Debian Bug report logs - #872595
calibre: please use system libmspack instead of embedded copy


Package: src:calibre; Maintainer for src:calibre is Calibre maintainer team <team+calibre@tracker.debian.org>;

Reported by: duck@duckcorp.org

Date: Fri, 18 Aug 2017 23:27:02 UTC

Severity: important

Tags: security, upstream

Found in versions calibre/2.5.0+dfsg-1, calibre/3.4.0+dfsg-1

Done: yokota <yokota.hgml@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#872595; Package src:calibre. (Fri, 18 Aug 2017 23:27:04 GMT)


Acknowledgement sent to duck@duckcorp.org:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Miriam Ruiz <little_miry@yahoo.es>. (Fri, 18 Aug 2017 23:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marc Dequènes (duck) <duck@duckcorp.org>
To: Debian BTS <submit@bugs.debian.org>
Subject: calibre: please use system libmspack instead of embedded copy
Date: Sat, 19 Aug 2017 08:25:18 +0900
Source: calibre
Version: 3.4.0+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-CC: team@security.debian.org


Quack,

Sorry for the bad news, but Calibre embeds a very old version of 
libmspack to build a plugin: /usr/lib/calibre/calibre/plugins/lzx.so

Unfortunately, this library had a few security issues over time, and 
recently:
  https://security-tracker.debian.org/tracker/source-package/libmspack

So this means Calibre is affected (all versions in Debian) by these two 
security bugs and probably other older ones. The proper solution would 
be to use the libmspack library, which has been fixed with all the fixes 
backported to stable and oldstable.

It is defined in 'setup/extensions.json', but I have no idea how to make 
it use the system library, so I have no patch to suggest.

Btw it seems 'src/calibre/utils/' contains a lot of borrowed code which 
might lead to security problems too, so I would suggest having a look 
and working things out with upstream to at least have build flags to use 
system libraries when available.

Regards.

-- 
Marc Dequènes



Marked as found in versions calibre/2.5.0+dfsg-1. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 19 Aug 2017 06:33:06 GMT)


Reply sent to Norbert Preining <preining@debian.org>:
You have taken responsibility. (Fri, 01 Sep 2017 11:51:03 GMT)


Notification sent to duck@duckcorp.org:
Bug acknowledged by developer. (Fri, 01 Sep 2017 11:51:03 GMT)


Message #12 received at 872595-close@bugs.debian.org:

From: Norbert Preining <preining@debian.org>
To: 872595-close@bugs.debian.org
Subject: Bug#872595: fixed in calibre 3.7.0+dfsg-1
Date: Fri, 01 Sep 2017 11:49:59 +0000
Source: calibre
Source-Version: 3.7.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <preining@debian.org> (supplier of updated calibre package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 Aug 2017 20:40:23 +0900
Source: calibre
Binary: calibre calibre-bin
Architecture: source amd64 all
Version: 3.7.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Miriam Ruiz <little_miry@yahoo.es>
Changed-By: Norbert Preining <preining@debian.org>
Description:
 calibre    - e-book converter and library management
 calibre-bin - e-book converter and library management
Closes: 872595
Changes:
 calibre (3.7.0+dfsg-1) unstable; urgency=medium
 .
   [ Martin Pitt ]
   * Whitespace fixes
 .
   [ Norbert Preining ]
   * New upstream version 3.7.0+dfsg
   * Rework .pyc generation using pycompile in postinst/postrm
     code copied from dh_python generated debhelper snippets.
   * do not delete _ui.py files in clean action
   * update list of installed files
   * add source override for wrong lintian check
   * add python-html5-parser to deps
   * bump standards version, no changes necessary
   * cherrypick upstream fix for mspack security issues (Closes: #872595)





Information forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#872595; Package src:calibre. (Fri, 01 Sep 2017 14:48:05 GMT)


Acknowledgement sent to duck@duckcorp.org:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>. (Fri, 01 Sep 2017 14:48:05 GMT)


Message #17 received at 872595@bugs.debian.org:

From: Marc Dequènes (duck) <duck@duckcorp.org>
To: 872595@bugs.debian.org
Subject: Re: Bug#872595 closed by Norbert Preining <preining@debian.org> (Bug#872595: fixed in calibre 3.7.0+dfsg-1)
Date: Fri, 01 Sep 2017 23:38:02 +0900
Control: -1 reopen


Quack,

Upstream ported the patch which fixes this one-off security problem, 
very well. Unfortunately this bug report is not about it, even if it was 
an example of how harmful having a copy of the code is.

So it seems you don't get me right and I would encourage you to read the 
Debian Policy section 4.13 about this problem. Calibre has no good 
reason to borrow code from a maintained and packaged library. This 
library is lightweight and does not drag any other dependency, so 
upstream should not be shy about it.

I'm adding the security team so they don't miss this problem and how 
this package (all versions) is affected by the libmspack security issues 
(part of).

Regards.
\_o<

-- 
Marc Dequènes



Bug reopened. Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (Mon, 04 Sep 2017 20:48:03 GMT)


No longer marked as fixed in versions calibre/3.7.0+dfsg-1. Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (Mon, 04 Sep 2017 20:48:03 GMT)


Severity set to 'important' from 'grave'. Request was from Norbert Preining <norbert@preining.info> to control@bugs.debian.org. (Mon, 04 Sep 2017 23:00:03 GMT)


Reply sent to yokota <yokota.hgml@gmail.com>:
You have taken responsibility. (Sun, 13 Feb 2022 04:15:03 GMT)


Notification sent to duck@duckcorp.org:
Bug acknowledged by developer. (Sun, 13 Feb 2022 04:15:03 GMT)


Message #28 received at 872595-close@bugs.debian.org:

From: yokota <yokota.hgml@gmail.com>
To: 872595-close@bugs.debian.org
Subject: Bug#872595: fixed in calibre 3.7.0+dfsg-1
Date: Sun, 13 Feb 2022 13:11:29 +0900
Tags: wontfix

"libmspack" only exports top-level function symbols.
And low-level functions like LZX are not usable from other programs
like Calibre.

So, Calibre can't use "libmspack".

Thanks.
--
YOKOTA
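A check for the concern raised in the two messages above (the reporter's embedded copy built into lzx.so, and the reply's point that libmspack exports only its top-level symbols), added here and not part of the bug report: this shell function inspects a shared object's DT_NEEDED entries and exported dynamic symbols to tell a module that links the packaged libmspack from one carrying its own LZX decoder. It assumes binutils (`readelf`, `nm`) is on PATH and that an lzxd.c compiled into a plugin exports `lzxd_*` symbols; the plugin path is the one named in the report.

```shell
# Added example, not from the bug report: classify how a plugin such as
# /usr/lib/calibre/calibre/plugins/lzx.so gets its LZX decoder.
# Assumes binutils (readelf, nm) on PATH.
mspack_linkage() {
    so="$1"
    if [ ! -r "$so" ]; then
        echo "unreadable: $so" >&2
        return 2
    fi
    # DT_NEEDED entries are the shared libraries the dynamic loader resolves;
    # a module using the packaged library would list libmspack.so.N here.
    needed=$(readelf -d "$so" 2>/dev/null \
        | awk '/\(NEEDED\)/ { gsub(/\[|\]/, "", $NF); print $NF }')
    # An lzxd.c compiled into a -fPIC module exports its lzxd_* functions in
    # .dynsym unless visibility was restricted, so they mark an embedded copy.
    embedded=$(nm -D --defined-only "$so" 2>/dev/null \
        | awk '$NF ~ /^lzxd_/ { print $NF }')
    if printf '%s\n' "$needed" | grep -q '^libmspack\.so'; then
        echo "system"    # LZX comes from the packaged libmspack
    elif [ -n "$embedded" ]; then
        echo "embedded"  # private copy: misses libmspack security updates
    else
        echo "unknown"   # stripped/hidden symbols or an unrelated module
    fi
}
```

Run it as `mspack_linkage /usr/lib/calibre/calibre/plugins/lzx.so`; a result of "embedded" is the situation the report describes, and a stripped module with hidden visibility reports "unknown" rather than a false "system".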



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Mar 2022 07:32:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 22:33:37 2024; Machine Name: buxtehude
