Acknowledgement sent to Jens Schmidt <crashdump@meine-dateien.info>: New Bug report received and forwarded. Copy sent to crashdump@meine-dateien.info, Miriam Ruiz <little_miry@yahoo.es>. (Thu, 31 Aug 2017 08:09:07 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: calibre: Security risk and possible backdoor when fetching news
Date: Thu, 31 Aug 2017 10:07:25 +0200
Package: calibre
Version: 3.4.0+dfsg-1
Severity: normal
Dear Maintainer,
I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some
generated ebooks contain typos. The mistakes are located in a so-called
"news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip. I
tried to edit the recipe code, but the mistakes remain in the ebooks. I wrote my own
custom recipe, I edited the built-in recipe in the ZIP archive - nothing helps. As a
last try I switched off the network and had success. That made me curious, so I
repeated the procedure with Wireshark logging the network traffic. The result:
Calibre completely ignores the built-in recipes and loads Python scripts from a
server in Mumbai/India: https://code.calibre-ebook.com:443/... (using a self-signed
wildcard certificate)
It's an absolute taboo to load scripts in the background from an untrusted server
and execute them on a Linux computer without the user's permission and without
informing the user. This is a Debian OS, not Windows. What if the scripts
contain malware or spyware?
My workaround is to remove /usr/share/calibre/calibre-ebook-root-CA.crt. That
breaks the unwanted HTTPS connections.
Here is a test script for verifying. It runs in a terminal without needing to
start Calibre:
-----
#!/bin/sh
# Fetch one built-in news recipe with ebook-convert and log the run.
# Works from a terminal or from cron; the Calibre GUI does not need to be running.
TARGET="$HOME/test"            # test directory
LABEL="Pro-Physik"
RECIPE="Pro Physik.recipe"     # built-in recipe name as accepted by ebook-convert
PROFILE="kindle"
FORMAT="mobi"
EBOOK="$TARGET/$LABEL.$FORMAT"
EXEC="/usr/bin/ebook-convert"
LOG="$TARGET/fetch.log"
mkdir -p "$TARGET"
exec >> "$LOG" 2>&1
# printf instead of 'echo -e': /bin/sh is dash here, whose echo prints "-e" literally
printf '\n*** fetching %s ****\n' "$LABEL"
"$EXEC" "$RECIPE" "$EBOOK" --output-profile "$PROFILE"
-----
BTW: "Pro Physik.recipe" is a python script archived in
/usr/share/calibre/builtin_recipes.zip and contains some typos.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.6-bulldozer (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages calibre depends on:
ii calibre-bin 3.4.0+dfsg-1
ii fonts-liberation 1:1.07.4-2
ii imagemagick 8:6.9.7.4+dfsg-16
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-16
ii libjs-coffeescript 1.10.0~dfsg-1
ii libjs-mathjax 2.7.0-2
ii poppler-utils 0.48.0-2
ii python-apsw 3.16.2-r1-2+b1
ii python-beautifulsoup 3.2.1-1
ii python-chardet 3.0.4-1
ii python-cherrypy3 3.5.0-2
ii python-cssselect 1.0.1-1
ii python-cssutils 1.0-4.1
ii python-dateutil 2.6.0-1
ii python-dbus 1.2.4-1+b2
ii python-feedparser 5.1.3-3
ii python-lxml 3.8.0-1+b1
ii python-markdown 2.6.9-1
ii python-mechanize 1:0.2.5-3
ii python-msgpack 0.4.8-1+b1
ii python-netifaces 0.10.4-0.1+b3
ii python-pil 4.2.1-1
ii python-pkg-resources 36.2.7-2
ii python-pyparsing 2.1.10+dfsg1-1
ii python-pyqt5 5.7+dfsg-5+b1
ii python-pyqt5.qtsvg 5.7+dfsg-5+b1
ii python-pyqt5.qtwebkit 5.7+dfsg-5+b1
ii python-regex 0.1.20170117-1+b1
ii python-routes 2.4.1-1
ii python2.7 2.7.13-2
ii xdg-utils 1.1.1-1
Versions of packages calibre recommends:
ii python-dnspython 1.15.0-1
calibre suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Preining <norbert@preining.info>: Bug#873795; Package calibre. (Sun, 10 Feb 2019 04:12:41 GMT)
Acknowledgement sent to Nicholas D Steeves <nsteeves@gmail.com>: Extra info received and forwarded to list. Copy sent to Norbert Preining <norbert@preining.info>. (Sun, 10 Feb 2019 04:12:41 GMT)
To: 873795@bugs.debian.org, 873795-submitter@bugs.debian.org
Subject: Please confirm if bug affects a supported Calibre version
Date: Sat, 9 Feb 2019 21:08:44 -0700
Control: tag -1 + moreinfo
Hi,
This bug refers to an old (or ancient!) version of Calibre. If you're
running Debian 10 (Stretch), please update this bug by confirming if
it exists in calibre-2.75.1+dfsg-1 (version in Debian 9/Stretch). If
that version is bad, please enable stretch-backports and confirm
whether 3.31.0+dfsg-1~bpo9+1 is affected.
