Bug 1212457 - chmlib is unmaintained and has multiple vulnerabilities
Summary: chmlib is unmaintained and has multiple vulnerabilities
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: All openSUSE Tumbleweed
Importance: P5 - None, Major
Target Milestone: ---
Assignee: Dirk Mueller
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-16 16:33 UTC by Bruno Pitrus
Modified: 2023-06-17 11:37 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Bruno Pitrus 2023-06-16 16:33:18 UTC
The last release of chmlib was in 2009 and upstream has been unresponsive ever since.

There have been vulnerabilities discovered in this library, e.g. https://www.exploit-db.com/exploits/18771

Most of the issues were reported against a Windows-only program called SumatraPDF, which has forked chmlib at https://github.com/GerHobbelt/CHMLib and apparently patched the bugs.

Unfortunately the fork completely changes its API compared to the version of chmlib we ship, and so the following apps CANNOT use the well-maintained version as-is:

> repoquery --whatrequires libchm0
calibre-0:6.17.0-1.3.x86_64
chmlib-devel-0:0.40-24.8.x86_64
chmlib-examples-0:0.40-24.8.x86_64
kchmviewer-0:8.0-3.1.x86_64
okular-0:23.04.2-1.1.x86_64
python310-pychm-0:0.8.6-1.18.x86_64
python311-pychm-0:0.8.6-1.18.x86_64
python39-pychm-0:0.8.6-1.18.x86_64
xchm-0:1.35-1.3.x86_64

A possible alternate solution would be to try re-adding the APIs and ABIs which were dropped in https://github.com/GerHobbelt/CHMLib/commit/f0f5b0f63e4341382bb0b379ba776f1795f7c208
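The report's core claim is an ABI break: the fork drops exported functions that the packages listed above still link against. The following shell script is an added example (not from the bug report, and not code from either chmlib tree) showing how a packager would verify that claim before deciding between switching to the fork and re-adding the dropped symbols. It compares the dynamic symbol tables of the old and new libchm.so with nm(1) and comm(1), and then checks which of a consumer's undefined chm_* symbols the fork no longer provides. The symbol lists embedded below are constructed sample data: the names mimic chmlib's chm_* API, but which ones the fork keeps, and what any real consumer imports, are assumptions for the demo, not facts about the real libraries.

```shell
#!/bin/sh
# Added example: ABI-diff two builds of a shared library and check a consumer
# against the newer one. Real usage replaces the constructed lists below with:
#   exported_symbols /usr/lib64/libchm.so.0            > old.syms
#   exported_symbols /path/to/fork/build/libchm.so     > new.syms
#   imported_symbols /usr/bin/xchm                     > consumer.syms

exported_symbols() {
  # $1: shared object. Print its defined dynamic symbols (text/data), sorted.
  nm -D --defined-only "$1" | awk '$2 ~ /^[TWBDR]$/ {print $3}' | sort -u
}

imported_symbols() {
  # $1: consumer binary or library. Print the chm_* symbols it expects to
  # resolve at load time, sorted. Versioned names (sym@LIB) are stripped.
  nm -D --undefined-only "$1" | awk '{print $NF}' | sed 's/@.*//' \
    | grep '^chm_' | sort -u
}

dropped_symbols() {
  # $1: old list, $2: new list. Names exported by old but not by new.
  comm -23 "$1" "$2"
}

added_symbols() {
  # $1: old list, $2: new list. Names exported by new but not by old.
  comm -13 "$1" "$2"
}

unresolved_for_consumer() {
  # $1: consumer's imported list, $2: library's exported list.
  # Names the consumer needs that the library does not provide; a non-empty
  # result means the consumer cannot use that library build as-is.
  comm -23 "$1" "$2"
}

workdir=$(mktemp -d)

# Constructed sample data (assumption, not real nm output from either tree).
printf '%s\n' chm_close chm_enumerate chm_enumerate_dir chm_open \
  chm_resolve_object chm_retrieve_object chm_set_param \
  | sort > "$workdir/old.syms"
printf '%s\n' chm_close chm_enumerate chm_open chm_resolve_object \
  chm_retrieve_object chm_open_from_memory \
  | sort > "$workdir/new.syms"
# A hypothetical viewer that walks directories and tunes the cache size.
printf '%s\n' chm_open chm_enumerate_dir chm_retrieve_object chm_set_param \
  chm_close | sort > "$workdir/viewer.syms"

echo "Symbols dropped by the fork:"
dropped_symbols "$workdir/old.syms" "$workdir/new.syms"
echo "Symbols added by the fork:"
added_symbols "$workdir/old.syms" "$workdir/new.syms"
echo "Viewer imports the fork cannot satisfy:"
unresolved_for_consumer "$workdir/viewer.syms" "$workdir/new.syms"
```

Run the three list-producing functions against the real files and the output of `unresolved_for_consumer` is exactly the set of functions that would have to be re-added to the fork (the report's alternate solution) for that consumer to link unchanged; an empty result for every reverse dependency from the repoquery above means the fork can be dropped in as-is. Note that this checks symbol presence only, not signature or struct-layout changes, so a header diff of chm_lib.h is still needed before calling the two builds ABI-compatible.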