PHP :: Bug #63765 :: unrar should be unbundled

Bug #63765

unrar should be unbundled

Submitted:

2012-12-14 00:22 UTC

Modified:

2017-10-24 05:06 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

mattsch at gmail dot com

Assigned:

cataphract (profile)

Status:

Assigned

Package:

rar (PECL)

PHP Version:

5.4.9

OS:

Gentoo

Private report:

CVE-ID:

None

[2012-12-14 00:22 UTC] mattsch at gmail dot com

Description:
------------
It is a lot more cumbersome for distros to create packages for bundled software especially from a QA and security standpoint.  The security standpoint stands out the most because modified bundled libraries have not been fully vetted by software security teams and their vulnerabilities can easily be leveraged by attackers if the bundled library is older and contains known vulnerabilities or if the internal modifications to them create vulnerabilities.

It is better not to bundle unrar and use the actual unrar library that is provided by rarlabs.  According to the README, some modifications were made to this bundled library:

"Some modifications have been applied to the UnRAR library, mainly to allow
streaming extraction of files without using threads."

Is there any reason why hese changes cannot be committed upstream and turned on/off using a configure flag so that you don't have to bundle this library?


Expected result:
----------------
package should depend on unrar library with needed patches pushed upstream.

Actual result:
--------------
package bundles unrar

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-12-14 08:45 UTC] tony2001@php.net

AFAIK vanilla unrar sources didn't even compile with PHP since it uses the same 
constants in its headers, so at least one modification is indeed required.
I didn't contact the authors of unrar mostly because I thought they would feel 
reluctant to change their sources just because somebody else happens to use similar 
constants, but I guess we can try to do it after all.

[2014-08-22 13:57 UTC] neweracracker at gmail dot com

One question.

Is it possible for you to issue a patch file to convert a version downloaded from rarlab into a suitable version for this library?

For example. Fileinfo extension provides a libmagic.patch to convert upstream into  a version able to be used to PHP.

Something like this could be useful to help backporting newer versions in the future.

Regards,
NewEraCracker

[2014-08-22 14:14 UTC] tony2001@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: tony2001

[2014-08-22 14:14 UTC] tony2001@php.net

Sure, it's pretty simple. I'll look into it on the next week.

[2017-10-24 05:06 UTC] kalle@php.net

-Assigned To: tony2001 +Assigned To: cataphract

[2017-10-24 05:06 UTC] kalle@php.net

Re-assigning this to the current maintainer (so he can get some notice that this bug is now available!)

[2022-12-06 06:29 UTC] melindaetinw81 at gmail dot com

Same issue here and i cant find any solutions (https://www.expresshr.onl/)github.com