Josselin Mouette
2011-Nov-12 12:27 UTC
[Secure-testing-team] Bug#648508: cabextract, evolution-ews, msn-pecan, clamav, calibre: Embedded code copies of libmspack
Package: cabextract,evolution-ews,msn-pecan,clamav,calibre
Severity: normal
Tags: security

Hi,

the following packages include embedded copies of libmspack:
- cabextract can use the external libmspack, but it is not packaged in Debian.
- evolution-ews includes a modified version of an older libmspack.
- msn-pecan includes a complete copy of an older libmspack, it could probably be made to use it instead.
- clamav embeds a modified version of an older libmspack.
- calibre embeds a complete copy of an older libmspack, it could probably be made to use an external one instead.

There may be other packages impacted. For example I found traces of it in older versions of spamassassin and OOo. I have not conducted a thorough check of the archive.

This report is here to track the issue and inform the security team of its existence. If we want it fixed, someone needs to step up and package libmspack so that other packages can use it instead of embedding.

Cheers,
--
.''''`.  Josselin Mouette
: :'' :
`. `''
  `-
Josselin Mouette
2011-Nov-12 16:21 UTC
[Secure-testing-team] Bug#648508: cabextract, evolution-ews, msn-pecan, clamav, calibre: Embedded code copies of libmspack
reassign 648508 cabextract,evolution-ews,msn-pecan,clamav,calibre,wine,wine-unstable,chmlib,convlit
thanks

A more thorough check gave me hits on 4 more new source packages: wine, wine-unstable, chmlib and convlit. All of them use modified copies of an older version of a subset of libmspack.

Cheers,
--
.''''`.  Josselin Mouette
: :'' :
`. `''
  `-