GNU bug report logs -
#28972
[PATCH] gnu: Remove unrar.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Tue, 24 Oct 2017 18:53:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28972 in the body.
You can then email your comments to 28972 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 18:53:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Tue, 24 Oct 2017 18:53:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This package is abandoned upstream and contains serious bugs:
http://seclists.org/oss-sec/2017/q3/329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
* gnu/packages/compression.scm (unrar): Remove variable.
---
gnu/packages/compression.scm | 18 ------------------
1 file changed, 18 deletions(-)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index a2bf3a186..c06c3c52e 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
archives from InstallShield installers.")
(license license:expat)))
-(define-public unrar
- (package
- (name "unrar")
- (version "0.0.1")
- (source (origin
- (method url-fetch)
- (uri (string-append
- "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
- (sha256
- (base32
- "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
- (build-system gnu-build-system)
- (home-page "http://download.gna.org/unrar")
- (synopsis "RAR archive extraction tool")
- (description "Unrar is a simple command-line program to list and extract
-RAR archives.")
- (license license:gpl2+)))
-
(define-public zstd
(package
(name "zstd")
--
2.14.3
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 19:09:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 28972 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari transcribed 1.4K bytes:
> This package is abandoned upstream and contains serious bugs:
>
> http://seclists.org/oss-sec/2017/q3/329
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
Oh oh. Do we have another package providing the binar(ies) and function
unrar has?
> * gnu/packages/compression.scm (unrar): Remove variable.
> ---
> gnu/packages/compression.scm | 18 ------------------
> 1 file changed, 18 deletions(-)
>
> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> index a2bf3a186..c06c3c52e 100644
> --- a/gnu/packages/compression.scm
> +++ b/gnu/packages/compression.scm
> @@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
> archives from InstallShield installers.")
> (license license:expat)))
>
> -(define-public unrar
> - (package
> - (name "unrar")
> - (version "0.0.1")
> - (source (origin
> - (method url-fetch)
> - (uri (string-append
> - "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
> - (sha256
> - (base32
> - "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
> - (build-system gnu-build-system)
> - (home-page "http://download.gna.org/unrar")
> - (synopsis "RAR archive extraction tool")
> - (description "Unrar is a simple command-line program to list and extract
> -RAR archives.")
> - (license license:gpl2+)))
> -
> (define-public zstd
> (package
> (name "zstd")
> --
> 2.14.3
>
>
>
>
>
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 19:23:02 GMT)
Full text and
rfc822 format available.
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
Perhaps The Unarchiver (unar, no R in the middle)?
See <https://directory.fsf.org/wiki/Unar>
ng0 <ng0 <at> infotropique.org> writes:
> Leo Famulari transcribed 1.4K bytes:
>> This package is abandoned upstream and contains serious bugs:
>>
>> http://seclists.org/oss-sec/2017/q3/329
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
>
> Oh oh. Do we have another package providing the binar(ies) and function
> unrar has?
>
>> * gnu/packages/compression.scm (unrar): Remove variable.
>> ---
>> gnu/packages/compression.scm | 18 ------------------
>> 1 file changed, 18 deletions(-)
>>
>> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
>> index a2bf3a186..c06c3c52e 100644
>> --- a/gnu/packages/compression.scm
>> +++ b/gnu/packages/compression.scm
>> @@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
>> archives from InstallShield installers.")
>> (license license:expat)))
>>
>> -(define-public unrar
>> - (package
>> - (name "unrar")
>> - (version "0.0.1")
>> - (source (origin
>> - (method url-fetch)
>> - (uri (string-append
>> - "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
>> - (sha256
>> - (base32
>> - "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
>> - (build-system gnu-build-system)
>> - (home-page "http://download.gna.org/unrar")
>> - (synopsis "RAR archive extraction tool")
>> - (description "Unrar is a simple command-line program to list and extract
>> -RAR archives.")
