On 04/28/2014 09:02 AM, Florian Schlichting wrote:
> libspreadsheet-parseexcel-perl has been waiting for something like this
> to happen for a little over three years now, so I think it's safe to say
> it's not going to happen, and it's a lot easier to have an alternative
> implementation of the MD5 algorithm packaged, which is clearly marked as
> inferior and not used unless specifically requested, but available for
> use by libspreadsheet-parseexcel-perl.
>
> If you want to look at the details of this use of "internal state", it
> can be found here:
> http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libspreadsheet-parseexcel-perl.git;a=blob;f=lib/Spreadsheet/ParseExcel.pm;h=7285783835427b592bb899578d93469f5afd8f65;hb=a828ce1458524757e2bbf74a18647d382cd8ea5a#l247

wow. md5 state without the finalization step, combined with RC4. What an awesome stack of technology :P

> If that link doesn't work, look at lib/Spreadsheet/ParseExcel.pm and
> search for "Digest::Perl::MD5"; there's a sub "md5state" in a section
> marked "Decryption routines, based on sources of gnumeric (ms-biff.c
> ms-excel-read.c)", which is used from both MakeKey() and
> VerifyPassword(). I have to admit I don't understand what exactly it's
> doing there and whether or how Digest::MD5 in core could be used or
> patched to be useable instead; but given how easy and fast it is to just
> package Digest::Perl::MD5, and that I cannot see how this is going to
> cause any harm (apart from burdening the Debian archive with yet another
> package - but maybe I'm overlooking something?), I thought it safe to
> resolve the Spreadsheet::Parseexcel stalemate by uploading
> libdigest-perl-md5-perl.

I don't have time to look into it further myself or fix whatever Spreadsheet::ParseExcel needs in Digest::MD5, so i'm not going to push back any harder on this. If someone has the time and interest to help Spreadsheet::Parseexcel get what it needs out of Digest::MD5, that would be awesome, though.
thanks for explaining the state of play and providing some links.

fwiw, a quick skim of the source makes me think it should not be too hard for the authors of Digest::MD5 to make an intermediateState function for a Digest::MD5 object. The existence of this function would serve the same role as md5state() in the code you've linked.

But i don't see any bug report requesting this functionality in Digest::MD5:

https://rt.cpan.org/Public/Dist/Display.html?Name=Digest-MD5

so i just reported a new one:

https://rt.cpan.org/Ticket/Display.html?id=95127

if we can get that fixed, then we can update libspreadsheet-excel-perl to use it, and then we can drop libdigest-perl-md5-perl from debian.

in the meantime, it sounds like you're already on the right track. thanks for handling this, Florian.

Regards,

--dkg