Uses outdated mspack with security problems

Bug #1713716 reported by Norbert Preining
This bug affects 1 person
Affects: calibre
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dear all,

src/calibre/utils/lzx contains an old version of mspack that is affected by some security bugs (see https://security-tracker.debian.org/tracker/source-package/libmspack). It would be nice if calibre could use updated mspack files and optionally allow for linking against the system mspack library to make the security team's work easier.

Thanks for consideration

Norbert

Kovid Goyal (kovid) wrote : Re: calibre bug 1713716

It's on my TODO list.

However, I have injured my wrist, so I am staying away from
excessive keyboarding for a while. In the meantime you are welcome to
send a PR with patches against the calibre copy to fix the known bugs.

Kovid Goyal (kovid) wrote : Fixed in master

Fixed in branch master. The fix will be in the next release. calibre is usually released every alternate Friday.

 status fixreleased

Changed in calibre:
status: New → Fix Released
information type: Private Security → Public Security
Norbert Preining (preining) wrote :

Hi Kovid,

thanks for the quick fix. I have myself made a shot at building against system libmspack and want to try out whether it worked. Building did work. Do you have a sample book where this extension is necessary?

Thanks

Norbert

Kovid Goyal (kovid) wrote : Re: calibre bug 1713716

It is used for both LIT input and LIT output. Simply convert any file to
LIT and then convert it back.

This report contains Public Security information  
Everyone can see this security related information.
