Acknowledgement sent
to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, little_miry@yahoo.es, mpitt@debian.org, Miriam Ruiz <little_miry@yahoo.es>.
(Sat, 28 Jan 2017 21:00:04 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security: javascript in the book can access files on the computer using XMLHttpRequest?
Date: Sat, 28 Jan 2017 15:56:38 -0500
Package: calibre
Version: 2.71.0+dfsg-1
Severity: critical
File: /usr/bin/ebook-viewer
Tags: security
Hi,
Someone pointed me to this note in the 2.75.1 changelog:
E-book viewer: Prevent javascript in the book from accessing files
on the computer using XMLHttpRequest.
The ticket link (#1651728) is dead so I don't have extra details for
this.
This does seem like a security issue. Considering how little followup
is done by upstream on security issues, I suspect this is not properly
documented anywhere either.
So this is the first step in opening up an investigation about this.
The next step is to figure out which versions are affected and the
severity of this bug.
Someone should also request a CVE at the oss-security mailing list
once this is clarified.
It seems to me we should review the upstream changelog more thoroughly
when a new version is packaged. This way we would have found out about
this issue, which probably affects Debian users already.
A.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages calibre depends on:
ii calibre-bin 2.75.1+dfsg-1
ii fonts-liberation 1:1.07.4-2
ii imagemagick 8:6.9.7.0+dfsg-2
ii imagemagick-6.q16 [imagemagick] 8:6.9.6.6+dfsg-1
ii libjs-mathjax 2.7.0-1
ii poppler-utils 0.48.0-2
ii python-apsw 3.13.0-r1-1
ii python-beautifulsoup 3.2.1-1
ii python-chardet 2.3.0-2
ii python-cherrypy3 3.5.0-2
ii python-cssselect 1.0.0-1
ii python-cssutils 1.0-4.1
ii python-dateutil 2.5.3-2
ii python-dbus 1.2.4-1
ii python-feedparser 5.1.3-3
ii python-imaging 3.4.2-1
ii python-lxml 3.7.1-1
ii python-markdown 2.6.7-1
ii python-mechanize 1:0.2.5-3
ii python-netifaces 0.10.4-0.1+b2
ii python-pil 3.4.2-1
ii python-pkg-resources 32.3.1-1
ii python-pyparsing 2.1.10+dfsg1-1
ii python-pyqt5 5.7+dfsg-4
ii python-pyqt5.qtsvg 5.7+dfsg-4
ii python-pyqt5.qtwebkit 5.7+dfsg-4
ii python-routes 2.3.1-2
ii python2.7 2.7.13-1
ii xdg-utils 1.1.1-1
Versions of packages calibre recommends:
ii python-dnspython 1.15.0-1
calibre suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#853004; Package calibre.
(Sun, 29 Jan 2017 08:39:02 GMT)
Acknowledgement sent
to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sun, 29 Jan 2017 08:39:02 GMT)
To: Antoine Beaupre <anarcat@debian.org>, 853004@bugs.debian.org
Subject: Re: Bug#853004: security: javascript in the book can access files on the computer using XMLHttpRequest?
Date: Sun, 29 Jan 2017 09:35:18 +0100
Control: notfound -1 2.75.1+dfsg-1
Hello Antoine,
Antoine Beaupre [2017-01-28 15:56 -0500]:
> Someone pointed me to this note in the 2.75.1 changelog:
>
> E-book viewer: Prevent javascript in the book from accessing files
> on the computer using XMLHttpRequest.
I did mention this in the 2.75.1 changelog
(https://tracker.debian.org/news/827355), so marking as fixed in the current
testing/unstable version.
The corresponding upstream commit is:
https://github.com/kovidgoyal/calibre/commit/3a89718664cb8c
Martin
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#853004; Package calibre.
(Sun, 29 Jan 2017 15:51:08 GMT)
Acknowledgement sent
to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sun, 29 Jan 2017 15:51:08 GMT)
To: Martin Pitt <mpitt@debian.org>, 853004@bugs.debian.org
Subject: Re: Bug#853004: security: javascript in the book can access files on the computer using XMLHttpRequest?
Date: Sun, 29 Jan 2017 10:48:07 -0500
On 2017-01-29 09:35:18, Martin Pitt wrote:
> Control: notfound -1 2.75.1+dfsg-1
>
> Hello Antoine,
>
> Antoine Beaupre [2017-01-28 15:56 -0500]:
>> Someone pointed me to this note in the 2.75.1 changelog:
>>
>> E-book viewer: Prevent javascript in the book from accessing files
>> on the computer using XMLHttpRequest.
>
> I did mention this in the 2.75.1 changelog
> (https://tracker.debian.org/news/827355), so marking as fixed in the current
> testing/unstable version.
Right, okay.
Next time could you coordinate more closely with the security team?
