ifunc,sandbox - cd ../xz_build && make distclean - - # musl libc has some slight differences compared to glibc, including - # the lack of ifunc support. This tests if the ifunc detection - # functions properly since musl-gcc can compile with ifunc support, - # but will fail at runtime. 
- - name: Build with musl libc - if: ${{ matrix.os == 'ubuntu-latest'}} - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p build -m "/usr/bin/musl-gcc" - - name: Test with musl libc - if: ${{ matrix.os == 'ubuntu-latest'}} - run: | - ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p test -m "/usr/bin/musl-gcc" - - name: Clean up musl libc run - if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }} - run: cd ../xz_build && make distclean - - - name: Build with full features - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p build - - name: Test with full features - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p test -n full_features - - - name: Build without encoders - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d encoders,shared -p build - - name: Test without encoders - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d encoders,shared -p test -n no_encoders - - - name: Build without decoders - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d decoders,shared -p build - - name: Test without decoders - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d decoders,shared -p test -n no_decoders - - - name: Build without threads - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d threads,shared -p build - - name: Test without threads - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d threads,shared -p test -n no_threads - - - name: Build without BCJ filters - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d bcj,shared,nls -p build - - name: Test without BCJ filters - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d bcj,shared,nls -p test -n no_bcj - - - name: Build without Delta filters - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d delta,shared,nls -p build - - name: Test without Delta filters - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d delta,shared,nls -p test 
-n no_delta - - - name: Build without sha256 check - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,crc64 -d shared,nls -p build - - name: Test without sha256 check - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,crc64 -d shared,nls -p test -n no_sha256 - - - name: Build without crc64 check - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,sha256 -d shared,nls -p build - - name: Test without crc64 check - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -c crc32,sha256 -d shared,nls -p test -n no_crc64 - - - name: Build small - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d small -p build - - name: Test small - run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d small -p test -n small - - # Attempt to upload the test logs as artifacts if any step has failed - - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 #v4.0.0 - if: ${{ failure() }} - with: - name: ${{ matrix.os }} ${{ matrix.build_system }} Test Logs - path: build-aux/artifacts diff --git a/.github/workflows/windows-ci.yml b/.github/workflows/windows-ci.yml deleted file mode 100644 index 7285a78f..00000000 --- a/.github/workflows/windows-ci.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -# SPDX-License-Identifier: 0BSD - -############################################################################# -# -# Author: Jia Tan -# -############################################################################# - -name: Windows-CI - -# Only run the Windows CI manually since it takes much longer than the others. -on: workflow_dispatch - -jobs: - POSIX: - strategy: - matrix: - # Test different environments since the code may change between - # them and we want to ensure that we support all potential users. - # clang64 builds are currently broken when building static libraries - # due to a bug in ldd search path: - # https://github.com/llvm/llvm-project/issues/67779 - # TODO - re-enable clang64 when this is resolved. - msys2_env: [mingw64, mingw32, ucrt64, msys] - build_system: [autotools, cmake] - - # Set the shell to be msys2 as a default to avoid setting it for - # every individual run command. - defaults: - run: - shell: msys2 {0} - - runs-on: windows-latest - - steps: - ##################### - # Setup Environment # - ##################### - - # Rely on the msys2 GitHub Action to set up the msys2 environment. - - name: Setup MSYS2 - uses: msys2/setup-msys2@27b3aa77f672cb6b3054121cfd80c3d22ceebb1d #v2.20.1 - with: - msystem: ${{ matrix.msys2_env }} - update: true - install: pactoys make - - - name: Checkout code - # Need to explicitly set the shell here since we set the default - # shell as msys2 earlier. This avoids an extra msys2 dependency on - # git. - shell: powershell - # Avoid Windows line endings. Otherwise test_scripts.sh will fail - # because the expected output is stored in the test framework as a - # text file and will not match the output from xzgrep. 
- run: git config --global core.autocrlf false - - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0 - - - ######################## - # Install Dependencies # - ######################## - - # The pacman repository has a different naming scheme for default - # msys packages than the others. The pacboy tool allows installing - # the packages possible in matrix setup without a burdensome amount - # of ifs. - - name: Install Dependencies - if: ${{ matrix.msys2_env == 'msys' && matrix.build_system == 'autotools' }} - run: pacman --noconfirm -S --needed autotools base-devel doxygen gettext-devel gcc - - - name: Install Dependencies - if: ${{ matrix.msys2_env != 'msys' && matrix.build_system == 'autotools' }} - run: pacboy --noconfirm -S --needed autotools:p toolchain:p doxygen:p - - - name: Install Dependencies - if: ${{ matrix.msys2_env == 'msys' && matrix.build_system == 'cmake' }} - run: pacman --noconfirm -S --needed cmake base-devel gcc - - - name: Install Dependencies - if: ${{ matrix.msys2_env != 'msys' && matrix.build_system == 'cmake' }} - run: pacboy --noconfirm -S --needed cmake:p toolchain:p - - ################## - # Build and Test # - ################## - - - name: Build with full features - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -p build - - name: Test with full features - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -p test -n full_features - - - name: Build without threads - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d threads,shared -p build - - name: Test without threads - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d threads,shared -p test -n no_threads - - - name: Build without encoders - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d encoders,shared -p build - - name: Test without encoders - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d 
encoders,shared -p test -n no_encoders - - - name: Build without decoders - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d decoders,shared -p build - - name: Test without decoders - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -d decoders,shared -p test -n no_decoders - - - name: Build with only crc32 check - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -c crc32 -d shared,nls -p build - - name: Test with only crc32 check - run: ./build-aux/ci_build.sh -a "--no-po4a" -b ${{ matrix.build_system }} -c crc32 -d shared,nls -p test -n crc32_only - - - ############### - # Upload Logs # - ############### - - # Upload the test logs as artifacts if any step has failed. - - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 #v4.0.0 - if: ${{ failure() }} - with: - name: ${{ matrix.msys2_env }} ${{ matrix.build_system }} Test Logs - path: build-aux/artifacts |