>> - (license license:gpl2+)))
>> -
>> (define-public zstd
>> (package
>> (name "zstd")
>> --
>> 2.14.3
>>
>>
>>
>>
>>
--
- https://libreplanet.org/wiki/User:Adfeno
- Palestrante e consultor sobre /software/ livre (não confundir com
gratis).
- "WhatsApp"? Ele não é livre. Por favor, veja formas de se comunicar
instantaneamente comigo no endereço abaixo.
- Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
- Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
Office, MP3, MP4, WMA, WMV.
- Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
(apenas sem DRM), PNG, TXT, WEBM.
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 19:31:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 28972 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Adonay Felipe Nogueira transcribed 2.4K bytes:
> Perhaps The Unarchiver (unar, no R in the middle)?
>
> See <https://directory.fsf.org/wiki/Unar>
Well it exists, but we certainly don't have it in Guix.
I want to have this packaged first before we drop unrar
to avoid any sudden surprises.
> ng0 <ng0 <at> infotropique.org> writes:
>
> > Leo Famulari transcribed 1.4K bytes:
> >> This package is abandoned upstream and contains serious bugs:
> >>
> >> http://seclists.org/oss-sec/2017/q3/329
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
> >
> > Oh oh. Do we have another package providing the binar(ies) and function
> > unrar has?
> >
> >> * gnu/packages/compression.scm (unrar): Remove variable.
> >> ---
> >> gnu/packages/compression.scm | 18 ------------------
> >> 1 file changed, 18 deletions(-)
> >>
> >> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> >> index a2bf3a186..c06c3c52e 100644
> >> --- a/gnu/packages/compression.scm
> >> +++ b/gnu/packages/compression.scm
> >> @@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
> >> archives from InstallShield installers.")
> >> (license license:expat)))
> >>
> >> -(define-public unrar
> >> - (package
> >> - (name "unrar")
> >> - (version "0.0.1")
> >> - (source (origin
> >> - (method url-fetch)
> >> - (uri (string-append
> >> - "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
> >> - (sha256
> >> - (base32
> >> - "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
> >> - (build-system gnu-build-system)
> >> - (home-page "http://download.gna.org/unrar")
> >> - (synopsis "RAR archive extraction tool")
> >> - (description "Unrar is a simple command-line program to list and extract
> >> -RAR archives.")
> >> - (license license:gpl2+)))
> >> -
> >> (define-public zstd
> >> (package
> >> (name "zstd")
> >> --
> >> 2.14.3
> >>
> >>
> >>
> >>
> >>
>
> --
> - https://libreplanet.org/wiki/User:Adfeno
> - Palestrante e consultor sobre /software/ livre (não confundir com
> gratis).
> - "WhatsApp"? Ele não é livre. Por favor, veja formas de se comunicar
> instantaneamente comigo no endereço abaixo.
> - Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
> - Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
> Office, MP3, MP4, WMA, WMV.
> - Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
> GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
> (apenas sem DRM), PNG, TXT, WEBM.
>
>
>
>
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 20:10:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 28972 <at> debbugs.gnu.org (full text, mbox):
Am 24.10.2017 um 21:07 schrieb ng0:
> Leo Famulari transcribed 1.4K bytes:
>> This package is abandoned upstream and contains serious bugs:
>>
>> http://seclists.org/oss-sec/2017/q3/329
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
>
> Oh oh. Do we have another package providing the binar(ies) and function
> unrar has?
>
Is anything actually using unrar?
grep -r unrar in guix-git/gnu/ gives me no relevant hits
I tried to add it as input for the mcomix package when I packaged
mcomix, but it was unusable and couldn't open a single file.
I remember that it behaved weird and unexpected and sometimes asked for
passwords on stdin when the file wasn't encrypted.
It is very outdated and the rar standard it supports has been replaced
around 15 years ago.
The closest replacement that I know is libarchive, it's not a
commandline utility like unrar, but it is used in file-roller which can
open some rars.
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 20:26:01 GMT)
Full text and
rfc822 format available.
