Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Miriam Ruiz <little_miry@yahoo.es>.
(Mon, 03 Jan 2011 18:12:14 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Two potential security issues
Date: Mon, 03 Jan 2011 19:11:04 +0100
Package: calibre
Severity: important
Tags: security
Hi,
there's been an advisory on calibre. I'm not sure whether it
actually applies to the Debian package; is the content server
distributed in the Debian package? Please check.
http://www.waraxe.us/advisory-77.html
Cheers,
Moritz
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#608822; Package calibre.
(Sun, 09 Jan 2011 17:42:05 GMT).
Acknowledgement sent
to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sun, 09 Jan 2011 17:42:05 GMT).
To: Moritz Muehlenhoff <jmm@debian.org>, 608822@bugs.debian.org
Subject: Re: Bug#608822: Two potential security issues
Date: Sun, 9 Jan 2011 11:39:42 -0600
tag 608822 confirmed upstream
forwarded 608822 http://bugs.calibre-ebook.com/ticket/7980
thanks
Hello Moritz,
Moritz Muehlenhoff [2011-01-03 19:11 +0100]:
> there's been an advisory on calibre. I'm not sure whether it
> actually applies to the Debian package; is the content server
> distributed in the Debian package? Please check.
>
> http://www.waraxe.us/advisory-77.html
Thanks for pointing this out. This indeed affects the Debian packages
as well. The first described vuln (path traversal) got fixed upstream
in 0.7.35; I have 0.7.38 ready for upload.
However, it seems that upstream missed the second one (the XSS). I
pinged him again in the corresponding bug:
http://bugs.calibre-ebook.com/ticket/7980
The path traversal is fixed with this patch:
http://bazaar.launchpad.net/~kovid/calibre/trunk/revision/7302
which looks easily backportable to the 0.7.7 version in testing. But
before I prepare this, I'd like to see the XSS fixed as well.
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Added tag(s) upstream and confirmed.
Request was from Martin Pitt <mpitt@debian.org>
to control@bugs.debian.org.
(Sun, 09 Jan 2011 17:42:06 GMT).
Subject: Bug#608822: fixed in calibre 0.7.38+dfsg-1
Date: Mon, 10 Jan 2011 15:47:17 +0000
Source: calibre
Source-Version: 0.7.38+dfsg-1
We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive:
calibre-bin_0.7.38+dfsg-1_amd64.deb
to main/c/calibre/calibre-bin_0.7.38+dfsg-1_amd64.deb
calibre_0.7.38+dfsg-1.debian.tar.gz
to main/c/calibre/calibre_0.7.38+dfsg-1.debian.tar.gz
calibre_0.7.38+dfsg-1.dsc
to main/c/calibre/calibre_0.7.38+dfsg-1.dsc
calibre_0.7.38+dfsg-1_all.deb
to main/c/calibre/calibre_0.7.38+dfsg-1_all.deb
calibre_0.7.38+dfsg.orig.tar.gz
to main/c/calibre/calibre_0.7.38+dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 608822@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated calibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 10 Jan 2011 09:18:13 -0600
Source: calibre
Binary: calibre calibre-bin
Architecture: source all amd64
Version: 0.7.38+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Miriam Ruiz <little_miry@yahoo.es>
Changed-By: Martin Pitt <mpitt@debian.org>
Description:
calibre - e-book converter and library management
calibre-bin - e-book converter and library management
Closes: 608822
Changes:
calibre (0.7.38+dfsg-1) unstable; urgency=low
.
* New upstream release:
- Fix path traversal vulnerability in the content server (not enabled by
default). See http://bugs.calibre-ebook.com/ticket/7980,
http://www.waraxe.us/advisory-77.html. First half of #608822
* debian/control: Add new build dependency libicu-dev.
* Add 00upstream_content_server_xss.patch: Fix XSS vulnerability in the
content server, the other half of above issue. (Closes: #608822) Patch
cherrypicked from upstream bzr (r7531)
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#608822; Package calibre.
(Sat, 15 Jan 2011 14:00:06 GMT).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sat, 15 Jan 2011 14:00:06 GMT).
Subject: Re: Bug#608822: Two potential security issues
Date: Sat, 15 Jan 2011 14:57:37 +0100
On Sun, Jan 09, 2011 at 11:39:42AM -0600, Martin Pitt wrote:
> tag 608822 confirmed upstream
> forwarded 608822 http://bugs.calibre-ebook.com/ticket/7980
> thanks
>
> Hello Moritz,
>
> Moritz Muehlenhoff [2011-01-03 19:11 +0100]:
> > there's been an advisory on calibre. I'm not sure whether it
> > actually applies to the Debian package; is the content server
> > distributed in the Debian package? Please check.
> >
> > http://www.waraxe.us/advisory-77.html
>
> Thanks for pointing this out. This indeed affects the Debian packages
> as well. The first described vuln (path traversal) got fixed upstream
> in 0.7.35; I have 0.7.38 ready for upload.
>
> However, it seems that upstream missed the second one (the XSS). I
> pinged him again in the corresponding bug:
>
> http://bugs.calibre-ebook.com/ticket/7980
>
> The path traversal is fixed with this patch:
>
> http://bazaar.launchpad.net/~kovid/calibre/trunk/revision/7302
>
> which looks easily backportable to the 0.7.7 version in testing. But
> before I prepare this, I'd like to see the XSS fixed as well.
Now that both issues are addressed, could you please prepare a tpu
fix?
Thanks,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#608822; Package calibre.
(Sat, 15 Jan 2011 16:36:03 GMT).
Acknowledgement sent
to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sat, 15 Jan 2011 16:36:03 GMT).
Subject: Re: Bug#608822: Two potential security issues
Date: Sat, 15 Jan 2011 10:31:45 -0600
Hello Moritz,
Moritz Mühlenhoff [2011-01-15 14:57 +0100]:
> Now that both issues are addressed, could you please prepare a tpu
> fix?
I can, but due to the licensing problem in bug 609581 I asked Julien
what he thinks about a freeze exception for the current version. If I
can get this, it won't be necessary.
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#608822; Package calibre.
(Tue, 25 Jan 2011 11:48:08 GMT).
Acknowledgement sent
to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Tue, 25 Jan 2011 11:48:08 GMT).
notfound 608822 0.7.7+dfsg-1
thanks
Hello again,
Moritz Muehlenhoff [2011-01-03 19:11 +0100]:
> there's been an advisory on calibre. I'm not sure whether it
> actually applies to the Debian package; is the content server
> distributed in the Debian package? Please check.
>
> http://www.waraxe.us/advisory-77.html
I checked both vulnerabilities, and cannot reproduce either of them in
the 0.7.7 version that current testing has. The "browse" module
doesn't exist at all (for the XSS), and no matter which path I request
for the path traversal, in this version it already only searches in
the static contents dir.
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
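The two properties Martin checks for above, a content server that only resolves static files inside its static contents dir and a "browse" listing that escapes user-controlled fields, written up as an added example; this is not calibre's code or anything from this bug report, and STATIC_ROOT, resolve_static and render_browse_row are hypothetical names chosen for the illustration.

```python
import html
import os
from typing import Optional

# Hypothetical location of the content server's static contents dir
# (a constructed value for this example, not calibre's real layout).
STATIC_ROOT = "/srv/calibre/static"


def resolve_static(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto a file strictly inside ``root``.

    Returns the absolute path, or None when the normalised result would
    escape ``root`` (for instance through '..' segments).  The check is
    lexical: it does not follow symlinks, so ``root`` must not contain
    links that point outside it.
    """
    root = os.path.abspath(root)
    # Drop leading slashes so an absolute request cannot replace root in join().
    candidate = os.path.abspath(os.path.join(root, requested.lstrip("/")))
    # commonpath() equals root only when candidate is root or below it.
    # A plain startswith() test would wrongly accept a sibling such as
    # "/srv/calibre/static2/x", so the path-aware comparison is used instead.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def render_browse_row(title: str, author: str) -> str:
    """Emit one row of a hypothetical 'browse' listing, escaping every
    user-controlled field so the browser renders it as text, not markup."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(title, quote=True), html.escape(author, quote=True)
    )


if __name__ == "__main__":
    # Constructed requests: a legitimate file and a traversal attempt.
    print(resolve_static(STATIC_ROOT, "css/browse.css"))
    print(resolve_static(STATIC_ROOT, "../../../etc/hostname"))
    print(render_browse_row("<b>Title</b>", 'O"Brien'))
```

A rejected request (None) is the event worth logging on the server side; it is a cheap, low-noise signal of traversal probing against the static handler.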
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#608822; Package calibre.
(Tue, 25 Jan 2011 17:30:03 GMT).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Tue, 25 Jan 2011 17:30:03 GMT).
Subject: Re: Bug#608822: Two potential security issues
Date: Tue, 25 Jan 2011 18:26:42 +0100
On Tue, Jan 25, 2011 at 12:45:20PM +0100, Martin Pitt wrote:
> notfound 608822 0.7.7+dfsg-1
> thanks
>
> Hello again,
>
> Moritz Muehlenhoff [2011-01-03 19:11 +0100]:
> > there's been an advisory on calibre. I'm not sure whether it
> > actually applies to the Debian package; is the content server
> > distributed in the Debian package? Please check.
> >
> > http://www.waraxe.us/advisory-77.html
>
> I checked both vulnerabilities, and cannot reproduce either of them in
> the 0.7.7 version that current testing has. The "browse" module
> doesn't exist at all (for the XSS), and no matter which path I request
> for the path traversal, in this version it already only searches in
> the static contents dir.
Thanks, I've updated the Security Tracker.
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 23 Feb 2011 07:32:44 GMT).