| Summary: | calibre new security issue CVE-2018-7889 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, mageia, marja11, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | calibre-2.85.1-2.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 3.19.0 | ||
Description
David Walser
2018-03-21 19:43:05 CET
David Walser
2018-03-21 19:45:31 CET
Status comment: (none) => Fixed upstream in 3.19.0

Assigning to the registered maintainer.
CC: (none) => marja11

Reassigning to all packagers collectively as the original maintainer is not available anymore (thanks for all your work Atilla!).
Assignee: tarakbumba => pkg-bugs

Version 3.27.1 pushed also to mga6 to solve that issue.
CC: (none) => bruno

Besides calibre-3.27.1-1.mga6, IIRC, I saw you push some other packages to mga6 updates_testing in the last few days that were deps for this package. You need to list those packages (SRPMS and RPMS) and provide a note as to why they needed to be updated.
Keywords: (none) => feedback

Indeed David, python-html5-parser had to be added to MGA6 as it's a new dependency for calibre since version 3.5.0 and was required to allow calibre to be built. I pushed the SRPM python-html5-parser-0.4.4-2.mga6.src.rpm and the corresponding RPMS python-html5-parser-0.4.4-1.1.mga6.x86_64.rpm & python3-html5-parser-0.4.4-2.mga6.x86_64.rpm
Thanks :D

Advisory:
========================
Updated calibre package fixes security vulnerability:

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call (CVE-2018-7889).

The python-html5-parser package is a new dependency for the updated calibre package and has been included with this update.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7889
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUNMTXK3UTN636LOBG63UDSTVM4AF26T/
========================
Updated packages in core/updates_testing:
========================
python-html5-parser-0.4.4-1.1.mga6
python3-html5-parser-0.4.4-1.1.mga6
calibre-3.27.1-1.mga6
from SRPMS:
python-html5-parser-0.4.4-1.1.mga6.src.rpm
calibre-3.27.1-1.mga6.src.rpm
Keywords: feedback => (none)

Installed and tested with ONE ISSUE FOUND.
TL;DR:
The package calibre needs to depend on the package python-msgpack to fix a missing package error.
Tests included:
- Reading books;
- Adding books;
- Deleting books;
- Managing metadata;
- Downloading metadata from Google and Amazon;
- Converting formats;
- FAILED: Content server DOES NOT WORK due to a missing package "python-msgpack" (see error below). After installing the missing package the issue is resolved. To solve this, a dependency needs to be added to the calibre package.
Missing package error:
=========================================================
calibre, version 3.27.1
ERRO: Exceção não tratada: <b>ImportError</b>:No module named msgpack
calibre 3.27.1 embedded-python: False is64bit: True
Linux-4.14.70-desktop-2.mga6-x86_64-with-mageia-6-Official Linux ('64bit', 'ELF')
('Linux', '4.14.70-desktop-2.mga6', '#1 SMP Thu Sep 20 22:05:46 UTC 2018')
Python 2.7.15
Linux: ('Mageia', '6', 'Official')
Interface language: pt
Traceback (most recent call last):
File "/usr/lib64/calibre/calibre/gui2/actions/device.py", line 215, in toggle_content_server
self.gui.start_content_server()
File "/usr/lib64/calibre/calibre/gui2/ui.py", line 482, in start_content_server
from calibre.srv.embedded import Server
File "/usr/lib64/calibre/calibre/srv/embedded.py", line 13, in <module>
from calibre.srv.handler import Handler
File "/usr/lib64/calibre/calibre/srv/handler.py", line 13, in <module>
from calibre.srv.routes import Router
File "/usr/lib64/calibre/calibre/srv/routes.py", line 15, in <module>
from calibre.utils.serialize import msgpack_dumps, json_dumps, MSGPACK_MIME
File "/usr/lib64/calibre/calibre/utils/serialize.py", line 10, in <module>
import msgpack
ImportError: No module named msgpack
=========================================================
$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ LANGUAGE=C urpmi calibre
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release")
python-chardet 2.3.0 3.mga6 noarch
python-regex 2015.11.22 1.mga6 x86_64
(medium "Core Updates Testing")
calibre 3.27.1 1.mga6 x86_64
python-html5-parser 0.4.4 1.1.mga6 x86_64
python-lxml 3.8.0 1.1.mga6 x86_64
3.8MB of additional disk space will be used.
29MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n)
<SNIP>
CC: (none) => mageia

Thanks for your test. Package updated to include the missing dep in calibre-3.27.1-2.mga6

Installed and tested without issues. The issue, missing dependency for package python-msgpack, referred to in comment #7 is fixed.
$ LANGUAGE=C urpmi calibre
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release")
python-msgpack 0.4.6 3.mga6 x86_64
(medium "Core Updates Testing")
calibre 3.27.1 2.mga6 x86_64
253KB of additional disk space will be used.
28MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
Whiteboard: (none) => MGA6-64-OK

Bruno, please remember to use a subrel when making such fixes in the future instead of bumping the rel (but thanks for the fix).

I'm not sure I get the rule :-( For lilypond you asked me to *not* use subrel to avoid the mga7 version being lower than the mga6 one, so that's what I applied here. (BTW calibre in mga7 has the tag 3, so will be higher). Let me know what I'm missing.

It's very simple. When you upgrade a package to a new version (as you did with lilypond), the release tag is 1 and there is no subrel, just as in Cauldron. For stable releases, whenever you rebuild an existing version of a package, you always increment the subrel (or add it if there isn't one). At no time do you ever increment a release tag in stable releases.

Validating. Suggested advisory in Comment 6 needs to be updated to include the missing dep from the first test.
Keywords: (none) => validated_update
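The advisory in this thread describes the root cause of CVE-2018-7889: calibre's bookmark manager handed an imported file to cPickle.load, and unpickling executes whatever import and call instructions the stream carries. The following Python is an added example written for this page, not code from calibre, Mageia or anyone in this bug report; the bookmark record shape, the function names and the sample files are constructed assumptions. It contrasts the unsafe pattern with a hardened importer that uses JSON plus shape validation, and, for migrating files written by an older pickle-based version, a static opcode scan and an Unpickler subclass that refuses every global lookup, so a file that merely references a module is rejected without ever being executed.

```python
import datetime
import io
import json
import pickle
import pickletools

# Constructed sample bookmark records (assumed shape, not calibre's real format).
SAMPLE_BOOKMARKS = [
    {"title": "Chapter 3", "pos": "epubcfi(/6/8!/4/2)", "type": "cfi"},
    {"title": "Last read", "pos": "epubcfi(/6/20!/4/10)", "type": "last-read"},
]
ALLOWED_KEYS = {"title", "pos", "type"}
ALLOWED_TYPES = {"cfi", "last-read"}

# Pickle opcodes that resolve a module/attribute name. A stream containing any of
# them can reach arbitrary callables, which is what CVE-2018-7889 abused.
NAME_RESOLVING_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST"}


def load_bookmarks_unsafe(data: bytes):
    """The pattern the advisory describes: unpickling attacker-controlled bytes.
    Never run this on a user-supplied file; kept only as the 'before' for contrast."""
    return pickle.loads(data)


def pickle_references_globals(data: bytes) -> bool:
    """Static check that never executes the stream: walk the opcodes and report
    whether any of them would resolve a module or attribute name."""
    return any(op.name in NAME_RESOLVING_OPCODES
               for op, _arg, _pos in pickletools.genops(data))


class RefusingUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup (pattern from the Python docs).
    Plain containers, strings and numbers still load; any import attempt fails."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unpickle_refusing(data: bytes):
    """Unpickle with global lookups forbidden (no shape validation yet)."""
    return RefusingUnpickler(io.BytesIO(data)).load()


def validate_bookmarks(parsed) -> list:
    """Enforce the expected shape on already-decoded data so a malformed file
    cannot surprise the rest of the application."""
    if not isinstance(parsed, list):
        raise ValueError("bookmark file must contain a list")
    out = []
    for rec in parsed:
        if not isinstance(rec, dict) or set(rec) != ALLOWED_KEYS:
            raise ValueError(f"unexpected bookmark record: {rec!r}")
        if not all(isinstance(rec[k], str) for k in ALLOWED_KEYS):
            raise ValueError("bookmark fields must be strings")
        if rec["type"] not in ALLOWED_TYPES:
            raise ValueError(f"unknown bookmark type {rec['type']!r}")
        out.append(dict(rec))
    return out


def load_bookmarks_json(text: str) -> list:
    """Hardened importer: JSON decodes only to lists/dicts/strings/numbers/bools,
    never to code, and the result is still validated before use."""
    return validate_bookmarks(json.loads(text))


def load_bookmarks_legacy_pickle(data: bytes) -> list:
    """Migration path for old pickle files: refuse streams that reference globals,
    unpickle with globals forbidden, then apply the same validation as JSON."""
    if pickle_references_globals(data):
        raise ValueError("bookmark pickle references globals; refusing to load")
    return validate_bookmarks(unpickle_refusing(data))


def rejects(loader, data) -> bool:
    """True if loader(data) raises ValueError (incl. JSONDecodeError) or UnpicklingError."""
    try:
        loader(data)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


def sample_json_text() -> str:
    """Constructed JSON bookmark file."""
    return json.dumps(SAMPLE_BOOKMARKS)


def safe_sample_pickle() -> bytes:
    """Constructed benign legacy file: a plain list of dicts, no global references."""
    return pickle.dumps(SAMPLE_BOOKMARKS)


def global_referencing_pickle() -> bytes:
    """Constructed stand-in for a crafted file: a harmless datetime.date, whose pickle
    must resolve the global datetime.date to rebuild it, so the hardened loaders
    reject it for that reason alone, without executing anything."""
    return pickle.dumps(datetime.date(2018, 3, 21))
```

Both loaders funnel through the same `validate_bookmarks`, so a migrated pickle file gets no more trust than a JSON one; the opcode scan runs before any unpickling, and the refusing unpickler is a second line in case a stream reaches it by another path. The date object stands in for a crafted file only to show that a mere class reference is enough to be refused; nothing here builds or runs a malicious payload.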
Thomas Backlund
2018-10-19 17:57:20 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0399.html
Status: ASSIGNED => RESOLVED

python-lxml-3.8.0-1.1.mga6 was missed from the advisory, causing bug 23737... now fixed