Your message dated Sun, 13 Feb 2022 13:11:29 +0900
with message-id <ca+0c0dutp3gorka0kninvoqczo3bt5qmjsklnn9h9pv6pum...@mail.gmail.com>
and subject line Bug#872595: fixed in calibre 3.7.0+dfsg-1
has caused the Debian Bug report #872595,
regarding calibre: please use system libmspack instead of embedded copy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
872595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872595
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: calibre
Version: 3.4.0+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-CC: [email protected]


Quack,

Sorry for the bad news, but Calibre embeds a very old version of libmspack to build a plugin: /usr/lib/calibre/calibre/plugins/lzx.so

Unfortunately, this library had a few security issues over time, and recently:
  https://security-tracker.debian.org/tracker/source-package/libmspack

So this means Calibre is affected (all versions in Debian) by these two security bugs and probably other older ones. The proper solution would be to use the libmspack library which has been fixed with all the fixes backported to stable and oldstable.

It is defined in 'setup/extensions.json' but I have no idea how to make it use the system library so I have no patch to suggest.

Btw it seems 'src/calibre/utils/' contains a lot of borrowed code which might lead to security problems too, so I would suggest having a look and working things out with upstream to at least have build flags to use system libraries when available.

Regards.

--
Marc Dequènes

--- End Message ---
--- Begin Message ---
Tags: wontfix

"libmspack" only exports top-level function symbols.
And low-level functions like LZX are not usable from other programs
like Calibre.

So, Calibre can't use "libmspack".

Thanks.
--
YOKOTA

--- End Message ---
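An added check, not part of the bug thread or the calibre package, for the situation the two messages describe: whether a built plugin such as lzx.so links the system libmspack (a DT_NEEDED entry) or carries its own copy of the LZX sources (it defines libmspack's internal lzxd_* functions itself, so security fixes to the system library never reach it). The lzxd_* names come from libmspack's lzx.h, the output formats are those of GNU `readelf -d` and `nm -D`, and the sample output is constructed.

```python
import re
import subprocess

# Functions libmspack's LZX decompressor defines (lzxd.c, declared in lzx.h). An object
# that defines them itself was built from its own copy of the sources: the "embedded
# copy" in the bug report. Assumption: the build does not hide them with -fvisibility.
LZX_INTERNAL_SYMBOLS = {"lzxd_init", "lzxd_decompress", "lzxd_free", "lzxd_set_output_length"}
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

def needed_libraries(readelf_dyn: str) -> set[str]:
    """DT_NEEDED entries parsed from `readelf -d` output."""
    return set(NEEDED_RE.findall(readelf_dyn))

def defined_symbols(nm_dynamic: str) -> set[str]:
    """Symbols the object defines itself, parsed from `nm -D` output.

    Defined symbols print as `<addr> <type> <name>`; undefined references print as
    `U <name>` with no address (two fields) and are skipped.
    """
    defined = set()
    for line in nm_dynamic.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] in {"T", "t", "W", "w"}:
            defined.add(fields[2])
    return defined

def classify_mspack_linkage(needed: set[str], defined: set[str]) -> str:
    """'embedded': carries its own LZX code; 'system': links libmspack.so; 'none': neither."""
    if defined & LZX_INTERNAL_SYMBOLS:
        return "embedded"
    if any(lib.startswith("libmspack.so") for lib in needed):
        return "system"
    return "none"

def _stdout(*argv: str) -> str:
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

def classify_file(path: str) -> str:
    """Run readelf/nm on a real object, e.g. /usr/lib/calibre/calibre/plugins/lzx.so."""
    return classify_mspack_linkage(needed_libraries(_stdout("readelf", "-d", path)),
                                   defined_symbols(_stdout("nm", "-D", path)))

# Constructed sample output for a plugin built from an embedded libmspack copy:
# it needs only libc and defines the lzxd_* functions itself.
SAMPLE_READELF = " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
SAMPLE_NM = ("0000000000001a20 T lzxd_init\n0000000000002140 T lzxd_decompress\n"
             "0000000000001b00 T lzxd_free\n                 U malloc\n")

if __name__ == "__main__":
    print(classify_mspack_linkage(needed_libraries(SAMPLE_READELF), defined_symbols(SAMPLE_NM)))
```

Run `classify_file()` over every `.so` a package ships to find the objects that will keep an old decompressor after the system libmspack is updated.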
