From b0d307bc7f1a5972b602905d5420f3ca0b2da880 Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Wed, 12 Nov 2025 15:32:37 -0600 Subject: [PATCH 1/6] Upgrade xz from 5.2.12 -> 5.8.1 --- LICENSE.liblzma.txt | 14 +++++++++++++- pythonbuild/downloads.py | 19 +++++++++---------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/LICENSE.liblzma.txt b/LICENSE.liblzma.txt index 4590b3a23..2d7885199 100644 --- a/LICENSE.liblzma.txt +++ b/LICENSE.liblzma.txt @@ -1 +1,13 @@ -liblzma is in the public domain. +Copyright (C) The XZ Utils authors and contributors + +Permission to use, copy, modify, and/or distribute this +software for any purpose with or without fee is hereby granted. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL +WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR +CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN +CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index b4b28b434..4981e1399 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py 
@@ -414,19 +414,18 @@ "sha256": "936b74c60b19c317c3f3cb1b114575032528dbdaf428740483200ea874c2ca0a", "version": "1.6.0", }, - # IMPORTANT: xz 5.6 has a backdoor. Be extremely cautious before taking any xz - # upgrade since it isn't clear which versions are safe. + # IMPORTANT: xz 5.6.0 was released with a backdoor (CVE-2024-3094). This has been resolved. + # Be cautious before taking any xz upgrades given this past behavior. "xz": { - "url": "https://github.com/astral-sh/python-build-standalone/releases/download/20240224/xz-5.2.12.tar.gz", - "size": 2190541, - "sha256": "61bda930767dcb170a5328a895ec74cab0f5aac4558cdda561c83559db582a13", - "version": "5.2.12", + "url": "https://github.com/tukaani-project/xz/releases/download/v5.8.1/xz-5.8.1.tar.gz", + "size": 2587189, + "sha256": "507825b599356c10dca1cd720c9d0d0c9d5400b9de300af00e4d1ea150795543", + "version": "5.8.1", "library_names": ["lzma"], - # liblzma is in the public domain. Other parts of code have licenses. But - # we only use liblzma. - "licenses": [], + # liblzma is licensed as 0BSD. Other parts of code have different licenses. + # But we only use liblzma. + "licenses": ["0BSD"], "license_file": "LICENSE.liblzma.txt", - "license_public_domain": True, }, "zlib": { "url": "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz", From a9c60acbe2c3c48c691493f63b809d0019996e34 Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Thu, 13 Nov 2025 09:56:18 -0600 Subject: [PATCH 2/6] skip -Werror check when building xz with musl-clang This check was added to xz v5.7.2beta: https://github.com/tukaani-project/xz/commit/1780bba74075da5e7764615bd323e95e19057dee --- cpython-unix/build-xz.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/cpython-unix/build-xz.sh b/cpython-unix/build-xz.sh index 01e71e9fb..ddd6d0730 100755 --- a/cpython-unix/build-xz.sh +++ b/cpython-unix/build-xz.sh 
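Review bot: The rewritten comment above the `"xz"` entry names only 5.6.0, but CVE-2024-3094 covered the 5.6.0 and 5.6.1 release tarballs, and "This has been resolved" does not tell a future upgrader what to check. The same hunk moves `url` from the project's own release mirror to the upstream release asset, so the pinned `sha256` and `size` are what tie the build to a reviewed tarball. The comment should record how that hash was obtained, for example that the tarball was checked against upstream's detached signature. Suggested wording: `# IMPORTANT: the xz 5.6.0 and 5.6.1 release tarballs contained a backdoor (CVE-2024-3094).` followed by `# Verify a new tarball against the upstream signature before changing url/sha256.`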
@@ -13,7 +13,16 @@ tar -xf xz-${XZ_VERSION}.tar.gz pushd xz-${XZ_VERSION} -CFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CPPFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CCASFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" LDFLAGS="${EXTRA_TARGET_LDFLAGS}" ./configure \ +skip_werror_check=no + +# musl-clang injects flags that are not used during compilation, +# e.g. -fuse-ld=musl-clang. These raise warnings that can be ignored but +# cause the -Werror check to fail. Skip the check. +if [ "${CC}" = "musl-clang" ]; then + skip_werror_check=yes +fi + +SKIP_WERROR_CHECK="${skip_werror_check}" CFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CPPFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" CCASFLAGS="${EXTRA_TARGET_CFLAGS} -fPIC" LDFLAGS="${EXTRA_TARGET_LDFLAGS}" ./configure \ --build=${BUILD_TRIPLE} \ --host=${TARGET_TRIPLE} \ --prefix=/tools/deps \ From 503b09be709e2c4c9f3549d7bf515e9070d6ac92 Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Thu, 13 Nov 2025 11:57:47 -0600 Subject: [PATCH 3/6] update modification to liblzma.vcxproj for xz 5.8.1 Adjust modification to apply changes to the project file from: python/cpython#141022 --- cpython-windows/build.py | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/cpython-windows/build.py b/cpython-windows/build.py index d113cbbed..6e8ce2b7b 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py 
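Review bot: The test `[ "${CC}" = "musl-clang" ]` matches only the bare name, so a `CC` given as a path or with arguments appended would leave `skip_werror_check=no` and bring back the configure failure the new comment describes. Whether the build ever sets `CC` that way is not visible in this hunk. A pattern match is more tolerant: `case "${CC}" in *musl-clang*) skip_werror_check=yes ;; esac`. The upstream reference for `SKIP_WERROR_CHECK` lives only in the commit message, so a line such as `# SKIP_WERROR_CHECK is read by xz's configure (added in 5.7.2beta).` next to the assignment would save the next reader a search. The `./configure` invocation continues past the end of the hunk.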
@@ -598,23 +598,40 @@ def hack_project_files( with sqlite3_path.open("wb") as fh: fh.write(data) - # Our version of the xz sources is newer than what's in cpython-source-deps - # and the xz sources changed the path to config.h. Hack the project file + # Our version of the xz sources may be newer than what's in cpython-source-deps. + # The source files and locations may have changed. Hack the project file # accordingly. # - # ... but CPython finally upgraded liblzma in 2022, so newer CPython releases - # already have this patch. So we're phasing it out. + # CPython updates xz occasionally. When these changes make it into a release + # these modification to the project file are not needed. + # The most recent change was an update to version 5.8.1: + # https://github.com/python/cpython/pull/141022 try: liblzma_path = pcbuild_path / "liblzma.vcxproj" static_replace_in_file( liblzma_path, - rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;", rb"$(lzmaDir)windows\vs2019;$(lzmaDir)src/liblzma/common;", + rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;", + ) + static_replace_in_file( + liblzma_path, + rb'\r\n \r\n', + rb'\r\n ', + ) + static_replace_in_file( + liblzma_path, + rb'\r\n \r\n', + rb'\r\n ', + ) + static_replace_in_file( + liblzma_path, + rb'', + rb'\r\n ' ) static_replace_in_file( liblzma_path, - rb'', rb'', + rb'', ) except NoSearchStringError: pass From 18d8ae9f679e4dc4e4146ac6f7ac9802e4ff9f28 Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Thu, 13 Nov 2025 12:31:58 -0600 Subject: [PATCH 4/6] DEBUG: revert before merging --- cpython-windows/build.py | 55 +++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 29 deletions(-) diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 6e8ce2b7b..ee99cd48b 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py 
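Review bot: All five `static_replace_in_file` calls on `liblzma.vcxproj` sit inside one `try` whose handler is `except NoSearchStringError: pass`, so a miss on any pattern silently skips every later one. Assuming each call writes the file as it goes, that can leave the project file partly rewritten with nothing in the build log. Since this file decides which liblzma sources and include paths are compiled, it would be safer to handle each replacement separately and print which pattern was not found, or to skip the whole group when the first pattern is absent. The `DEBUG: revert before merging` commit later in this series removes the guard entirely, which surfaces the misses but would presumably fail builds where CPython already carries the change, so it should be dropped before merge. `hack_project_files` starts and ends outside the hunk.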
@@ -606,35 +606,32 @@ def hack_project_files( # these modification to the project file are not needed. # The most recent change was an update to version 5.8.1: # https://github.com/python/cpython/pull/141022 - try: - liblzma_path = pcbuild_path / "liblzma.vcxproj" - static_replace_in_file( - liblzma_path, - rb"$(lzmaDir)windows\vs2019;$(lzmaDir)src/liblzma/common;", - rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;", - ) - static_replace_in_file( - liblzma_path, - rb'\r\n \r\n', - rb'\r\n ', - ) - static_replace_in_file( - liblzma_path, - rb'\r\n \r\n', - rb'\r\n ', - ) - static_replace_in_file( - liblzma_path, - rb'', - rb'\r\n ' - ) - static_replace_in_file( - liblzma_path, - rb'', - rb'', - ) - except NoSearchStringError: - pass + liblzma_path = pcbuild_path / "liblzma.vcxproj" + static_replace_in_file( + liblzma_path, + rb"$(lzmaDir)windows\vs2019;$(lzmaDir)src/liblzma/common;", + rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;", + ) + static_replace_in_file( + liblzma_path, + rb'\r\n \r\n', + rb'\r\n ', + ) + static_replace_in_file( + liblzma_path, + rb'\r\n \r\n', + rb'\r\n ', + ) + static_replace_in_file( + liblzma_path, + rb'', + rb'\r\n ' + ) + static_replace_in_file( + liblzma_path, + rb'', + rb'', + ) # Our logic for rewriting extension projects gets confused by _sqlite.vcxproj not # having a `` line in 3.10+. So adjust that. From 32dbd1137ed20d60863c11471911a4f5867cda5a Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Thu, 13 Nov 2025 12:54:05 -0600 Subject: [PATCH 5/6] fix slash --- cpython-windows/build.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpython-windows/build.py b/cpython-windows/build.py index ee99cd48b..1e465805e 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py 
@@ -609,7 +609,7 @@ def hack_project_files( liblzma_path = pcbuild_path / "liblzma.vcxproj" static_replace_in_file( liblzma_path, - rb"$(lzmaDir)windows\vs2019;$(lzmaDir)src/liblzma/common;", + rb"$(lzmaDir)windows/vs2019;$(lzmaDir)src/liblzma/common;", rb"$(lzmaDir)windows;$(lzmaDir)src/liblzma/common;", ) static_replace_in_file( From 81996229862d393bfa7276873f1715cb09594ff0 Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Thu, 13 Nov 2025 13:59:26 -0600 Subject: [PATCH 6/6] escape characters in lzma replacements --- cpython-windows/build.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 1e465805e..903c0233b 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py @@ -614,18 +614,18 @@ def hack_project_files( ) static_replace_in_file( liblzma_path, - rb'\r\n \r\n', - rb'\r\n ', + b'\r\n \r\n', + b'\r\n ', ) static_replace_in_file( liblzma_path, - rb'\r\n \r\n', - rb'\r\n ', + b'\r\n \r\n', + b'\r\n ', ) static_replace_in_file( liblzma_path, - rb'', - rb'\r\n ' + b'', + b'\r\n ' ) static_replace_in_file( liblzma_path,
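Review bot: In the last hunk, the switch from `rb'...'` to `b'...'` is what turns `\r\n` into a real CRLF, but nothing in the code says so, and the first call in the group still uses `rb"..."`, so the mixed prefixes look accidental. A comment above the affected calls would stop someone from tidying them back to raw literals: `# Non-raw bytes on purpose: \r\n must be a real CRLF to match liblzma.vcxproj.` The added `b'\r\n '` in the third call also lacks the trailing comma the other arguments carry. These patterns only match a project file that has CRLF line endings, and the final `static_replace_in_file(` call continues past the end of the hunk.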