While investigating a recent vulnerability in libmspack http://lwn.net/Vulnerabilities/631508/ which we didn't have packaged, we found that it is bundled into some packages like cabextract and clamav. Oden discovered it in a few more: - calibre - evolution-ews - pidgin-msn-pecan Oden gave some details on how to potentially fix this: https://bugs.mageia.org/show_bug.cgi?id=15155#c24 Reproducible: Steps to Reproduce:
Maybe some other distros like Debian or OpenSuSE have some patches that can help.
CC: (none) => fundawang, shlomif, tarakbumba, thomas
Just FYI, Shlomi fixed cabextract in 1.5-2.mga5. Thanks Shlomi. Shlomi, I also CC'd you for pidgin-msn-pecan.
(In reply to David Walser from comment #2) > Just FYI, Shlomi fixed cabextract in 1.5-2.mga5. Thanks Shlomi. > > Shlomi, I also CC'd you for pidgin-msn-pecan. pidgin-msn-pecan should be fixed now too - at least in Cauldron. Regards, -- Shlomi Fish
Sophie shows there's other packages linked against it, eg: wxgtk See http://sophie.zarb.org/search?search=libmspack.so.0&type=bydep&deptype=R&distribution=Fedora&release=20&arch=i386
CC: (none) => thierry.vignaud
Copying a comment from Oden from the clamav bug: libmspack in cabextract, evolution-ews and pidgin-msn-pecan has been unbundled in cauldron. What remains is calibre who needs hands on by a python wizard. CC'ing Oden and Philippe on this bug.
CC: (none) => makowski.mageia, oe
And wxgtk...
(In reply to Thierry Vignaud from comment #6) > And wxgtk... It doesn't appear to bundle the mspack code, but it does support linking to libmspack with the --enable-libmspack option. CC'ing Jani since he maintains wxgtk. It also could be updated to 3.0.2.
CC: (none) => jani.valimaa
For calibre, no distro has a patch to make it use the system libmspack. The bundled code looks really old: https://github.com/kovidgoyal/calibre/tree/master/src/calibre/utils/lzx I don't know how the build system for this package works, so I don't know how one would go about making it link to the system libmspack.
For calibre we can try to disable the extension, or try to build with unbundled, seems that the code is there : https://github.com/kovidgoyal/calibre/blob/master/setup/extensions.py Debian just don't build the unrar extension http://bazaar.launchpad.net/~calibre-packagers/calibre/debian/view/head:/debian/patches/dont_build_unrar_plugin.patch
In fact in Calibre the code is only use with the LIT Input plugin. "LIT is a proprietary file extension for the Microsoft eBook Booklover, based on the chm file format logic." And I'm even not sure that the code is touched by the vulnerability in libmspack, the code seems to come from http://www.russotto.net/chm/ I suggest to let calibre as is.
The code from the recent libmspack vulnerability isn't even present in this really old version of the code bundled into calibre. The point is, we don't want bundled libraries at all if we can avoid it.
(In reply to David Walser from comment #11) > The point is, we don't want bundled libraries at all if we can avoid it. I understand that, but I'm not sure that the code is really from libmspack. For me it is a code from http://www.russotto.net/chm/ Disabling the extension is possible. Unbundle, I'm not sure. No other distro unbundle it or disable it for what I know. I let the maintainer decide.
It is some of the same code that's still in libmspack today, just an older version of it. libmspack is code for supporting the CHM file format. I don't know what that rusotto thing is, but it's probably based on the same code (as is cabextract). As far as unbundling it, looking at the code, it's not obvious to me at all how you would do that.
CC: thierry.vignaud => (none)
For what I see in calibre, the produced lxc.so is only use by this thin wrapper : https://github.com/kovidgoyal/calibre/blob/master/src/calibre/ebooks/lit/lzx.py if you can load a lib generated by libmspack instead of lxc.so, then it will be possible to unbundle. Just don't build lxc.so (remove it from https://github.com/kovidgoyal/calibre/blob/master/setup/extensions.py) and change calibre/ebooks/lit/lzx.py to load your system lib, or symlink your system lib to calibre/plugins/lzx.so and test with a LIT file ? Installing calibre and test with symlink to libmspack system lib instead of calibre/plugins/lzx.so can be the first test to see if we can easily unbundle. but I have to LIT file to test.
FYI, wxgtk was updated to 3.0.2 and linked against system libmspack.
(In reply to Philippe Makowski from comment #14) > Installing calibre and test with symlink to libmspack system lib instead of > calibre/plugins/lzx.so can be the first test to see if we can easily > unbundle. > but I have to LIT file to test. But I don't have any LIT file to test, if someone get one ...
(In reply to Philippe Makowski from comment #16) > (In reply to Philippe Makowski from comment #14) > > Installing calibre and test with symlink to libmspack system lib instead of > > calibre/plugins/lzx.so can be the first test to see if we can easily > > unbundle. > > but I have to LIT file to test. > > But I don't have any LIT file to test, if someone get one ... I was long time looking this but i can not find a solution. Symlinking does not work. Also calibre developer doesn't a packager friendly one: "WARNING: calibre is a highly complex piece of software with lots of very finicky dependencies. If you install from source, you are on your own. Please do not open bug reports or expect any form of support. You have been warned" from http://calibre-ebook.com/download_linux Here is a link to a lit format file; altough the file is written in Turkish it should not be a problem playing with it. http://www.ormansu.gov.tr/COB/Files/ekitap/m_02.lit Calibre uses libmspack source code not as is but a modified version of them. I think we have two choices; one is disabling lzx support which is not a thing that i want to do, other is let calibre continues to use internal lzx module.
CC: jani.valimaa => (none)
Target Milestone: --- => Mageia 6
Philippe, would you mind to inform me if you had tested provided .lit document against system libmspack or had found a solution for this?
no solution for now, Calibre use old code, so we keep bundle
Assigning to calibre maintainer since it's the only one remaining now.
Summary: libmspack is bundled into some packages => libmspack is bundled into some packages (one package remaining: calibre)Assignee: bugsquad => tarakbumbaStatus comment: (none) => Lib has been unbundled from all packages except Calibre for now.
Reassigning to all packagers collectively as the original maintainer is not available anymore (thanks for all your work Atilla!).
Assignee: tarakbumba => pkg-bugs
I'd say calibre now unbundled libmspack in Cauldron! http://svnweb.mageia.org/packages/cauldron/calibre/current/SPECS/calibre.spec?r1=1488177&r2=1488889&pathrev=1536911
CC: (none) => geiger.david68210
Nice! Any chance we can do this for Mageia 7?
Done also for mga7!
Updated package is calibre-3.42.0-3.1.mga7. Advisory to come later.
Status comment: Lib has been unbundled from all packages except Calibre for now. => (none)Version: Cauldron => 7Target Milestone: Mageia 6 => ---Assignee: pkg-bugs => qa-bugs
Advisory: ---------------------------------------- The calibre package has been fixed to use the system libmspack library, rather than an old bundled copy of the code. This will ensure that the CHM file support stays current with regard to security fixes.
MGA7-64 Plasma on Lenovo B50 No installation issues Link to an example lit file in Comment 17 is broken, but found another example in https://www.online-convert.com/file-format/lit. Downloaded that one (will upload as attachment) and opened it with calibre. Both the example file as the Quick Start Guide from calibre display correctly. OK for me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA7-64-OK
Created attachment 11512 [details] Example lit file for calibre
Validating. Advisory in Comment 26.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2020-0058.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED