Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1517572 - Please add unar dependency/configuration for *.rar and comment *.lrz support
Summary: Please add unar dependency/configuration for *.rar and comment *.lrz support
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: amavisd-new
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Juan Orti Alcaine
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-26 23:26 UTC by Robert Scheck
Modified: 2018-05-16 09:15 UTC (History)
7 users (show)

Fixed In Version: amavisd-new-2.11.0-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-02 15:58:51 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1449179 None None None Never

Internal Links: 1449179

Description Robert Scheck 2017-11-26 23:26:36 UTC
Description of problem:
Please add unar dependency/configuration for *.rar and comment *.lrz support.

Version-Release number of selected component (if applicable):
amavisd-new-2.11.0-1.el7
unar-1.10.1-1.el7

Expected results:
--- snipp ---
--- amavisd-new-2.11.0/amavisd.conf       2016-04-26 21:24:26.000000000 +0200
+++ amavisd-new-2.11.0/amavisd.conf.rsc   2017-11-27 00:24:38.000000000 +0100
@@ -326,8 +326,8 @@
   ['lzma', \&do_uncompress,
            ['lzmadec', 'xz -dc --format=lzma',
             'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
-  ['lrz',  \&do_uncompress,
-           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
+#  ['lrz',  \&do_uncompress,
+#           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
   ['lzo',  \&do_uncompress, 'lzop -d'],
   ['lz4',  \&do_uncompress, ['lz4c -d'] ],
   ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
@@ -335,7 +335,7 @@
            # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
   ['deb',  \&do_ar, 'ar'],
 # ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
-  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
+  ['rar',  \&do_unrar, ['unrar', 'rar', 'unar'] ],
   ['arj',  \&do_unarj, ['unarj', 'arj'] ],
   ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
   ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
--- snapp ---

--- snipp ---
--- a/amavisd-new.spec
+++ b/amavisd-new.spec
@@ -47,6 +47,7 @@ Requires:       nomarch
 Requires:       p7zip, p7zip-plugins
 Requires:       tar
 Requires:       unzoo
+Requires:       unar
 # We probably should parse the fetch_modules() code in amavisd for this list.
 # These are just the dependencies that don't get picked up otherwise.
 Requires:       perl(Archive::Tar)
--- snapp ---

Comment 1 Robert Scheck 2017-12-03 23:41:32 UTC
Juan, ping?

Comment 2 Juan Orti Alcaine 2017-12-11 20:42:46 UTC
Hi, I'll submit an update soon.

Why to comment lrz? doesn't if fail gracefully when the decoder is not present?

Comment 3 Robert Scheck 2017-12-11 20:55:17 UTC
(In reply to Juan Orti from comment #2)
> Why to comment lrz? doesn't if fail gracefully when the decoder is not
> present?

Yes and no. It gracefully fails, but it still leaves a message mentioning
a lack of a decoder (which can not be satisfied due to orphaned lrzip).

Comment 4 Petr Pisar 2017-12-12 07:28:54 UTC
lrzip is not only orphaned. It's actually retired. The reason is it contains various security flaws, the upstream is not willing to fix them, other maintainers cannot because the format of the archive has never been specified and moreover it bundles ancient zpaq library (that's part of the vulnerability) that even the lrzip's author cannot unbundle or replace with an up-to-date version because he does not understand the zpaq internals to adjust it to lrzip's needs.

In my opinion, amavis should not hard-require various unpacking tools. There are myriads of obscure formats that would drag in obscure and usually unmaintained tools and many of them are not even packaged in the distribution. Using these crappy tools would actually create a new attack vector against the SMTP server and thus actually lowered the security of the whole system.

I would prefer if these dependencies were made optional (Recommends or Suggests on RPM level) and amavis should be able to cope with their unavailability (to log that it saw an message that it was unable to unpack, or per an configuration to discard the message because it was unable to inspect it).

Comment 5 Juan Orti Alcaine 2017-12-12 08:49:17 UTC
unar is not working as-is, it uses different arguments. I'm looking into it.

dic 12 09:36:40 helio amavis[3002]: (03002-01) (!)Decoding of p003 (RAR archive data, v4, os: Win32) failed, leaving it unpacked: do_unrar: can't get a list of archive members: exit 1; Unknown option -idcdp

Comment 6 Juan Orti Alcaine 2017-12-12 12:25:53 UTC
I still can download lrzip from the epel7 repositories, shouldn't it be removed?

I'm going to submit the removal of lrzip. I've also made the dependencies weak in rawhide.

I'm holding the unar update because it doesn't support pipes and doesn't seem to work with amavis. We may need a wrapper to support it.

Comment 7 Fedora Update System 2017-12-12 12:28:49 UTC
amavisd-new-2.11.0-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5f6d89febd

Comment 8 Petr Pisar 2017-12-12 13:19:51 UTC
(In reply to Juan Orti from comment #6)
> I still can download lrzip from the epel7 repositories, shouldn't it be
> removed?
> 
Probably. "robert" is a maintainer in EPEL.

Comment 9 Robert Scheck 2017-12-12 13:39:13 UTC
(In reply to Petr Pisar from comment #8)
> Probably. "robert" is a maintainer in EPEL.

Yes, that's me...

Comment 10 Fedora Update System 2017-12-12 14:01:45 UTC
amavisd-new-2.9.1-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0f72359c5d

Comment 11 Fedora Update System 2017-12-14 05:43:21 UTC
amavisd-new-2.11.0-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5f6d89febd

Comment 12 Fedora Update System 2017-12-14 10:21:59 UTC
amavisd-new-2.9.1-3.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0f72359c5d

Comment 13 Fedora Update System 2018-01-02 15:58:51 UTC
amavisd-new-2.11.0-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2018-01-02 18:53:11 UTC
amavisd-new-2.9.1-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Robert Scheck 2018-01-03 01:27:00 UTC
Well, *.lrz is done, but the unar part is still left.

Comment 17 Juan Orti Alcaine 2018-05-16 09:15:58 UTC
I'd need to package the unar-wrapper, which I don't see the code around. I also think it will be better to be included in the unar package.


Note You need to log in before you can comment on or make changes to this bug.