Bug 1212457

Summary: chmlib is unmaintained and has multiple vulnerabilities
Product: [openSUSE] openSUSE Tumbleweed Reporter: Bruno Pitrus <brunopitrus>
Component: Security    Assignee: Dirk Mueller <dmueller>
Status: NEW --- QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: All
OS: openSUSE Tumbleweed
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Bruno Pitrus 2023-06-16 16:33:18 UTC
The last release of chmlib was in 2009 and upstream has been unresponsive ever since.

There have been vulnerabilities discovered in this library, e.g. https://www.exploit-db.com/exploits/18771

Most of the issues were reported against a Windows-only program called SumatraPDF which has forked chmlib at https://github.com/GerHobbelt/CHMLib and apparently patched the bugs.

Unfortunately the fork completely changes its API compared to the version of chmlib we ship and so the following apps CANNOT use the well-maintained version as-is:

> repoquery --whatrequires libchm0
calibre-0:6.17.0-1.3.x86_64
chmlib-devel-0:0.40-24.8.x86_64
chmlib-examples-0:0.40-24.8.x86_64
kchmviewer-0:8.0-3.1.x86_64
okular-0:23.04.2-1.1.x86_64
python310-pychm-0:0.8.6-1.18.x86_64
python311-pychm-0:0.8.6-1.18.x86_64
python39-pychm-0:0.8.6-1.18.x86_64
xchm-0:1.35-1.3.x86_64

A possible alternate solution would be to try re-adding the APIs and ABIs which were dropped in https://github.com/GerHobbelt/CHMLib/commit/f0f5b0f63e4341382bb0b379ba776f1795f7c208
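One way to measure the API/ABI gap the report describes before attempting a swap or a compatibility shim, as an added example that is not part of the bug report, of chmlib, or of the GerHobbelt fork: parse `nm -D` output for a consumer binary and for a candidate library, and list the `chm_` symbols the consumer imports that the library does not export. The symbol listings embedded below are constructed for the example; the chmlib 0.40 names are the library's public entry points, but the set the fork exports is an assumption and was not taken from its build.

```python
"""List consumer-required chm_ symbols that a candidate libchm does not export.

Input is the text format of binutils `nm -D` (dynamic symbol table):
    "<hex addr> <type letter> <name>"   for defined symbols
    "                 U <name>"         for undefined (imported) symbols
Newer binutils append "@VERSION" to names; the suffix is stripped.
"""
import re
from typing import Iterable

# Optional hex address, one type letter, then the symbol name.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")


def parse_nm(lines: Iterable[str]) -> tuple[set[str], set[str]]:
    """Return (defined, undefined) symbol name sets from nm -D style output."""
    defined: set[str] = set()
    undefined: set[str] = set()
    for line in lines:
        m = NM_LINE.match(line.strip())
        if not m:
            continue  # blank line or nm chatter such as "no symbols"
        sym_type, name = m.groups()
        name = name.split("@", 1)[0]  # drop symbol versioning, e.g. malloc@GLIBC_2.2.5
        if sym_type == "U":
            undefined.add(name)
        elif sym_type.isupper():
            # Uppercase = global: T/W code, D/B/R/V data. Lowercase locals are not exported.
            defined.add(name)
    return defined, undefined


def missing_symbols(consumer_nm: Iterable[str], lib_nm: Iterable[str],
                    prefix: str = "chm_") -> set[str]:
    """Symbols with `prefix` that the consumer imports but the library does not define."""
    _, needed = parse_nm(consumer_nm)
    provided, _ = parse_nm(lib_nm)
    return {s for s in needed if s.startswith(prefix)} - provided


# --- constructed sample data (not real nm output captured from any binary) ---

# Exports of the shipped chmlib 0.40 soname, listing its public entry points.
OLD_LIBCHM_NM = """\
0000000000001a20 T chm_open
0000000000001c40 T chm_close
0000000000001e00 T chm_set_param
0000000000002100 T chm_resolve_object
0000000000002400 T chm_retrieve_object
0000000000002900 T chm_enumerate
0000000000002d00 T chm_enumerate_dir
                 U malloc@GLIBC_2.2.5
"""

# Hypothetical export set for the forked library: assumes two entry points were dropped.
FORK_LIBCHM_NM = """\
0000000000003a20 T chm_open
0000000000003c40 T chm_close
0000000000004100 T chm_resolve_object
0000000000004400 T chm_retrieve_object
0000000000004900 T chm_enumerate
                 U malloc@GLIBC_2.2.5
"""

# Imports of a hypothetical CHM viewer linked against libchm0.
CONSUMER_NM = """\
                 U chm_open
                 U chm_close
                 U chm_set_param
                 U chm_resolve_object
                 U chm_retrieve_object
                 U chm_enumerate_dir
                 U strlen@GLIBC_2.2.5
"""


def main() -> None:
    for label, lib in (("shipped libchm0", OLD_LIBCHM_NM), ("fork", FORK_LIBCHM_NM)):
        gap = missing_symbols(CONSUMER_NM.splitlines(), lib.splitlines())
        print(f"{label}: {'links cleanly' if not gap else 'missing ' + ', '.join(sorted(gap))}")


if __name__ == "__main__":
    main()
```

On a real system the two inputs come from `nm -D --undefined-only <consumer binary or plugin>` and `nm -D --defined-only <candidate libchm.so>`; a non-empty result is the list of functions a compatibility layer (the "re-adding the APIs and ABIs" option above) would have to provide, and an empty result only shows that names resolve, not that struct layouts or argument semantics still match.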