[bug#28972] [PATCH] gnu: Remove unrar.

[bug#28972] [PATCH] gnu: Remove unrar.

[Leo Famulari]

This package is abandoned upstream and contains serious bugs:

http://seclists.org/oss-sec/2017/q3/329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122

* gnu/packages/compression.scm (unrar): Remove variable.
---
 gnu/packages/compression.scm | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index a2bf3a186..c06c3c52e 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
  archives from InstallShield installers.")
     (license license:expat)))
 
-(define-public unrar
-  (package
-    (name "unrar")
-    (version "0.0.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append
-                    "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
-    (build-system gnu-build-system)
-    (home-page "http://download.gna.org/unrar")
-    (synopsis "RAR archive extraction tool")
-    (description "Unrar is a simple command-line program to list and extract
-RAR archives.")
-    (license license:gpl2+)))
-
 (define-public zstd
   (package
     (name "zstd")
-- 
2.14.3

[bug#28972] [PATCH] gnu: Remove unrar.

[ng0]

[-- Attachment #1: Type: text/plain, Size: 1901 bytes --]

Leo Famulari transcribed 1.4K bytes:
> This package is abandoned upstream and contains serious bugs:
> 
> http://seclists.org/oss-sec/2017/q3/329
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122

Oh oh. Do we have another package providing the binar(ies) and function
unrar has?

> * gnu/packages/compression.scm (unrar): Remove variable.
> ---
>  gnu/packages/compression.scm | 18 ------------------
>  1 file changed, 18 deletions(-)
> 
> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> index a2bf3a186..c06c3c52e 100644
> --- a/gnu/packages/compression.scm
> +++ b/gnu/packages/compression.scm
> @@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
>   archives from InstallShield installers.")
>      (license license:expat)))
>  
> -(define-public unrar
> -  (package
> -    (name "unrar")
> -    (version "0.0.1")
> -    (source (origin
> -              (method url-fetch)
> -              (uri (string-append
> -                    "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
> -              (sha256
> -               (base32
> -                "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
> -    (build-system gnu-build-system)
> -    (home-page "http://download.gna.org/unrar")
> -    (synopsis "RAR archive extraction tool")
> -    (description "Unrar is a simple command-line program to list and extract
> -RAR archives.")
> -    (license license:gpl2+)))
> -
>  (define-public zstd
>    (package
>      (name "zstd")
> -- 
> 2.14.3
> 
> 
> 
> 
> 

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#28972] [PATCH] gnu: Remove unrar.

[Adonay Felipe Nogueira]

Perhaps The Unarchiver (unar, no R in the middle)?

See <https://directory.fsf.org/wiki/Unar>

ng0 <ng0@infotropique.org> writes:

> Leo Famulari transcribed 1.4K bytes:
>> This package is abandoned upstream and contains serious bugs:
>> 
>> http://seclists.org/oss-sec/2017/q3/329
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
>
> Oh oh. Do we have another package providing the binar(ies) and function
> unrar has?
>
>> * gnu/packages/compression.scm (unrar): Remove variable.
>> ---
>>  gnu/packages/compression.scm | 18 ------------------
>>  1 file changed, 18 deletions(-)
>> 
>> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
>> index a2bf3a186..c06c3c52e 100644
>> --- a/gnu/packages/compression.scm
>> +++ b/gnu/packages/compression.scm
>> @@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
>>   archives from InstallShield installers.")
>>      (license license:expat)))
>>  
>> -(define-public unrar
>> -  (package
>> -    (name "unrar")
>> -    (version "0.0.1")
>> -    (source (origin
>> -              (method url-fetch)
>> -              (uri (string-append
>> -                    "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
>> -              (sha256
>> -               (base32
>> -                "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
>> -    (build-system gnu-build-system)
>> -    (home-page "http://download.gna.org/unrar")
>> -    (synopsis "RAR archive extraction tool")
>> -    (description "Unrar is a simple command-line program to list and extract
>> -RAR archives.")
>> -    (license license:gpl2+)))
>> -
>>  (define-public zstd
>>    (package
>>      (name "zstd")
>> -- 
>> 2.14.3
>> 
>> 
>> 
>> 
>> 

-- 
- https://libreplanet.org/wiki/User:Adfeno
- Palestrante e consultor sobre /software/ livre (não confundir com
  gratis).
- "WhatsApp"? Ele não é livre. Por favor, veja formas de se comunicar
  instantaneamente comigo no endereço abaixo.
- Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
- Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
  (apenas sem DRM), PNG, TXT, WEBM.

