Uses outdated mspack with security problems

Bug #1713716 reported by Norbert Preining on 2017-08-29
Affects: calibre
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dear all,

src/calibre/utils/lzx contains an old version of mspack that is affected by some security bugs (see https://security-tracker.debian.org/tracker/source-package/libmspack). It would be nice if calibre could use updated mspack files and optionally allow for linking against the system mspack library to make the security team's work easier.

Thanks for consideration

Norbert

It's on my TODO list.

However, I have injured my wrist, so I am staying away from
excessive keyboarding for a while. In the meantime you are welcome to
send a PR with patches against the calibre copy to fix the known bugs.

Fixed in branch master. The fix will be in the next release. calibre is usually released every alternate Friday.

 status fixreleased

Changed in calibre:
status: New → Fix Released
information type: Private Security → Public Security
Norbert Preining (preining) wrote:

Hi Kovid,

thanks for the quick fix. I have myself made a shot at building against system libmspack and want to try out whether it worked. Building did work. Do you have a sample book where this extension is necessary?

Thanks

Norbert

It is used for both LIT input and LIT output. Simply convert any file to
LIT and then convert it back.