Alternatively, if you're running buster/sid, please confirm if
3.39.1+dfsg-1 is affected.
Thanks!
Nicholas
Added tag(s) moreinfo. Request was from Nicholas D Steeves <nsteeves@gmail.com> to 873795-submit@bugs.debian.org. (Sun, 10 Feb 2019 04:12:41 GMT)
Message sent on to Jens Schmidt <crashdump@meine-dateien.info>: Bug#873795. (Sun, 10 Feb 2019 04:13:21 GMT)
Owner recorded as nsteeves@gmail. Request was from Nicholas D Steeves <nsteeves@gmail.com> to control@bugs.debian.org. (Sun, 10 Feb 2019 04:24:21 GMT)
Owner changed from nsteeves@gmail to nsteeves@gmail.com. Request was from Nicholas D Steeves <nsteeves@gmail.com> to control@bugs.debian.org. (Tue, 12 Feb 2019 07:57:04 GMT)
Acknowledgement sent to Nicholas D Steeves <nsteeves@gmail.com>: Extra info received and forwarded to list. Copy sent to Norbert Preining <norbert@preining.info>, nsteeves@gmail.com. (Sat, 21 Sep 2019 18:09:04 GMT)
Control: tags = confirmed
Control: severity = important
On Thu, Aug 31, 2017 at 10:07:25AM +0200, Jens Schmidt wrote:
> Package: calibre
> Version: 3.4.0+dfsg-1
> Severity: normal
>
> Dear Maintainer,
>
> I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some
> generated ebooks contain typos. The mistakes are located in a so-called
> "news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip. I
> tried to edit the recipe code, but the mistakes remain in the ebooks. I wrote my own
> custom recipe, I edited the built-in recipe in the ZIP archive - nothing helps. As a
> last try I switched off the network and had success. That made me curious, so I
> repeated the procedure with Wireshark logging the network traffic. The result:
>
> Calibre completely ignores the built-in recipes and loads Python scripts from a
> server in Mumbai/India: https://code.calibre-ebook.com:443/... (using a self-signed
> wildcard certificate)
>
> It's an absolute taboo to load scripts in the background from an untrusted server
> and execute them on a Linux computer without the user's permission and without
> informing the user. This is a Debian OS, not Windows. What if the scripts
> contain malware or spyware?
>
Assuming good faith in the upstream, this is still a privacy breach,
so I agree we ought to do something about this. Here is everywhere
this website is mentioned in the source code for debian/3.48.0+dfsg-1.