[bug#28972] [PATCH] gnu: Remove unrar.

[ng0]

[-- Attachment #1: Type: text/plain, Size: 3035 bytes --]

Adonay Felipe Nogueira transcribed 2.4K bytes:
> Perhaps The Unarchiver (unar, no R in the middle)?
> 
> See <https://directory.fsf.org/wiki/Unar>

Well it exists, but we certainly don't have it in Guix.
I want to have this packaged first before we drop unrar
to avoid any sudden surprises.

> ng0 <ng0@infotropique.org> writes:
> 
> > Leo Famulari transcribed 1.4K bytes:
> >> This package is abandoned upstream and contains serious bugs:
> >> 
> >> http://seclists.org/oss-sec/2017/q3/329
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
> >
> > Oh oh. Do we have another package providing the binar(ies) and function
> > unrar has?
> >
> >> * gnu/packages/compression.scm (unrar): Remove variable.
> >> ---
> >>  gnu/packages/compression.scm | 18 ------------------
> >>  1 file changed, 18 deletions(-)
> >> 
> >> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> >> index a2bf3a186..c06c3c52e 100644
> >> --- a/gnu/packages/compression.scm
> >> +++ b/gnu/packages/compression.scm
> >> @@ -1285,24 +1285,6 @@ or junctions, and always follows hard links.")
> >>   archives from InstallShield installers.")
> >>      (license license:expat)))
> >>  
> >> -(define-public unrar
> >> -  (package
> >> -    (name "unrar")
> >> -    (version "0.0.1")
> >> -    (source (origin
> >> -              (method url-fetch)
> >> -              (uri (string-append
> >> -                    "http://download.gna.org/unrar/unrar-" version ".tar.gz"))
> >> -              (sha256
> >> -               (base32
> >> -                "1fgmjaxffj3shyxgy765jhxwz1cq88hk0fih1bsdzyvymyyz6mz7"))))
> >> -    (build-system gnu-build-system)
> >> -    (home-page "http://download.gna.org/unrar")
> >> -    (synopsis "RAR archive extraction tool")
> >> -    (description "Unrar is a simple command-line program to list and extract
> >> -RAR archives.")
> >> -    (license license:gpl2+)))
> >> -
> >>  (define-public zstd
> >>    (package
> >>      (name "zstd")
> >> -- 
> >> 2.14.3
> >> 
> >> 
> >> 
> >> 
> >> 
> 
> -- 
> - https://libreplanet.org/wiki/User:Adfeno
> - Palestrante e consultor sobre /software/ livre (não confundir com
>   gratis).
> - "WhatsApp"? Ele não é livre. Por favor, veja formas de se comunicar
>   instantaneamente comigo no endereço abaixo.
> - Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
> - Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
>   Office, MP3, MP4, WMA, WMV.
> - Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
>   GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
>   (apenas sem DRM), PNG, TXT, WEBM.
> 
> 
> 
> 

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#28972] [PATCH] gnu: Remove unrar.

[nee]

Am 24.10.2017 um 21:07 schrieb ng0:
> Leo Famulari transcribed 1.4K bytes:
>> This package is abandoned upstream and contains serious bugs:
>>
>> http://seclists.org/oss-sec/2017/q3/329
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
> 
> Oh oh. Do we have another package providing the binar(ies) and function
> unrar has?
> 
Is anything actually using unrar?

grep -r unrar in guix-git/gnu/ gives me no relevant hits

I tried to add it as input for the mcomix package when I packaged
mcomix, but it was unusable and couldn't open a single file.
I remember that it behaved weird and unexpected and sometimes asked for
passwords on stdin when the file wasn't encrypted.

It is very outdated and the rar standard it supports has been replaced
around 15 years ago.

The closest replacement that I know is libarchive, it's not a
commandline utility like unrar, but it is used in  file-roller which can
open some rars.

[bug#28972] [PATCH] gnu: Remove unrar.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1222 bytes --]

On Tue, Oct 24, 2017 at 10:09:00PM +0200, nee wrote:
> Am 24.10.2017 um 21:07 schrieb ng0:
> > Leo Famulari transcribed 1.4K bytes:
> >> This package is abandoned upstream and contains serious bugs:
> > 
> > Oh oh. Do we have another package providing the binar(ies) and function
> > unrar has?
> > 
> Is anything actually using unrar?
> 
> grep -r unrar in guix-git/gnu/ gives me no relevant hits
> 
> I tried to add it as input for the mcomix package when I packaged
> mcomix, but it was unusable and couldn't open a single file.
> I remember that it behaved weird and unexpected and sometimes asked for
> passwords on stdin when the file wasn't encrypted.
> 
> It is very outdated and the rar standard it supports has been replaced
> around 15 years ago.

Agreed, I don't know if this software is useful anymore, and it isn't
used by any of our packages.

> The closest replacement that I know is libarchive, it's not a
> commandline utility like unrar, but it is used in  file-roller which can
> open some rars.

There is also the Python module packaged in Guix as python-rarfile.

Is anyone using this unrar package? Please speak up. And, please check
if file-roller will work for you.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#28972] [PATCH] gnu: Remove unrar.

[ng0]

[-- Attachment #1: Type: text/plain, Size: 1492 bytes --]

nee transcribed 1.0K bytes:
> Am 24.10.2017 um 21:07 schrieb ng0:
> > Leo Famulari transcribed 1.4K bytes:
> >> This package is abandoned upstream and contains serious bugs:
> >>
> >> http://seclists.org/oss-sec/2017/q3/329
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14120
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14121
> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14122
> > 
> > Oh oh. Do we have another package providing the binar(ies) and function
> > unrar has?
> > 
> Is anything actually using unrar?
> 
> grep -r unrar in guix-git/gnu/ gives me no relevant hits

There is a using and using.
Some applications make use of unrar without us rewriting every occurence
of "unrar" in them (for example 'mc').

> I tried to add it as input for the mcomix package when I packaged
> mcomix, but it was unusable and couldn't open a single file.
> I remember that it behaved weird and unexpected and sometimes asked for
> passwords on stdin when the file wasn't encrypted.
> 
> It is very outdated and the rar standard it supports has been replaced
> around 15 years ago.
> 
> The closest replacement that I know is libarchive, it's not a
> commandline utility like unrar, but it is used in  file-roller which can
> open some rars.
> 

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#28972] [PATCH] gnu: Remove unrar.

[ng0]

[-- Attachment #1: Type: text/plain, Size: 2002 bytes --]

Leo Famulari transcribed 2.2K bytes:
> On Tue, Oct 24, 2017 at 10:09:00PM +0200, nee wrote:
> > Am 24.10.2017 um 21:07 schrieb ng0:
> > > Leo Famulari transcribed 1.4K bytes:
> > >> This package is abandoned upstream and contains serious bugs:
> > > 
> > > Oh oh. Do we have another package providing the binar(ies) and function
> > > unrar has?
> > > 
> > Is anything actually using unrar?
> > 
> > grep -r unrar in guix-git/gnu/ gives me no relevant hits
> > 
> > I tried to add it as input for the mcomix package when I packaged
> > mcomix, but it was unusable and couldn't open a single file.
> > I remember that it behaved weird and unexpected and sometimes asked for
> > passwords on stdin when the file wasn't encrypted.
> > 
> > It is very outdated and the rar standard it supports has been replaced
> > around 15 years ago.
> 
> Agreed, I don't know if this software is useful anymore, and it isn't
> used by any of our packages.
> 
> > The closest replacement that I know is libarchive, it's not a
> > commandline utility like unrar, but it is used in  file-roller which can
> > open some rars.

