Bug 15218 - libmspack is bundled into some packages (one package remaining: calibre)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Reported: 2015-02-06 20:28 CET by David Walser
Modified: 2020-02-22 00:07 CET (History)
CC: 11 users

Attachments:
Example lit file for calibre (668.73 KB, application/octet-stream), 2020-02-20 10:54 CET, Herman Viaene

Description David Walser 2015-02-06 20:28:46 CET
While investigating a recent vulnerability in libmspack
http://lwn.net/Vulnerabilities/631508/

which we didn't have packaged, we found that it is bundled into some packages like cabextract and clamav.  Oden discovered it in a few more:
- calibre
- evolution-ews
- pidgin-msn-pecan

Oden gave some details on how to potentially fix this:
https://bugs.mageia.org/show_bug.cgi?id=15155#c24

Comment 1 David Walser 2015-02-06 20:31:06 CET
Maybe some other distros like Debian or OpenSuSE have some patches that can help.

CC: (none) => fundawang, shlomif, tarakbumba, thomas

Comment 2 David Walser 2015-02-06 23:32:57 CET
Just FYI, Shlomi fixed cabextract in 1.5-2.mga5.  Thanks Shlomi.

Shlomi, I also CC'd you for pidgin-msn-pecan.
Comment 3 Shlomi Fish 2015-02-07 09:05:13 CET
(In reply to David Walser from comment #2)
> Just FYI, Shlomi fixed cabextract in 1.5-2.mga5.  Thanks Shlomi.
> 
> Shlomi, I also CC'd you for pidgin-msn-pecan.

pidgin-msn-pecan should be fixed now too - at least in Cauldron.

Regards,

-- Shlomi Fish
Comment 4 Thierry Vignaud 2015-02-07 09:56:30 CET
Sophie shows there are other packages linked against it, e.g. wxgtk

See http://sophie.zarb.org/search?search=libmspack.so.0&type=bydep&deptype=R&distribution=Fedora&release=20&arch=i386

CC: (none) => thierry.vignaud

Comment 5 David Walser 2015-02-07 16:08:14 CET
Copying a comment from Oden from the clamav bug:
libmspack in cabextract, evolution-ews and pidgin-msn-pecan has been unbundled in cauldron. What remains is calibre, which needs hands-on work by a Python wizard.

CC'ing Oden and Philippe on this bug.

CC: (none) => makowski.mageia, oe

Comment 6 Thierry Vignaud 2015-02-07 21:20:23 CET
And wxgtk...
Comment 7 David Walser 2015-02-15 17:22:14 CET
(In reply to Thierry Vignaud from comment #6)
> And wxgtk...

It doesn't appear to bundle the mspack code, but it does support linking to libmspack with the --enable-libmspack option.

CC'ing Jani since he maintains wxgtk.  It also could be updated to 3.0.2.

CC: (none) => jani.valimaa

Comment 8 David Walser 2015-02-15 22:21:08 CET
For calibre, no distro has a patch to make it use the system libmspack.  The bundled code looks really old:
https://github.com/kovidgoyal/calibre/tree/master/src/calibre/utils/lzx

I don't know how the build system for this package works, so I don't know how one would go about making it link to the system libmspack.
Comment 9 Philippe Makowski 2015-02-21 11:02:49 CET
For calibre we can try to disable the extension, or try to build with it unbundled; it seems that the code is there: https://github.com/kovidgoyal/calibre/blob/master/setup/extensions.py
Debian just doesn't build the unrar extension: http://bazaar.launchpad.net/~calibre-packagers/calibre/debian/view/head:/debian/patches/dont_build_unrar_plugin.patch
Comment 10 Philippe Makowski 2015-02-21 18:52:03 CET
In fact, in Calibre the code is only used by the LIT Input plugin.
"LIT is a proprietary file extension for the Microsoft eBook Booklover, based on the chm file format logic."
And I'm not even sure that the code is touched by the vulnerability in libmspack; the code seems to come from http://www.russotto.net/chm/
I suggest leaving calibre as is.
Comment 11 David Walser 2015-02-21 18:55:25 CET
The code from the recent libmspack vulnerability isn't even present in this really old version of the code bundled into calibre.  The point is, we don't want bundled libraries at all if we can avoid it.
Comment 12 Philippe Makowski 2015-02-21 19:01:05 CET
(In reply to David Walser from comment #11)
>  The point is, we don't want bundled libraries at all if we can avoid it.

I understand that, but I'm not sure that the code is really from libmspack.
For me it is code from http://www.russotto.net/chm/
Disabling the extension is possible. Unbundling, I'm not sure.
No other distro unbundles it or disables it, as far as I know.
I'll let the maintainer decide.
Comment 13 David Walser 2015-02-21 19:06:44 CET
It is some of the same code that's still in libmspack today, just an older version of it.  libmspack is code for supporting the CHM file format.  I don't know what that russotto thing is, but it's probably based on the same code (as is cabextract).

As far as unbundling it, looking at the code, it's not obvious to me at all how you would do that.
Thierry Vignaud 2015-02-21 19:13:55 CET

CC: thierry.vignaud => (none)

Comment 14 Philippe Makowski 2015-02-21 19:23:26 CET
For what I see in calibre, the produced lzx.so is only used by this thin wrapper:
https://github.com/kovidgoyal/calibre/blob/master/src/calibre/ebooks/lit/lzx.py

If you can load a lib generated by libmspack instead of lzx.so, then it will be possible to unbundle.
Just don't build lzx.so (remove it from https://github.com/kovidgoyal/calibre/blob/master/setup/extensions.py) and change calibre/ebooks/lit/lzx.py to load your system lib, or symlink your system lib to calibre/plugins/lzx.so and test with a LIT file?

Installing calibre and testing with a symlink to the libmspack system lib instead of calibre/plugins/lzx.so can be the first test to see if we can easily unbundle,
but I have no LIT file to test.
Comment 15 David Walser 2015-03-05 21:25:29 CET
FYI, wxgtk was updated to 3.0.2 and linked against system libmspack.
Comment 16 Philippe Makowski 2015-04-16 18:36:33 CEST
(In reply to Philippe Makowski from comment #14)
> Installing calibre and test with symlink to libmspack system lib instead of
> calibre/plugins/lzx.so can be the first test to see if we can easily
> unbundle.
> but I have to LIT file to test.

But I don't have any LIT file to test; if someone gets one ...
Comment 17 Atilla ÖNTAŞ 2015-04-16 20:57:49 CEST
(In reply to Philippe Makowski from comment #16)
> (In reply to Philippe Makowski from comment #14)
> > Installing calibre and test with symlink to libmspack system lib instead of
> > calibre/plugins/lzx.so can be the first test to see if we can easily
> > unbundle.
> > but I have to LIT file to test.
> 
> But I don't have any  LIT file to test, if someone get one ...

I was looking at this for a long time, but I cannot find a solution. Symlinking does not work. Also, the calibre developer isn't a packager-friendly one:
"WARNING: calibre is a highly complex piece of software with lots of very finicky dependencies. If you install from source, you are on your own. Please do not open bug reports or expect any form of support. You have been warned" from http://calibre-ebook.com/download_linux

Here is a link to a lit format file; although the file is written in Turkish, it should not be a problem playing with it.

http://www.ormansu.gov.tr/COB/Files/ekitap/m_02.lit

Calibre uses the libmspack source code not as is but in a modified version. I think we have two choices: one is disabling lzx support, which is not a thing that I want to do; the other is letting calibre continue to use its internal lzx module.
Jani Välimaa 2015-05-21 19:33:25 CEST

CC: jani.valimaa => (none)

Samuel Verschelde 2015-06-06 16:26:24 CEST

Target Milestone: --- => Mageia 6

Comment 18 Atilla ÖNTAŞ 2015-10-15 11:09:55 CEST
Philippe, would you mind informing me whether you have tested the provided .lit document against system libmspack or found a solution for this?
Comment 19 Philippe Makowski 2015-10-15 11:27:05 CEST
No solution for now; Calibre uses old code, so we keep it bundled.
Comment 20 Samuel Verschelde 2016-10-10 23:03:30 CEST
Assigning to calibre maintainer since it's the only one remaining now.

Summary: libmspack is bundled into some packages => libmspack is bundled into some packages (one package remaining: calibre)
Assignee: bugsquad => tarakbumba
Status comment: (none) => Lib has been unbundled from all packages except Calibre for now.

Comment 21 Samuel Verschelde 2018-09-21 09:40:15 CEST
Reassigning to all packagers collectively as the original maintainer is not available anymore (thanks for all your work Atilla!).

Assignee: tarakbumba => pkg-bugs

Comment 22 David GEIGER 2020-02-17 13:38:33 CET
I'd say calibre now unbundled libmspack in Cauldron!

http://svnweb.mageia.org/packages/cauldron/calibre/current/SPECS/calibre.spec?r1=1488177&r2=1488889&pathrev=1536911

CC: (none) => geiger.david68210

Comment 23 David Walser 2020-02-17 14:08:24 CET
Nice!  Any chance we can do this for Mageia 7?
Comment 24 David GEIGER 2020-02-17 14:36:48 CET
Done also for mga7!
Comment 25 David Walser 2020-02-18 14:24:09 CET
Updated package is calibre-3.42.0-3.1.mga7.  Advisory to come later.

Status comment: Lib has been unbundled from all packages except Calibre for now. => (none)
Version: Cauldron => 7
Target Milestone: Mageia 6 => ---
Assignee: pkg-bugs => qa-bugs

Comment 26 David Walser 2020-02-19 20:55:15 CET
Advisory:
----------------------------------------

The calibre package has been fixed to use the system libmspack library, rather
than an old bundled copy of the code.  This will ensure that the CHM file
support stays current with regard to security fixes.
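The unbundling test proposed in Comment 14 and the advisory's claim above both come down to one verifiable property: the shipped lzx.so must declare a runtime dependency on the system libmspack soname instead of carrying its own copy of the LZX code. The following is an added example, not code from this bug or from calibre: a small ELF32/ELF64 reader that lists the DT_NEEDED entries of any shared object (the same dependency Sophie was queried for in Comment 4) so a QA tester can check the installed plugin without ldd. The plugin path is an assumption to be adapted to the installed package.

```python
import struct

SHT_DYNAMIC = 6          # section type of .dynamic (ELF specification)
DT_NULL, DT_NEEDED = 0, 1  # dynamic-section tags of interest


def needed_libraries(path):
    """Return the DT_NEEDED shared-library names declared by an ELF file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("%s is not an ELF file" % path)
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    # ELF header after e_ident: e_type .. e_shstrndx (ELF32 uses 4-byte offsets)
    hdr = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
    shoff, shentsize, shnum = hdr[5], hdr[10], hdr[11]
    # Section headers: name, type, flags, addr, offset, size, link, info, align, entsize
    sh_fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    sections = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    dynamic = [s for s in sections if s[1] == SHT_DYNAMIC]
    if not dynamic:
        return []                          # statically linked or not a dynamic object
    dyn_off, dyn_size, strtab_idx = dynamic[0][4], dynamic[0][5], dynamic[0][6]
    str_off = sections[strtab_idx][4]      # sh_link of .dynamic points at .dynstr
    dyn_fmt = end + ("qQ" if is64 else "iI")
    entry = struct.calcsize(dyn_fmt)
    needed = []
    for pos in range(dyn_off, dyn_off + dyn_size, entry):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            start = str_off + val
            needed.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return needed


def uses_system_libmspack(path):
    """True when the object links the system library (libmspack.so.0 or a later soname)."""
    return any(name.startswith("libmspack.so") for name in needed_libraries(path))


if __name__ == "__main__":
    # Assumed install location of the calibre plugin; adjust to the packaged path.
    plugin = "/usr/lib64/calibre/calibre/plugins/lzx.so"
    print(plugin, "NEEDED:", needed_libraries(plugin))
    print("uses system libmspack:", uses_system_libmspack(plugin))
```

A plugin that still bundles the code shows no libmspack entry at all; a correctly unbundled one lists libmspack.so.0 next to libc and friends.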
Comment 27 Herman Viaene 2020-02-20 10:53:25 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
The link to an example lit file in Comment 17 is broken, but I found another example at https://www.online-convert.com/file-format/lit.
Downloaded that one (will upload as an attachment) and opened it with calibre. Both the example file and the Quick Start Guide from calibre display correctly.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 28 Herman Viaene 2020-02-20 10:54:13 CET
Created attachment 11512 [details]
Example lit file for calibre
Comment 29 Thomas Andrews 2020-02-20 18:00:39 CET
Validating. Advisory in Comment 26.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-21 22:12:40 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 30 Mageia Robot 2020-02-22 00:07:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2020-0058.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
