Your message dated Fri, 01 Sep 2017 11:49:59 +0000
with message-id <e1dnksv-0000rw...@fasolo.debian.org>
and subject line Bug#872595: fixed in calibre 3.7.0+dfsg-1
has caused the Debian Bug report #872595,
regarding calibre: please use system libmspack instead of embedded copy
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
872595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872595
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: calibre
Version: 3.4.0+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
Quack,
Sorry for the bad news, but Calibre embeds a very old version of
libmspack to build a plugin: /usr/lib/calibre/calibre/plugins/lzx.so
Unfortunately, this library had a few security issues over time, and
recently:
https://security-tracker.debian.org/tracker/source-package/libmspack
So this means Calibre is affected (all versions in Debian) by these two
security bugs and probably other older ones. The proper solution would
be to use the libmspack library which has been fixed with all the fixes
backported to stable and oldstable.
It is defined in 'setup/extensions.json' but I have no idea how to make
it use the system library so I have no patch to suggest.
Btw it seems 'src/calibre/utils/' contains a lot of borrowed code which
might lead to security problems too, so I would suggest to have a look
and work things out with upstream to at least have build flags to use
system libraries when available.
Regards.
--
Marc Dequènes
--- End Message ---
--- Begin Message ---
Source: calibre
Source-Version: 3.7.0+dfsg-1
We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 872...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Preining <prein...@debian.org> (supplier of updated calibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 30 Aug 2017 20:40:23 +0900
Source: calibre
Binary: calibre calibre-bin
Architecture: source amd64 all
Version: 3.7.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Miriam Ruiz <little_m...@yahoo.es>
Changed-By: Norbert Preining <prein...@debian.org>
Description:
 calibre - e-book converter and library management
 calibre-bin - e-book converter and library management
Closes: 872595
Changes:
 calibre (3.7.0+dfsg-1) unstable; urgency=medium
 .
   [ Martin Pitt ]
   * Whitespace fixes
 .
   [ Norbert Preining ]
   * New upstream version 3.7.0+dfsg
   * Rework .pyc generation using pycompile in postinst/postrm
     code copied from dh_python generated debhelper snippets.
   * do not delete _ui.py files in clean action
   * update list of installed files
   * add source override for wrong lintian check
   * add python-html5-parser to deps
   * bump standards version, no changes necessary
   * cherrypick upstream fix for mspack security issues (Closes: #872595)
--- End Message ---