$ ag code.calibre-ebook.com
setup/linux-installer.py
644: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
666: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
setup/linux-installer.sh
693: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
715: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
src/calibre/ebooks/metadata/sources/update.py
95: 'https://code.calibre-ebook.com/metadata-sources/hashes.json')
112: raw = get_https_resource_securely('https://code.calibre-ebook.com/metadata-sources/' + name)
src/calibre/gui2/dialogs/plugin_updater.py
28:SERVER = 'https://code.calibre-ebook.com/plugins/'
src/calibre/gui2/store/loader.py
29:def download_updates(ver_map={}, server='https://code.calibre-ebook.com'):
src/calibre/gui2/update.py
24:URL = 'https://code.calibre-ebook.com/latest'
src/calibre/gui2/icon_theme.py
48:BASE_URL = 'https://code.calibre-ebook.com/icon-themes/'
src/calibre/utils/https.py
217: print(get_https_resource_securely('https://code.calibre-ebook.com/latest'))
src/calibre/web/feeds/recipes/collection.py
224: 'https://code.calibre-ebook.com/recipe-compressed/'+urn,
headers={'CALIBRE-INSTALL-UUID':prefs['installation_uuid']}))
Norbert, do you agree the best thing to do would be to
1. Provide user confirmation dialogue (for consent)
2. Disable access (users would need to use backports to get new
recipes)
Regards,
Nicholas
Added tag(s) confirmed. Request was from Nicholas D Steeves <nsteeves@gmail.com> to control@bugs.debian.org. (Sat, 21 Sep 2019 18:45:02 GMT)
Severity set to 'important' from 'normal'. Request was from Nicholas D Steeves <nsteeves@gmail.com> to control@bugs.debian.org. (Sat, 21 Sep 2019 18:45:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Preining <norbert@preining.info>, nsteeves@gmail.com: Bug#873795; Package calibre. (Fri, 04 Oct 2019 04:00:03 GMT)
Acknowledgement sent to devnull@iamdevnull.info: Extra info received and forwarded to list. Copy sent to Norbert Preining <norbert@preining.info>, nsteeves@gmail.com. (Fri, 04 Oct 2019 04:00:03 GMT)
Subject: Re: Bug#873795: calibre: Security risk and possible backdoor when fetching news
Date: Thu, 3 Oct 2019 23:52:18 -0400
On Sat, 21 Sep 2019 14:06:28 -0400 Nicholas D Steeves <nsteeves@gmail.com> wrote:
> Control: tags = confirmed
> Control: severity = important
>
> On Thu, Aug 31, 2017 at 10:07:25AM +0200, Jens Schmidt wrote:
> > Package: calibre
> > Version: 3.4.0+dfsg-1
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some
> > generated ebooks contain typos. The mistakes are located in a so-called
> > "news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip. I
> > tried to edit the recipe code, but the mistakes remain in the ebooks. I wrote my own
> > custom recipe, I edited the built-in recipe in the ZIP archive - nothing helps. As a
> > last try I switched off the network and had success. That made me curious, so I
> > repeated the procedure with Wireshark logging the network traffic. The result:
> >
> > Calibre completely ignores the built-in recipes and loads Python scripts from a
> > server in Mumbai/India: https://code.calibre-ebook.com:443/... (using a self-signed
> > wildcard certificate)
> >
> > It's an absolute taboo to load scripts in the background from an untrusted server
> > and execute them on a Linux computer without the user's permission and without
> > informing the user. This is a Debian OS, not Windows. What if the scripts
> > contain malware or spyware?
> >
>
> Assuming good faith in the upstream, this is still a privacy breach,
> so I agree we ought to do something about this. Here is everywhere
> this website is mentioned in the source code for debian/3.48.0+dfsg-1.
>
> $ ag code.calibre-ebook.com
> setup/linux-installer.py
> 644: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
> 666: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
>
> setup/linux-installer.sh
> 693: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
> 715: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
>
> src/calibre/ebooks/metadata/sources/update.py
> 95: 'https://code.calibre-ebook.com/metadata-sources/hashes.json')
> 112: raw = get_https_resource_securely('https://code.calibre-ebook.com/metadata-sources/' + name)
>
> src/calibre/gui2/dialogs/plugin_updater.py
> 28:SERVER = 'https://code.calibre-ebook.com/plugins/'
>
> src/calibre/gui2/store/loader.py
> 29:def download_updates(ver_map={}, server='https://code.calibre-ebook.com'):
>
> src/calibre/gui2/update.py
> 24:URL = 'https://code.calibre-ebook.com/latest'
>
> src/calibre/gui2/icon_theme.py
> 48:BASE_URL = 'https://code.calibre-ebook.com/icon-themes/'
>
> src/calibre/utils/https.py
> 217: print(get_https_resource_securely('https://code.calibre-ebook.com/latest'))
>
Dear Maintainer,
I hope I'm not following up on this bug too soon, but I'm curious as to
the status of this bug, as I am a current user of calibre. Are there any
changes either upstream or written by yourself to stop this third-party
code execution?
