diff --git a/LICENSE.liblzma.txt b/LICENSE.liblzma.txt
index 4590b3a2..2d788519 100644
--- a/LICENSE.liblzma.txt
+++ b/LICENSE.liblzma.txt
@@ -1 +1,13 @@
-liblzma is in the public domain.
+Copyright (C) The XZ Utils authors and contributors
+
+Permission to use, copy, modify, and/or distribute this
+software for any purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/cpython-unix/build-xz.sh b/cpython-unix/build-xz.sh
index 01e71e9f..ddd6d073 100755
--- a/cpython-unix/build-xz.sh
+++ b/cpython-unix/build-xz.sh
@@ -13,7 +13,16 @@ tar -xf xz-${XZ_VERSION}.tar.gz
pushd xz-${XZ_VERSION}
-CFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CPPFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CCASFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" LDFLAGS="${EXTRA_TARGET_LDFLAGS}" ./configure \
+skip_werror_check=no
+
+# musl-clang injects flags that are not used during compilation,
+# e.g. -fuse-ld=musl-clang. These raise warnings that can be ignored but
+# cause the -Werror check to fail. Skip the check.
+if [ "${CC}" = "musl-clang" ]; then
+ skip_werror_check=yes
+fi
+
+SKIP_WERROR_CHECK="${skip_werror_check}" CFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CPPFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CCASFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" LDFLAGS="${EXTRA_TARGET_LDFLAGS}" ./configure \
--build=${BUILD_TRIPLE} \
--host=${TARGET_TRIPLE} \
--prefix=/tools/deps \
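Review bot: The `if [ "${CC}" = "musl-clang" ]` test is an exact string comparison, so a toolchain invoked as an absolute path or with trailing arguments (`/opt/musl/bin/musl-clang`, `musl-clang -target ...`) will not trigger the skip and configure will still abort on the injected-flag warnings; a pattern match is more robust: `case "${CC:-}" in *musl-clang*) skip_werror_check=yes ;; esac`. Since `SKIP_WERROR_CHECK=yes` disables a configure sanity check on a supply-chain-sensitive dependency, keep the skip as narrow as it is now and say so in the comment, e.g. `# Do not widen this: only musl-clang's injected link flags are known to be harmless here.` Whether `CC` is guaranteed to be set when this script runs is not visible here; `${CC:-}` avoids an unbound-variable failure if the script runs under `set -u`. The `./configure` invocation continues past the end of the hunk.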
diff --git a/cpython-windows/build.py b/cpython-windows/build.py
index d113cbbe..903c0233 100644
--- a/cpython-windows/build.py
+++ b/cpython-windows/build.py
@@ -598,26 +598,40 @@ def hack_project_files(
with sqlite3_path.open("wb") as fh:
fh.write(data)
- # Our version of the xz sources is newer than what's in cpython-source-deps
- # and the xz sources changed the path to config.h. Hack the project file
+ # Our version of the xz sources may be newer than what's in cpython-source-deps.
+ # The source files and locations may have changed. Hack the project file
# accordingly.
#
- # ... but CPython finally upgraded liblzma in 2022, so newer CPython releases
- # already have this patch. So we're phasing it out.
- try:
- liblzma_path = pcbuild_path / "liblzma.vcxproj"
- static_replace_in_file(
- liblzma_path,
- rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;",
- rb"$(lzmaDir)windows\vs2019;$(lzmaDir)src/liblzma/common;",
- )
- static_replace_in_file(
- liblzma_path,
- rb'',
- rb'',
- )
- except NoSearchStringError:
- pass
+ # CPython updates xz occasionally. When these changes make it into a release
+ # these modification to the project file are not needed.
+ # The most recent change was an update to version 5.8.1:
+ # https://github.com/python/cpython/pull/141022
+ liblzma_path = pcbuild_path / "liblzma.vcxproj"
+ static_replace_in_file(
+ liblzma_path,
+ rb"$(lzmaDir)windows/vs2019;$(lzmaDir)src/liblzma/common;",
+ rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;",
+ )
+ static_replace_in_file(
+ liblzma_path,
+ b'\r\n \r\n',
+ b'\r\n ',
+ )
+ static_replace_in_file(
+ liblzma_path,
+ b'\r\n \r\n',
+ b'\r\n ',
+ )
+ static_replace_in_file(
+ liblzma_path,
+ b'',
+ b'\r\n '
+ )
+ static_replace_in_file(
+ liblzma_path,
+ rb'',
+ rb'',
+ )
# Our logic for rewriting extension projects gets confused by _sqlite.vcxproj not
# having a `` line in 3.10+. So adjust that.
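Review bot: Dropping the `try`/`except NoSearchStringError` wrapper means each `static_replace_in_file` call now aborts the build when its search string is absent, which is exactly the case the new comment anticipates ("when these changes make it into a release these modification[s] ... are not needed", referring to the 5.8.1 update in python/cpython#141022); the old silent `pass` was not ideal either, since a no-op could hide a liblzma built from the wrong sources. A middle ground is to gate the block on the CPython version being built, or to catch `NoSearchStringError` per call and log which replacement was skipped so the no-op is visible in the build output. The comment also needs a grammar fix: `# these modifications to the project file are not needed.` As rendered here the byte strings in the second through fourth calls appear to have lost their XML element text; if that is a rendering artifact it can be ignored, but an empty search string passed to `static_replace_in_file` would need checking. `hack_project_files` begins before and continues after this hunk.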
diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py
index b4b28b43..4981e139 100644
--- a/pythonbuild/downloads.py
+++ b/pythonbuild/downloads.py
@@ -414,19 +414,18 @@
"sha256": "936b74c60b19c317c3f3cb1b114575032528dbdaf428740483200ea874c2ca0a",
"version": "1.6.0",
},
- # IMPORTANT: xz 5.6 has a backdoor. Be extremely cautious before taking any xz
- # upgrade since it isn't clear which versions are safe.
+ # IMPORTANT: xz 5.6.0 was released with a backdoor (CVE-2024-3094). This has been resolved.
+ # Be cautious before taking any xz upgrades given this past behavior.
"xz": {
- "url": "https://github.com/astral-sh/python-build-standalone/releases/download/20240224/xz-5.2.12.tar.gz",
- "size": 2190541,
- "sha256": "61bda930767dcb170a5328a895ec74cab0f5aac4558cdda561c83559db582a13",
- "version": "5.2.12",
+ "url": "https://github.com/tukaani-project/xz/releases/download/v5.8.1/xz-5.8.1.tar.gz",
+ "size": 2587189,
+ "sha256": "507825b599356c10dca1cd720c9d0d0c9d5400b9de300af00e4d1ea150795543",
+ "version": "5.8.1",
"library_names": ["lzma"],
- # liblzma is in the public domain. Other parts of code have licenses. But
- # we only use liblzma.
- "licenses": [],
+ # liblzma is licensed as 0BSD. Other parts of code have different licenses.
+ # But we only use liblzma.
+ "licenses": ["0BSD"],
"license_file": "LICENSE.liblzma.txt",
- "license_public_domain": True,
},
"zlib": {
"url": "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz",