Public bug reported:

    Availability:  libmspack is already in Ubuntu universe and built
for all architectures.

    Rationale: Clamav has used an embedded copy of libmspack for some
time.  In the current release, the ability to use an external, system
version has been added.  This would be better.  Effectively the code is
in Main already via clamav.  Moving the libmspack package to Main is a
better, more maintainable way to have it there.  This is also used in
LibreOffice, so having the system version in Main should help there too.

    Security: The security history and the current state of security
issues in the package must allow us to support the package for at least
9 months (60 for LTS support) without exposing its users to an
inappropriate level of security risks. This requires checking of several
things that are explained in detail in the subsection Security checks.

    Quality assurance: Package is a library that needs no configuration
and asks no questions.  There are no open bugs in Debian or Ubuntu.
Upstream seems quiescent, but not dead.  There do not appear to be any
long term issues that would impact supportability.

There are no open bugs in Ubuntu or Debian, but I couldn't find an upstream bug 
tracker:
https://bugs.launchpad.net/ubuntu/+source/libmspack
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libmspack

The package is well done and meets standard MIR requirements such as a
symbols file, watch file, etc.

The package does not deal with exotic hardware.

    UI standards: N/A

    Dependencies: All depends/build-dep are in Main

    Standards compliance/Maintenance: Standards compliance is good.
Packaging is a very vanilla dh7 with autofoo package that is trivial to
understand.  Maintained in Debian and synced.  If approved, I'll
subscribe the clamav team to bugs.  This is a pretty simple package.


    Background information:  See above.  Already in Main due to embedding in 
clamav and other packages.

Security checks

    Check how many vulnerabilities the package had in the past and how
they were handled by upstream and the Debian/Ubuntu package:

        http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmspack -
Three CVEs: one in 2005 (of the embedded copy in clamav) and two in 2010.
Nothing since.

        http://secunia.com/advisories/search/?search=libmspack reports
are similar.  All are resolved.

        Ubuntu CVE Tracker: Nothing listed.

    Security relevant binaries: This is a package that unpacks various
formats of often untrusted data (particularly in the clamav use) so it's
inherently security sensitive to a degree.

** Affects: libmspack (Ubuntu)
     Importance: Medium
         Status: New

** Changed in: libmspack (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1386991

Title:
  [MIR] libmspack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libmspack/+bug/1386991/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