Message #20 received at 28972 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Oct 24, 2017 at 10:09:00PM +0200, nee wrote:
> Am 24.10.2017 um 21:07 schrieb ng0:
> > Leo Famulari transcribed 1.4K bytes:
> >> This package is abandoned upstream and contains serious bugs:
> >
> > Oh oh. Do we have another package providing the binar(ies) and function
> > unrar has?
> >
> Is anything actually using unrar?
>
> grep -r unrar in guix-git/gnu/ gives me no relevant hits
>
> I tried to add it as input for the mcomix package when I packaged
> mcomix, but it was unusable and couldn't open a single file.
> I remember that it behaved weird and unexpected and sometimes asked for
> passwords on stdin when the file wasn't encrypted.
>
> It is very outdated and the rar standard it supports has been replaced
> around 15 years ago.
Agreed, I don't know if this software is useful anymore, and it isn't
used by any of our packages.
> The closest replacement that I know is libarchive, it's not a
> commandline utility like unrar, but it is used in file-roller which can
> open some rars.
There is also the Python module packaged in Guix as python-rarfile.
Is anyone using this unrar package? Please speak up. And, please check
if file-roller will work for you.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 20:37:01 GMT)
Full text and
rfc822 format available.
Message #23 received at 28972 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
nee transcribed 1.0K bytes:
> Am 24.10.2017 um 21:07 schrieb ng0:
> > Leo Famulari transcribed 1.4K bytes:
> >> This package is abandoned upstream and contains serious bugs:
> >>
> >> http://seclists.org/oss-sec/2017/q3/329
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
> >
> > Oh oh. Do we have another package providing the binar(ies) and function
> > unrar has?
> >
> Is anything actually using unrar?
>
> grep -r unrar in guix-git/gnu/ gives me no relevant hits
There is a using and using.
Some applications make use of unrar without us rewriting every occurence
of "unrar" in them (for example 'mc').
> I tried to add it as input for the mcomix package when I packaged
> mcomix, but it was unusable and couldn't open a single file.
> I remember that it behaved weird and unexpected and sometimes asked for
> passwords on stdin when the file wasn't encrypted.
>
> It is very outdated and the rar standard it supports has been replaced
> around 15 years ago.
>
> The closest replacement that I know is libarchive, it's not a
> commandline utility like unrar, but it is used in file-roller which can
> open some rars.
>
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 20:41:02 GMT)
Full text and
rfc822 format available.
Message #26 received at 28972 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari transcribed 2.2K bytes:
> On Tue, Oct 24, 2017 at 10:09:00PM +0200, nee wrote:
> > Am 24.10.2017 um 21:07 schrieb ng0:
> > > Leo Famulari transcribed 1.4K bytes:
> > >> This package is abandoned upstream and contains serious bugs:
> > >
> > > Oh oh. Do we have another package providing the binar(ies) and function
> > > unrar has?
> > >
> > Is anything actually using unrar?
> >
> > grep -r unrar in guix-git/gnu/ gives me no relevant hits
> >
> > I tried to add it as input for the mcomix package when I packaged
> > mcomix, but it was unusable and couldn't open a single file.
> > I remember that it behaved weird and unexpected and sometimes asked for
> > passwords on stdin when the file wasn't encrypted.
> >
> > It is very outdated and the rar standard it supports has been replaced
> > around 15 years ago.
>
> Agreed, I don't know if this software is useful anymore, and it isn't
> used by any of our packages.
>
> > The closest replacement that I know is libarchive, it's not a
> > commandline utility like unrar, but it is used in file-roller which can
> > open some rars.
The problem is "some".
> There is also the Python module packaged in Guix as python-rarfile.
>
> Is anyone using this unrar package? Please speak up. And, please check
> if file-roller will work for you.
As I pointed out in the previous email, mc uses it.
I personally use unrar for some files which are older than 15 years,
but I'm okay with just taking our unrar and maintain it in my repository.