As a reminder, here's how security bugs should be handled in Debian:
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
In particular, in this case, I believe the process should have been:
1. file a bug in the BTS describing the issue (done now)
2. notify team@security.debian.org of the issue (you can assume this is
done now, as I have noticed the issue, but it would have been
preferable to be proactive)
3. (optionally) request a CVE at OSS-security with a CC upstream:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security
4. upload the package fixing the aforementioned bug (done)
5. (optionally) help the security team backporting the patch to stable
and (even more optionally) to Debian LTS
Point #2, above, is especially important. It's a pure coincidence that a
developer with access to the security tracker (me, in this case) noticed
this issue. I believe it is your responsibility, as package maintainer,
to make sure security issues do not go unnoticed in Debian, so you
should have at least sent an email to team@security.debian.org with this
issue.
Do you want to take care of requesting the CVE?
Are you available to help backporting the patch to jessie?
I am the person that uploaded the backport, so I can take care of that
bit. :)
> The corresponding upstream commit is:
> https://github.com/kovidgoyal/calibre/commit/3a89718664cb8c
I have added this information in the security tracker, thanks!
Are you aware of any other issues in Calibre's history that are not
reflected in the security tracker that could affect currently supported
Debian releases (which go all the way back to Wheezy now, 0.8.51!!):
https://security-tracker.debian.org/tracker/source-package/calibre
Thanks for any feedback!
A.
--
We tend to overestimate the effect of a technology in the short run and
underestimate the effect in the long run.
- Roy Amara
Marked as fixed in versions calibre/2.75.1+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 29 Jan 2017 15:54:11 GMT)
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 29 Jan 2017 15:54:11 GMT)
Notification sent
to Antoine Beaupre <anarcat@debian.org>:
Bug acknowledged by developer.
(Sun, 29 Jan 2017 15:54:12 GMT)
Message sent on
to Antoine Beaupre <anarcat@debian.org>:
Bug#853004.
(Sun, 29 Jan 2017 15:54:14 GMT)
# mark as fixed in version 2.75.1+dfsg-1
close 853004 2.75.1+dfsg-1
thanks
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#853004; Package calibre.
(Sun, 29 Jan 2017 17:15:06 GMT)
Acknowledgement sent
to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sun, 29 Jan 2017 17:15:06 GMT)
Hello Antoine,
Antoine Beaupré [2017-01-29 10:48 -0500]:
> Next time could you coordinate more closely with the security team?
Point taken, sorry about that.
> 3. (optionally) request a CVE at OSS-security with a CC upstream:
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security
Mail sent, you were in CC. Kovid (upstream) already made the original bug
public, which has a reproducer.
> 5. (optionally) help the security team backporting the patch to stable
> and (even more optionally) to Debian LTS
Stretch debdiff with the backported patch attached, this still has some XXXXes
for the pending CVE.
Martin
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#853004; Package calibre.
(Tue, 31 Jan 2017 16:18:02 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Tue, 31 Jan 2017 16:18:02 GMT)
Changed Bug title to 'calibre: CVE-2016-10187: javascript in the book can access files on the computer using XMLHttpRequest' from 'security: javascript in the book can access files on the computer using XMLHttpRequest?'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 853004-submit@bugs.debian.org.
(Tue, 31 Jan 2017 16:18:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#853004; Package calibre.
(Wed, 01 Feb 2017 11:45:02 GMT)
Acknowledgement sent
to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Wed, 01 Feb 2017 11:45:02 GMT)
To: Salvatore Bonaccorso <carnil@debian.org>, 853004@bugs.debian.org
Cc: Antoine Beaupre <anarcat@debian.org>
Subject: Re: Bug#853004: security: javascript in the book can access files on the computer using XMLHttpRequest?
Date: Wed, 1 Feb 2017 12:43:02 +0100
Hello Salvatore,
Salvatore Bonaccorso [2017-01-31 17:15 +0100]:
> This has been assigned CVE-2016-10187, in
Want me to upload the previously sent patch to the queue (with adding the CVE
to the patch/changelog)?
Martin
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#853004; Package calibre.
(Thu, 16 Feb 2017 22:39:03 GMT)
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Thu, 16 Feb 2017 22:39:03 GMT)
Cc: Salvatore Bonaccorso <carnil@debian.org>, 853004@bugs.debian.org, Antoine Beaupre <anarcat@debian.org>
Subject: Re: Bug#853004: security: javascript in the book can access files on the computer using XMLHttpRequest?
Date: Thu, 16 Feb 2017 23:34:32 +0100
On Wed, Feb 01, 2017 at 12:43:02PM +0100, Martin Pitt wrote:
> Hello Salvatore,
>
> Salvatore Bonaccorso [2017-01-31 17:15 +0100]:
> > This has been assigned CVE-2016-10187, in
>
> Want me to upload the previously sent patch to the queue (with adding the CVE
> to the patch/changelog)?
Yes, could you please prepare a jessie update for
https://security-tracker.debian.org/tracker/CVE-2016-10187?
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 17 Mar 2017 07:24:43 GMT)