Bug 15218 - libmspack is bundled into some packages (one package remaining: calibre)
Summary: libmspack is bundled into some packages (one package remaining: calibre)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: Mageia 6
Assignee: Atilla ÖNTAŞ
Reported: 2015-02-06 20:28 CET by David Walser
Modified: 2016-10-10 23:03 CEST (History)
CC: 6 users

Status comment: Lib has been unbundled from all packages except Calibre for now.


Description David Walser 2015-02-06 20:28:46 CET
While investigating a recent vulnerability in libmspack
http://lwn.net/Vulnerabilities/631508/

which we didn't have packaged, we found that it is bundled into some packages like cabextract and clamav.  Oden discovered it in a few more:
- calibre
- evolution-ews
- pidgin-msn-pecan

Oden gave some details on how to potentially fix this:
https://bugs.mageia.org/show_bug.cgi?id=15155#c24

Comment 1 David Walser 2015-02-06 20:31:06 CET
Maybe some other distros like Debian or OpenSuSE have some patches that can help.
Comment 2 David Walser 2015-02-06 23:32:57 CET
Just FYI, Shlomi fixed cabextract in 1.5-2.mga5.  Thanks Shlomi.

Shlomi, I also CC'd you for pidgin-msn-pecan.
Comment 3 Shlomi Fish 2015-02-07 09:05:13 CET
(In reply to David Walser from comment #2)
> Just FYI, Shlomi fixed cabextract in 1.5-2.mga5.  Thanks Shlomi.
> 
> Shlomi, I also CC'd you for pidgin-msn-pecan.

pidgin-msn-pecan should be fixed now too - at least in Cauldron.

Regards,

-- Shlomi Fish
Comment 4 Thierry Vignaud 2015-02-07 09:56:30 CET
Sophie shows there are other packages linked against it, e.g. wxgtk

See http://sophie.zarb.org/search?search=libmspack.so.0&type=bydep&deptype=R&distribution=Fedora&release=20&arch=i386
Comment 5 David Walser 2015-02-07 16:08:14 CET
Copying a comment from Oden from the clamav bug:
libmspack in cabextract, evolution-ews and pidgin-msn-pecan has been unbundled in Cauldron. What remains is calibre, which needs hands-on work from a Python wizard.

CC'ing Oden and Philippe on this bug.
Comment 6 Thierry Vignaud 2015-02-07 21:20:23 CET
And wxgtk...
Comment 7 David Walser 2015-02-15 17:22:14 CET
(In reply to Thierry Vignaud from comment #6)
> And wxgtk...

It doesn't appear to bundle the mspack code, but it does support linking to libmspack with the --enable-libmspack option.

CC'ing Jani since he maintains wxgtk.  It also could be updated to 3.0.2.
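An added check, written by the editor and not part of this bug thread: comment 4 finds packages by their dependency on libmspack.so.0, while comment 7 distinguishes a package that merely links the system library (wxgtk) from one that carries its own copy of the code. The script below applies both signals to every shared object under a directory, using readelf for NEEDED entries and nm for exported symbols. The symbol prefixes (mspack_, lzxd_, mszipd_, qtmd_) are an assumption based on libmspack's public and internal naming; a bundled copy built with hidden visibility or with renamed functions, such as calibre's modified lzx code, will not be caught by it.

```shell
#!/bin/sh
# Heuristic audit for copies of libmspack in installed shared objects.
# Two signals per .so file:
#   link=system  : the dynamic section has a NEEDED entry for libmspack.so.*
#                  (the package uses the distro library; good)
#   symbols=bundled : the file itself DEFINES functions with libmspack-style
#                  prefixes (it carries its own copy of the code)
# Only defined symbols (T/t/W/w) count; a mere 'U mspack_...' import is not
# bundling, it is the normal case for a package linked against the system lib.

# classify_nm: read `nm -D --defined-only FILE` output on stdin,
# print "bundled" or "clean"
classify_nm() {
  if grep -Eq ' [TtWw] (mspack_|lzxd_|mszipd_|qtmd_)'; then
    echo bundled
  else
    echo clean
  fi
}

# classify_needed: read `readelf -d FILE` output on stdin,
# print "system" if libmspack.so appears as a NEEDED entry, else "none"
classify_needed() {
  if grep -q 'NEEDED.*\[libmspack\.so'; then
    echo system
  else
    echo none
  fi
}

# audit_dir DIR: one tab-separated line per shared object found under DIR
audit_dir() {
  dir=$1
  find "$dir" -type f -name '*.so*' 2>/dev/null | while read -r f; do
    needed=$(readelf -d "$f" 2>/dev/null | classify_needed)
    sym=$(nm -D --defined-only "$f" 2>/dev/null | classify_nm)
    printf '%s\tlink=%s\tsymbols=%s\n' "$f" "$needed" "$sym"
  done
}

# Usage: sh audit_mspack.sh /usr/lib64   (directory path is an assumption)
if [ -n "$1" ]; then
  audit_dir "$1"
fi
```

A line reading `link=none symbols=bundled` is the case this bug is about; `link=system symbols=clean` is the state cabextract and wxgtk reached after unbundling. Because calibre's lzx.so exports neither the system dependency nor the mspack_ names, it shows up as `link=none symbols=clean`, which is why a source-level review of the bundled tree is still needed there.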
Comment 8 David Walser 2015-02-15 22:21:08 CET
For calibre, no distro has a patch to make it use the system libmspack.  The bundled code looks really old:
https://github.com/kovidgoyal/calibre/tree/master/src/calibre/utils/lzx

I don't know how the build system for this package works, so I don't know how one would go about making it link to the system libmspack.
Comment 9 Philippe Makowski 2015-02-21 11:02:49 CET
For calibre we can try to disable the extension, or try to build with it unbundled; it seems that the code is there: https://github.com/kovidgoyal/calibre/blob/master/setup/extensions.py
Debian just doesn't build the unrar extension: http://bazaar.launchpad.net/~calibre-packagers/calibre/debian/view/head:/debian/patches/dont_build_unrar_plugin.patch
Comment 10 Philippe Makowski 2015-02-21 18:52:03 CET
In fact in Calibre the code is only used by the LIT Input plugin.
"LIT is a proprietary file extension for the Microsoft eBook Booklover, based on the chm file format logic."
And I'm not even sure that the code is touched by the vulnerability in libmspack; the code seems to come from http://www.russotto.net/chm/
I suggest leaving calibre as is.
Comment 11 David Walser 2015-02-21 18:55:25 CET
The code from the recent libmspack vulnerability isn't even present in this really old version of the code bundled into calibre.  The point is, we don't want bundled libraries at all if we can avoid it.
Comment 12 Philippe Makowski 2015-02-21 19:01:05 CET
(In reply to David Walser from comment #11)
>  The point is, we don't want bundled libraries at all if we can avoid it.

I understand that, but I'm not sure that the code is really from libmspack.
For me it is code from http://www.russotto.net/chm/
Disabling the extension is possible. Unbundling, I'm not sure.
No other distro unbundles it or disables it, as far as I know.
I'll let the maintainer decide.
Comment 13 David Walser 2015-02-21 19:06:44 CET
It is some of the same code that's still in libmspack today, just an older version of it.  libmspack is code for supporting the CHM file format.  I don't know what that russotto thing is, but it's probably based on the same code (as is cabextract).

As far as unbundling it, looking at the code, it's not obvious to me at all how you would do that.
Comment 14 Philippe Makowski 2015-02-21 19:23:26 CET
For what I see in calibre, the produced lzx.so is only used by this thin wrapper:
https://github.com/kovidgoyal/calibre/blob/master/src/calibre/ebooks/lit/lzx.py

If you can load a lib generated by libmspack instead of lzx.so, then it will be possible to unbundle.
Just don't build lzx.so (remove it from https://github.com/kovidgoyal/calibre/blob/master/setup/extensions.py) and change calibre/ebooks/lit/lzx.py to load your system lib, or symlink your system lib to calibre/plugins/lzx.so and test with a LIT file?

Installing calibre and testing with a symlink to the libmspack system lib instead of calibre/plugins/lzx.so can be the first test to see if we can easily unbundle,
but I have no LIT file to test.
Comment 15 David Walser 2015-03-05 21:25:29 CET
FYI, wxgtk was updated to 3.0.2 and linked against system libmspack.
Comment 16 Philippe Makowski 2015-04-16 18:36:33 CEST
(In reply to Philippe Makowski from comment #14)
> Installing calibre and test with symlink to libmspack system lib instead of
> calibre/plugins/lzx.so can be the first test to see if we can easily
> unbundle.
> but I have to LIT file to test.

But I don't have any LIT file to test; if someone gets one ...
Comment 17 Atilla ÖNTAŞ 2015-04-16 20:57:49 CEST
(In reply to Philippe Makowski from comment #16)
> (In reply to Philippe Makowski from comment #14)
> > Installing calibre and test with symlink to libmspack system lib instead of
> > calibre/plugins/lzx.so can be the first test to see if we can easily
> > unbundle.
> > but I have to LIT file to test.
> 
> But I don't have any  LIT file to test, if someone get one ...

I was looking at this for a long time but I cannot find a solution. Symlinking does not work. Also, the calibre developer isn't a packager-friendly one:
"WARNING: calibre is a highly complex piece of software with lots of very finicky dependencies. If you install from source, you are on your own. Please do not open bug reports or expect any form of support. You have been warned" from http://calibre-ebook.com/download_linux

Here is a link to a LIT format file; although the file is written in Turkish, it should not be a problem playing with it.

http://www.ormansu.gov.tr/COB/Files/ekitap/m_02.lit

Calibre uses the libmspack source code not as is but a modified version of it. I think we have two choices: one is disabling lzx support, which is not a thing that I want to do; the other is to let calibre continue to use the internal lzx module.
Comment 18 Atilla ÖNTAŞ 2015-10-15 11:09:55 CEST
Philippe, would you mind informing me whether you have tested the provided .lit document against the system libmspack or have found a solution for this?
Comment 19 Philippe Makowski 2015-10-15 11:27:05 CEST
No solution for now; Calibre uses old code, so we keep the bundle.
Comment 20 Samuel Verschelde 2016-10-10 23:03:30 CEST
Assigning to calibre maintainer since it's the only one remaining now.