The problem is "some".

> There is also the Python module packaged in Guix as python-rarfile.
> 
> Is anyone using this unrar package? Please speak up. And, please check
> if file-roller will work for you.

As I pointed out in the previous email, mc uses it.
I personally use unrar for some files which are older than 15 years,
but I'm okay with just taking our unrar and maintain it in my repository.

The reason why I'm asking to reconsider until we have a replament is
software such as mc. We can not[*] search every line of sourcecode
of packages we have to see where unrar is implicitly used without
a store reference.

*: We could, but that's a good way to waste resources.
-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.ng0.infotropique.org/dist/keys/
https://www.infotropique.org https://ng0.infotropique.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#28972] [PATCH] gnu: Remove unrar.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1451 bytes --]

On Tue, Oct 24, 2017 at 08:40:32PM +0000, ng0 wrote:
> > On Tue, Oct 24, 2017 at 10:09:00PM +0200, nee wrote:
> > > The closest replacement that I know is libarchive, it's not a
> > > commandline utility like unrar, but it is used in  file-roller which can
> > > open some rars.
> 
> The problem is "some".

Does anyone know what the problem is that prevents "some" from becoming
"all"?

File-roller is a graphical application, so it's not really a replacement
for unrar anyways, even if it could handle all the same files. Is there
really no command-line alternative to our buggy unrar?

> As I pointed out in the previous email, mc uses it.
> I personally use unrar for some files which are older than 15 years,
> but I'm okay with just taking our unrar and maintain it in my repository.
> 
> The reason why I'm asking to reconsider until we have a replament is
> software such as mc. We can not[*] search every line of sourcecode
> of packages we have to see where unrar is implicitly used without
> a store reference.

Okay, thanks for this information. It's true that we can't effectively
search for this kind of command-line use.

We had mc packaged for a few years before unrar was added, so the fact
that mc can use unrar does not mean that we must keep unrar.

My opinion is that keeping unrar packaged even though it can be
exploited by attackers who can provide a crafted RAR file does not help
Guix users.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#28972] [PATCH] gnu: Remove unrar.

[Ricardo Wurmus]

Adonay Felipe Nogueira <adfeno@hyperbola.info> writes:

> Perhaps The Unarchiver (unar, no R in the middle)?
>
> See <https://directory.fsf.org/wiki/Unar>

I tried packaging this once, but it is quite difficult as it depends on
an Objective C compiler (which is currently broken in Guix due to the
fact that GCC doesn’t find it) and GNUstep (which is not fully packaged
yet).

I agree with Leo to remove the outdated unrar package.  Waiting for the
alternative to be packaged would not be reasonable, given the size of
the task.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

bug#28972: [PATCH] gnu: Remove unrar.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1271 bytes --]

On Wed, Oct 25, 2017 at 04:30:43PM +0200, Ricardo Wurmus wrote:
> 
> Adonay Felipe Nogueira <adfeno@hyperbola.info> writes:
> 
> > Perhaps The Unarchiver (unar, no R in the middle)?
> >
> > See <https://directory.fsf.org/wiki/Unar>
> 
> I tried packaging this once, but it is quite difficult as it depends on
> an Objective C compiler (which is currently broken in Guix due to the
> fact that GCC doesn’t find it) and GNUstep (which is not fully packaged
> yet).
> 
> I agree with Leo to remove the outdated unrar package.  Waiting for the
> alternative to be packaged would not be reasonable, given the size of
> the task.

Removed with commit 2560aa7adbfcb46306e8b19180bd48d39c2da6dc.

If anyone is interested in maintaining a package outside of Guix, Debian
has written some patches for the recently discovered bugs, distributed
in their package version 1:0.0.1+cvs20140707-4:

https://packages.debian.org/sid/unrar-free
http://http.debian.net/debian/pool/main/u/unrar-free/unrar-free_0.0.1+cvs20140707-4.debian.tar.xz

I thought about taking these patches, but the bug reporter said it took
them only "a few minutes" to find these bugs, so I'm not optimistic
about the state of this program, at least if it is not maintained
upstream.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]