The reason why I'm asking to reconsider until we have a replament is
software such as mc. We can not[*] search every line of sourcecode
of packages we have to see where unrar is implicitly used without
a store reference.
*: We could, but that's a good way to waste resources.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Tue, 24 Oct 2017 21:15:02 GMT)
Full text and
rfc822 format available.
Message #29 received at 28972 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Oct 24, 2017 at 08:40:32PM +0000, ng0 wrote:
> > On Tue, Oct 24, 2017 at 10:09:00PM +0200, nee wrote:
> > > The closest replacement that I know is libarchive, it's not a
> > > commandline utility like unrar, but it is used in file-roller which can
> > > open some rars.
>
> The problem is "some".
Does anyone know what the problem is that prevents "some" from becoming
"all"?
File-roller is a graphical application, so it's not really a replacement
for unrar anyways, even if it could handle all the same files. Is there
really no command-line alternative to our buggy unrar?
> As I pointed out in the previous email, mc uses it.
> I personally use unrar for some files which are older than 15 years,
> but I'm okay with just taking our unrar and maintain it in my repository.
>
> The reason why I'm asking to reconsider until we have a replament is
> software such as mc. We can not[*] search every line of sourcecode
> of packages we have to see where unrar is implicitly used without
> a store reference.
Okay, thanks for this information. It's true that we can't effectively
search for this kind of command-line use.
We had mc packaged for a few years before unrar was added, so the fact
that mc can use unrar does not mean that we must keep unrar.
My opinion is that keeping unrar packaged even though it can be
exploited by attackers who can provide a crafted RAR file does not help
Guix users.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#28972; Package
guix-patches.
(Wed, 25 Oct 2017 14:47:02 GMT)
Full text and
rfc822 format available.
Message #32 received at 28972 <at> debbugs.gnu.org (full text, mbox):
Adonay Felipe Nogueira <adfeno <at> hyperbola.info> writes:
> Perhaps The Unarchiver (unar, no R in the middle)?
>
> See <https://directory.fsf.org/wiki/Unar>
I tried packaging this once, but it is quite difficult as it depends on
an Objective C compiler (which is currently broken in Guix due to the
fact that GCC doesn’t find it) and GNUstep (which is not fully packaged
yet).
I agree with Leo to remove the outdated unrar package. Waiting for the
alternative to be packaged would not be reasonable, given the size of
the task.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Sun, 12 Nov 2017 21:21:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Sun, 12 Nov 2017 21:21:02 GMT)
Full text and
rfc822 format available.
Message #37 received at 28972-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Wed, Oct 25, 2017 at 04:30:43PM +0200, Ricardo Wurmus wrote:
>
> Adonay Felipe Nogueira <adfeno <at> hyperbola.info> writes:
>
> > Perhaps The Unarchiver (unar, no R in the middle)?
> >
> > See <https://directory.fsf.org/wiki/Unar>
>
> I tried packaging this once, but it is quite difficult as it depends on
> an Objective C compiler (which is currently broken in Guix due to the
> fact that GCC doesn’t find it) and GNUstep (which is not fully packaged
> yet).
>
> I agree with Leo to remove the outdated unrar package. Waiting for the
> alternative to be packaged would not be reasonable, given the size of
> the task.
Removed with commit 2560aa7adbfcb46306e8b19180bd48d39c2da6dc.
If anyone is interested in maintaining a package outside of Guix, Debian
has written some patches for the recently discovered bugs, distributed
in their package version 1:0.0.1+cvs20140707-4:
https://packages.debian.org/sid/unrar-free
http://http.debian.net/debian/pool/main/u/unrar-free/unrar-free_0.0.1+cvs20140707-4.debian.tar.xz
I thought about taking these patches, but the bug reporter said it took
them only "a few minutes" to find these bugs, so I'm not optimistic
about the state of this program, at least if it is not maintained
upstream.
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 11 Dec 2017 12:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 138 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.