Debian Bug report logs - #684229
feedparser code embedded in calibre and possibly may be out of date and vulnerable

Package: calibre; Maintainer for calibre is Calibre maintainer team <team+calibre@tracker.debian.org>; Source for calibre is src:calibre (PTS, buildd, popcon).

Reported by: Silvio Cesare <silvio.cesare@gmail.com>

Date: Wed, 8 Aug 2012 00:03:02 UTC

Severity: important

Tags: security

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#684229; Package calibre. (Wed, 08 Aug 2012 00:03:04 GMT)


Acknowledgement sent to Silvio Cesare <silvio.cesare@gmail.com>:
New Bug report received and forwarded. Copy sent to Miriam Ruiz <little_miry@yahoo.es>. (Wed, 08 Aug 2012 00:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Silvio Cesare <silvio.cesare@gmail.com>
To: submit@bugs.debian.org
Subject: feedparser code embedded in calibre and possibly may be out of date and vulnerable
Date: Wed, 8 Aug 2012 10:01:46 +1000
Package: calibre
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt

The calibre package reported potential issues appended to this message.

Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###

feedparser CLONED_IN_SOURCE calibre <unfixed> CVE-2011-1156
feedparser CLONED_IN_SOURCE calibre <unfixed> CVE-2011-1157
feedparser CLONED_IN_SOURCE calibre <unfixed> CVE-2011-1158

### Reports by package:
###

# Package calibre may be vulnerable to the following issues:
#
	CVE-2011-1156
	CVE-2011-1157
	CVE-2011-1158


# SUMMARY: feedparser.py in Universal Feed Parser (aka feedparser or
python-feedparser) before 5.0.1 allows remote attackers to cause a
denial of service (application crash) via a malformed DOCTYPE
declaration.
#

# CVE-2011-1156 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#	feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE calibre <unfixed> CVE-2011-1156


# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py
in Universal Feed Parser (aka feedparser or python-feedparser) 5.x
before 5.0.1 allows remote attackers to inject arbitrary web script or
HTML via malformed XML comments.
#

# CVE-2011-1157 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#	feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE calibre <unfixed> CVE-2011-1157


# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py
in Universal Feed Parser (aka feedparser or python-feedparser) 5.x
before 5.0.1 allows remote attackers to inject arbitrary web script or
HTML via an unexpected URI scheme, as demonstrated by a javascript:
URI.
#

# CVE-2011-1158 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#	feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE calibre <unfixed> CVE-2011-1158





Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Thu, 16 Aug 2012 07:54:05 GMT)


Notification sent to Silvio Cesare <silvio.cesare@gmail.com>:
Bug acknowledged by developer. (Thu, 16 Aug 2012 07:54:05 GMT)


Message #10 received at 684229-done@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Silvio Cesare <silvio.cesare@gmail.com>, 684229-done@bugs.debian.org
Subject: Re: Bug#684229: feedparser code embedded in calibre and possibly may be out of date and vulnerable
Date: Thu, 16 Aug 2012 09:44:54 +0200
Hello Silvio,

Silvio Cesare [2012-08-08 10:01 +1000]:
> The calibre package reported potential issues appended to this message.

Indeed calibre's source package contains a copy of feedparser, but we
have a debian/patches/use-system-feedparser.patch to use the
python-feedparser package and to be double-sure, debian/rules does

  rm debian/tmp/usr/lib/calibre/calibre/web/feeds/feedparser.py

> Apologies if these are false positives. Your help in advising me on
> whether these issues are real will help me improve the analysis for
> the future.

Perhaps you can check the .debs if the code copies are actually
packaged? That wouldn't work for C libraries, but should work well for
scripting languages like Perl, Python, etc.

Closing this bug as the calibre package is not actually affected.

Thanks for doing these scans though, it's really great to have tools
like this! Is there a way to mark this particular issue as "checked,
not a problem" in your tool?

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
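Martin's suggestion above, checking the built .deb rather than the source tree, as an added example that is not part of this bug thread or of Clonewise: a small Python script that reads the data.tar member of a .deb and flags installed paths matching a hypothetical embedded-copies table (here only feedparser.py, the file calibre's debian/rules removes). The sample .deb is constructed inline so the script runs offline.

```python
import io
import tarfile

# Hypothetical table (library -> filename suffixes) standing in for the embedded-code-copies database.
KNOWN_CLONES = {"feedparser": ("/feedparser.py",)}


def ar_members(blob):
    """Yield (name, data) for each member of the ar archive that wraps a .deb."""
    off = 8                                             # skip the b"!<arch>\n" magic
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]                        # fixed 60-byte member header
        name = hdr[:16].decode().rstrip().rstrip("/")   # GNU ar appends "/" to names
        size = int(hdr[48:58].decode().strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)                   # members are 2-byte aligned


def installed_paths(deb_blob):
    """Return the file paths a .deb installs, read from its data.tar.* member."""
    for name, data in ar_members(deb_blob):
        if name.startswith("data.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                return [m.name[2:] if m.name.startswith("./") else m.name
                        for m in tf.getmembers() if m.isfile()]
    return []


def find_embedded_copies(deb_blob):
    """List (library, path) for installed files that look like embedded library copies."""
    return [(lib, path) for path in installed_paths(deb_blob)
            for lib, suffixes in KNOWN_CLONES.items() if path.endswith(suffixes)]


def build_deb(paths):
    """Constructed sample: a minimal .deb (debian-binary + data.tar.gz) installing empty files at `paths`."""
    def tar_gz(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for p in files:
                tf.addfile(tarfile.TarInfo("./" + p), io.BytesIO(b""))
        return buf.getvalue()

    def member(name, data):                             # one ar member: 60-byte header + data
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        return hdr.encode() + data + (b"\n" if len(data) % 2 else b"")

    return (b"!<arch>\n" + member("debian-binary", b"2.0\n")
            + member("data.tar.gz", tar_gz(paths)))


if __name__ == "__main__":
    sample = build_deb(["usr/bin/calibre", "usr/lib/calibre/calibre/web/feeds/feedparser.py"])
    print(find_embedded_copies(sample))
```

On a real package, replace the constructed sample with the bytes of the .deb read from disk; a package whose rules file strips the copy, as calibre's does, yields an empty list.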



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Sep 2012 07:27:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 22:33:22 2024; Machine Name: bembo
