Bug #63765 unrar should be unbundled
Submitted: 2012-12-14 00:22 UTC Modified: 2017-10-24 05:06 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mattsch at gmail dot com Assigned: cataphract (profile)
Status: Assigned Package: rar (PECL)
PHP Version: 5.4.9 OS: Gentoo
Private report: No CVE-ID: None
 [2012-12-14 00:22 UTC] mattsch at gmail dot com
Description:
------------
It is a lot more cumbersome for distros to create packages for bundled software especially from a QA and security standpoint.  The security standpoint stands out the most because modified bundled libraries have not been fully vetted by software security teams and their vulnerabilities can easily be leveraged by attackers if the bundled library is older and contains known vulnerabilities or if the internal modifications to them create vulnerabilities.

It is better not to bundle unrar and use the actual unrar library that is provided by rarlabs.  According to the README, some modifications were made to this bundled library:

"Some modifications have been applied to the UnRAR library, mainly to allow
streaming extraction of files without using threads."

Is there any reason why these changes cannot be committed upstream and turned on/off using a configure flag so that you don't have to bundle this library?


Expected result:
----------------
package should depend on unrar library with needed patches pushed upstream.

Actual result:
--------------
package bundles unrar

History

 [2012-12-14 08:45 UTC] tony2001@php.net
AFAIK vanilla unrar sources didn't even compile with PHP since it uses the same constants in its headers, so at least one modification is indeed required.
I didn't contact the authors of unrar mostly because I thought they would feel reluctant to change their sources just because somebody else happens to use similar constants, but I guess we can try to do it after all.
 [2014-08-22 13:57 UTC] neweracracker at gmail dot com
One question.

Is it possible for you to issue a patch file to convert a version downloaded from rarlab into a suitable version for this library?

For example, the Fileinfo extension provides a libmagic.patch to convert upstream into a version able to be used with PHP.

Something like this could be useful to help backporting newer versions in the future.

Regards,
NewEraCracker
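The comment above asks the project to ship a patch that turns the pristine upstream release into the bundled copy, which is what lets a packager (or a security reviewer) see exactly which changes were made. The script below is an added example, not code from the PECL rar project or from anyone in this thread: it checks that a bundled tree differs from upstream only in files that were reviewed, and that those files still carry their reviewed checksums, so an unreviewed edit to the bundled copy is caught before packaging. The directory layout, file contents, the manifest name REVIEWED.cksum and the function names are all constructed for the demo; only POSIX tools (find, cmp, cksum, sed, sort) are used.

```shell
#!/bin/sh
# Added example, not code from the PECL rar project: verify that a bundled copy
# of a third-party library differs from the pristine upstream release only in
# reviewed files, and that those files still match their reviewed checksums.
# The trees, file contents and the REVIEWED.cksum manifest are constructed here.

set -eu

# Lay out a constructed "upstream" tree and a "bundled" tree that carries one
# deliberate, reviewed modification (standing in for the streaming changes).
make_trees() {
    work=$(mktemp -d)
    mkdir -p "$work/upstream/unrar" "$work/bundled/unrar"
    printf '#define ERAR_SUCCESS 0\nint unrar_open(void);\n' \
        > "$work/upstream/unrar/dll.hpp"
    printf 'int unrar_open(void) { return 0; }\n' \
        > "$work/upstream/unrar/dll.cpp"
    cp "$work/upstream/unrar/dll.cpp" "$work/bundled/unrar/dll.cpp"
    # reviewed modification: one extra declaration in the header
    printf '#define ERAR_SUCCESS 0\nint unrar_open(void);\nint unrar_stream_extract(void);\n' \
        > "$work/bundled/unrar/dll.hpp"
    echo "$work"
}

# Print every file (path relative to the tree root) in bundled/ that is missing
# from upstream/ or differs from it byte for byte, one per line, sorted.
list_modified() {
    work=$1
    (cd "$work/bundled" && find . -type f | sort) | while read -r f; do
        if [ ! -f "$work/upstream/$f" ] || ! cmp -s "$work/upstream/$f" "$work/bundled/$f"; then
            echo "$f"
        fi
    done
}

# Maintainer step: after review, record each modified file with its POSIX cksum
# in a constructed manifest (use sha256sum instead where it is available).
record_manifest() {
    work=$1
    list_modified "$work" | while read -r f; do
        (cd "$work/bundled" && cksum "$f")
    done > "$work/REVIEWED.cksum"
}

# Packager step: return 0 only if the set of modified files equals the manifest
# and every listed file still has its recorded checksum; 1 otherwise.
verify_bundled() {
    work=$1
    expected=$(sed 's/^[0-9]* [0-9]* //' "$work/REVIEWED.cksum" | sort)
    actual=$(list_modified "$work")
    if [ "$expected" != "$actual" ]; then
        echo "unreviewed modification(s): bundled files differ from manifest" >&2
        return 1
    fi
    while read -r sum size f; do
        current=$(cd "$work/bundled" && cksum "$f")
        if [ "$current" != "$sum $size $f" ]; then
            echo "reviewed file changed since review: $f" >&2
            return 1
        fi
    done < "$work/REVIEWED.cksum"
    return 0
}
```

In practice the "upstream" tree would be the unpacked rarlab release archive and the manifest would be committed next to the patch; a mismatch in either direction (a file changed that the manifest does not list, or a listed file whose checksum moved) is the signal that the bundled copy has drifted from what was reviewed.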
 [2014-08-22 14:14 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: tony2001
 [2014-08-22 14:14 UTC] tony2001@php.net
Sure, it's pretty simple. I'll look into it on the next week.
 [2017-10-24 05:06 UTC] kalle@php.net
-Assigned To: tony2001 +Assigned To: cataphract
 [2017-10-24 05:06 UTC] kalle@php.net
Re-assigning this to the current maintainer (so he can get some notice that this bug is now available!)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 08:01:27 2024 UTC