Uses outdated mspack with security problems

Bug #1713716 reported by Norbert Preining on 2017-08-29

Bug Description

Dear all,

src/calibre/utils/lzx contains an old version of mspack that is affected by some security bugs (see It would be nice if calibre could use updated mspack files and optionally allow for linking against the system mspack library to make the security team's work easier.

Thanks for consideration


It's on my TODO list.

However, I have injured my wrist, so I am staying away from
excessive keyboarding for a while. In the meantime you are welcome to
send a PR with patches against the calibre copy to fix the known bugs.

Fixed in branch master. The fix will be in the next release. calibre is usually released every alternate Friday.

 status fixreleased

Changed in calibre:
status: New → Fix Released
information type: Private Security → Public Security
Norbert Preining (preining) wrote :

Hi Kovid,

thanks for the quick fix. I have myself made a shot at building against system libmspack and want to try out whether it worked. Building did work. Do you have a sample book where this extension is necessary?



It is used for both LIT input and LIT output. Simply convert any file to
LIT and then convert it back.
