Debian Bug report logs - #640026
insecure plugin updater


Package: calibre; Maintainer for calibre is Miriam Ruiz <little_miry@yahoo.es>; Source for calibre is src:calibre.

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 1 Sep 2011 16:09:05 UTC

Severity: normal

Tags: security

Fixed in version calibre/0.8.34+dfsg-1

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>:
Bug#640026; Package calibre. (Thu, 01 Sep 2011 16:09:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>. (Thu, 01 Sep 2011 16:09:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: insecure plugin updater
Date: Thu, 1 Sep 2011 12:07:29 -0400
[Message part 1 (text/plain, inline)]
Package: calibre
Severity: normal
Tags: security

Calibre contains a plugin updater, which appears to operate by downloading this
url:

MR_URL = 'http://www.mobileread.com/forums/'
MR_INDEX_URL = MR_URL + 'showpost.php?p=1362767&postcount=1'

This is a forum page, accessed in the clear, and belonging to an entity
apparently unrelated to calibre.

To update a plugin calibre downloads and extracts a zip file that
probably contains unsandboxed executable code, with no validation,
beyond this:

        if not question_dialog(self, _('Install %s')%display_plugin.name, '<p>' + \
                _('Installing plugins is a <b>security risk</b>. '
                'Plugins can contain a virus/malware. '
                    'Only install it if you got it from a trusted source.'
                    ' Are you sure you want to proceed?'),

I am not sure if this requires the user to click on something to install
updates or not, but either way this is pretty crap WRT security and
should be disabled.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
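The flow the report describes (fetch an index over plain HTTP from a third party, download a zip, unpack it with nothing but a confirmation dialog in between) can be contrasted with what a minimally hardened installer would do before extracting. The following is an added example, not calibre's code and not part of the bug report: it keeps the `MR_URL` constants quoted above only to show they fail a source check, and it assumes a hypothetical allow-listed TLS host (`plugins.example.org`) and a digest obtained out of band (what a signed manifest would carry). The sample archives are constructed in memory so the block runs offline.

```python
import hashlib
import hmac
import io
import tempfile
import zipfile
from urllib.parse import urlsplit

# The index URL the report quotes: plain HTTP, on a forum the project does not control.
MR_URL = 'http://www.mobileread.com/forums/'
MR_INDEX_URL = MR_URL + 'showpost.php?p=1362767&postcount=1'

# Assumption for this example: a host the project controls, served over TLS.
TRUSTED_HOSTS = {"plugins.example.org"}


def source_url_is_acceptable(url):
    """Accept only HTTPS URLs on an allow-listed host (pinned list, not a forum page)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def insecure_install(zip_bytes, dest):
    """The pattern the report describes: unpack whatever arrived, with no integrity check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return [i.filename for i in zf.infolist()]


def member_is_safe(name):
    """Reject empty names, absolute paths, drive letters and '..' path components."""
    if not name or name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return False
    return ".." not in name.replace("\\", "/").split("/")


def verify_and_extract(zip_bytes, expected_sha256, dest):
    """Check the archive digest against one obtained out of band (e.g. from a signed
    manifest), refuse unsafe member paths, and only then extract into dest."""
    actual = hashlib.sha256(zip_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("digest mismatch; refusing to install plugin archive")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist()]
        for name in names:
            if not member_is_safe(name):
                raise ValueError("unsafe member path in plugin archive: %r" % name)
        zf.extractall(dest)
    return names


def make_sample_plugin(members):
    """Constructed fixture: build an in-memory zip from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_checks():
    """Exercise both installers on a genuine, a tampered and a path-traversal archive."""
    genuine = make_sample_plugin({"my_plugin/__init__.py": b"# harmless plugin\n"})
    pinned = hashlib.sha256(genuine).hexdigest()  # what a signed manifest would carry
    tampered = make_sample_plugin({"my_plugin/__init__.py": b"# modified in transit\n"})
    traversal = make_sample_plugin({"../outside.py": b"# would escape the plugin dir\n"})
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        # The unchecked installer happily unpacks the modified archive.
        results["insecure_accepts_tampered"] = insecure_install(tampered, dest)
        # The checked installer accepts the genuine archive ...
        results["genuine"] = verify_and_extract(genuine, pinned, dest)
        # ... rejects the tampered one on its digest ...
        try:
            verify_and_extract(tampered, pinned, dest)
            results["tampered"] = "accepted"
        except ValueError as e:
            results["tampered"] = "rejected: %s" % e
        # ... and rejects the traversal archive on its member path even when the
        # digest matches (it is checked against its own digest here on purpose).
        try:
            verify_and_extract(traversal, hashlib.sha256(traversal).hexdigest(), dest)
            results["traversal"] = "accepted"
        except ValueError as e:
            results["traversal"] = "rejected: %s" % e
    return results


if __name__ == "__main__":
    print("index URL acceptable:", source_url_is_acceptable(MR_INDEX_URL))
    for k, v in run_checks().items():
        print(k, "->", v)
```

The digest check only moves the trust question to wherever `expected_sha256` comes from; it is worth something only if that value arrives over an authenticated channel (a signed manifest, or a pinned host over TLS) rather than from the same unauthenticated page as the archive. The member-path check matters separately from integrity: a genuine but sloppily built archive can still write outside the plugin directory on extractors that do not sanitize names.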

Information forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#640026; Package calibre. (Tue, 20 Dec 2011 18:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>. (Tue, 20 Dec 2011 18:21:03 GMT) Full text and rfc822 format available.

Message #10 received at 640026@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Joey Hess <joeyh@debian.org>, 640026@bugs.debian.org
Subject: Re: Bug#640026: insecure plugin updater
Date: Tue, 20 Dec 2011 19:17:09 +0100
[Message part 1 (text/plain, inline)]
Hello Joey,

Joey Hess [2011-09-01 12:07 -0400]:
> MR_URL = 'http://www.mobileread.com/forums/'
> MR_INDEX_URL = MR_URL + 'showpost.php?p=1362767&postcount=1'
> 
> This is a forum page, accessed in the clear, and belonging to an entity
> apparently unrelated to calibre.
> 
> To update a plugin calibre downloads and extracts a zip file that
> probably contains unsandboxed executable code, with no validation,
> beyond this:
> 
>         if not question_dialog(self, _('Install %s')%display_plugin.name, '<p>' + \
>                 _('Installing plugins is a <b>security risk</b>. '
>                 'Plugins can contain a virus/malware. '
>                     'Only install it if you got it from a trusted source.'
>                     ' Are you sure you want to proceed?'),
> 
> I am not sure if this requires the user to click on something to install
> updates or not, but either way this is pretty crap WRT security and
> should be disabled.

I think once you install a plugin, it should also be able to
auto-update. Otherwise users of them will never get bug fixes or
updates for new calibre versions, and just get a broken calibre.

But what I will do is to disable the menu entry to get to
the plugin dialog in the first place, so that you cannot (easily)
install them in the first place. Does that sound like a reasonable
compromise?

Martin


-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Tue, 20 Dec 2011 18:45:03 GMT) Full text and rfc822 format available.

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Sat, 07 Jan 2012 10:51:28 GMT) Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Sat, 07 Jan 2012 10:51:30 GMT) Full text and rfc822 format available.

Message #17 received at 640026-close@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 640026-close@bugs.debian.org
Subject: Bug#640026: fixed in calibre 0.8.34+dfsg-1
Date: Sat, 07 Jan 2012 10:47:53 +0000
Source: calibre
Source-Version: 0.8.34+dfsg-1

We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive:

calibre-bin_0.8.34+dfsg-1_amd64.deb
  to main/c/calibre/calibre-bin_0.8.34+dfsg-1_amd64.deb
calibre_0.8.34+dfsg-1.debian.tar.gz
  to main/c/calibre/calibre_0.8.34+dfsg-1.debian.tar.gz
calibre_0.8.34+dfsg-1.dsc
  to main/c/calibre/calibre_0.8.34+dfsg-1.dsc
calibre_0.8.34+dfsg-1_all.deb
  to main/c/calibre/calibre_0.8.34+dfsg-1_all.deb
calibre_0.8.34+dfsg.orig.tar.xz
  to main/c/calibre/calibre_0.8.34+dfsg.orig.tar.xz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 640026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated calibre package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 07 Jan 2012 11:22:54 +0100
Source: calibre
Binary: calibre calibre-bin
Architecture: source all amd64
Version: 0.8.34+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Miriam Ruiz <little_miry@yahoo.es>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 calibre    - e-book converter and library management
 calibre-bin - e-book converter and library management
Closes: 640026 646674 654751
Changes: 
 calibre (0.8.34+dfsg-1) unstable; urgency=low
 .
   * New upstream version. (Closes: #654751)
   * debian/rules: Do not install calibre copy of chardet; instead, add
     build/binary python-chardet dependency.
   * Add disable_plugins.py: Disable plugin dialog. It uses a totally
     non-authenticated and non-trusted way of installing arbitrary code.
     (Closes: #640026)
   * debian/rules: Install with POSIX locale, to avoid installing translated
     manpages into the standard locations. (Closes: #646674)
Checksums-Sha1: 
 587758cf96a0bd9151fe603fd4a991e084abc650 2371 calibre_0.8.34+dfsg-1.dsc
 843d2ef9324013609a14e53cf8f0c4e77d73f23c 20917968 calibre_0.8.34+dfsg.orig.tar.xz
 4375c4e51e8ea0e567512a2f965504c90f59c5b5 19635 calibre_0.8.34+dfsg-1.debian.tar.gz
 e4f12b160070baa2d062cd45d466a1251e985d59 14735330 calibre_0.8.34+dfsg-1_all.deb
 bcc54ad1956d9d221c786bb94c475860f6ed1a9c 209192 calibre-bin_0.8.34+dfsg-1_amd64.deb
Checksums-Sha256: 
 29cc052aa3441e2aa2dede85a0a3f1643883e3009d8b5a2e8e3c136a7326c39d 2371 calibre_0.8.34+dfsg-1.dsc
 5ef4047a8f8b787ada5e629dbafdb777fb8fbd66595ad0ec5b052cb5d3a35ebe 20917968 calibre_0.8.34+dfsg.orig.tar.xz
 a65cb46c4062b435d7df5b7a38f33476d41b02f8d24501cebb9bf5949080519b 19635 calibre_0.8.34+dfsg-1.debian.tar.gz
 d56b27efdbd4e429069a74dba8fda88d60c087d1fda1bd11d32c026cd4906c5f 14735330 calibre_0.8.34+dfsg-1_all.deb
 21c768f5b8a0274e4d64c23c79e39d7605159cc7433be793bbead17e1c5cbb39 209192 calibre-bin_0.8.34+dfsg-1_amd64.deb
Files: 
 e4b5682071237ee3efb5b2bab14f6b2e 2371 text extra calibre_0.8.34+dfsg-1.dsc
 1cf97ae0f3ee2077f68598ecce25b1e7 20917968 text extra calibre_0.8.34+dfsg.orig.tar.xz
 4fc049804f735257923486f2971b56fb 19635 text extra calibre_0.8.34+dfsg-1.debian.tar.gz
 1218c8f77054f41e0799aeceefd06723 14735330 text extra calibre_0.8.34+dfsg-1_all.deb
 476c479b142321dc6c75e4651adacc76 209192 text extra calibre-bin_0.8.34+dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Feb 2012 07:36:01 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:27:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.