I was notified of this bug during a routine 'apt-get upgrade' to the most
recent backported version of this program. (3.39.1+dfsg-3!bpo9+1)
--
/dev/null
4057 0DA0 0983 FFA1 8756 670F 754A 0CB9 A367 275B
https://devnull.iamdevnull.info/devnull.gpg
Information forwarded to debian-bugs-dist@lists.debian.org, Calibre maintainer team <team+calibre@tracker.debian.org>, nsteeves@gmail.com: Bug#873795; Package calibre. (Tue, 04 Aug 2020 13:39:02 GMT)
Acknowledgement sent to Nicholas D Steeves <nsteeves@gmail.com>: Extra info received and forwarded to list. Copy sent to Calibre maintainer team <team+calibre@tracker.debian.org>, nsteeves@gmail.com. (Tue, 04 Aug 2020 13:39:02 GMT)
Control: noowner -1
Justification: lack of free time
Hi,
On Thu, Oct 03, 2019 at 11:52:18PM -0400, Dev Null wrote:
> On Sat, 21 Sep 2019 14:06:28 -0400 Nicholas D Steeves <nsteeves@gmail.com> wrote:
[snip]
> > On Thu, Aug 31, 2017 at 10:07:25AM +0200, Jens Schmidt wrote:
> > > Package: calibre
> > > Version: 3.4.0+dfsg-1
> > > Severity: normal
> > >
> > > Dear Maintainer,
> > >
> > > I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some
> > > generated ebooks contain typos. The mistakes are located in a so-called
> > > "news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip. I
> > > tried to edit the recipe code, but the mistakes remain in the ebooks. I wrote my own
> > > custom recipe, I edited the built-in recipe in the ZIP archive - nothing helps. As a
> > > last try I switched off the network and had success. That made me curious, so I
> > > repeated the procedure with Wireshark logging the network traffic. The result:
> > >
> > > Calibre completely ignores the built-in recipes and loads Python scripts from a
> > > server in Mumbai/India: https://code.calibre-ebook.com:443/... (using a self-signed
> > > wildcard certificate)
> > >
> > > It's an absolute taboo to load scripts in the background from an untrusted server
> > > and execute them on a Linux computer without the user's permission and without
> > > informing the user. This is a Debian OS, not Windows. What if the scripts
> > > contain malware or spyware?
> > >
> >
> > Assuming good faith in the upstream, this is still a privacy breach,
> > so I agree we ought to do something about this. Here is everywhere
> > this website is mentioned in the source code for debian/3.48.0+dfsg-1.
> >
> > $ ag code.calibre-ebook.com
> > setup/linux-installer.py
> > 644: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
> > 666: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
> >
> > setup/linux-installer.sh
> > 693: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
> > 715: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
> >
> > src/calibre/ebooks/metadata/sources/update.py
> > 95: 'https://code.calibre-ebook.com/metadata-sources/hashes.json')
> > 112: raw = get_https_resource_securely('https://code.calibre-ebook.com/metadata-sources/' + name)
> >
> > src/calibre/gui2/dialogs/plugin_updater.py
> > 28:SERVER = 'https://code.calibre-ebook.com/plugins/'
> >
> > src/calibre/gui2/store/loader.py
> > 29:def download_updates(ver_map={}, server='https://code.calibre-ebook.com'):
> >
> > src/calibre/gui2/update.py
> > 24:URL = 'https://code.calibre-ebook.com/latest'
> >
> > src/calibre/gui2/icon_theme.py
> > 48:BASE_URL = 'https://code.calibre-ebook.com/icon-themes/'
> >
> > src/calibre/utils/https.py
> > 217: print(get_https_resource_securely('https://code.calibre-ebook.com/latest'))
> >
>
> Dear Maintainer,
>
> I hope I'm not following up on this bug too soon, but I'm curious as to
> the status of this bug, as I am a current user of calibre. Are there any
> changes either upstream or written by yourself to stop this third-party
> code execution?
>
You're not following up on it too soon :-) As far as I know, nothing
has been done yet, but I could be wrong. From what I can tell, the
available options at this time are a patch to 1) present the user with a
warning yes||no confirmation box, 2) disable the fetch & execution -- I
think this would effectively break news fetching functionality if a news
website changed, and would block access to the new news website
options 3) Convince upstream to update in a more secure way. Given
that they consider our package "buggy/outdated" and advocate a "wget
-nv -O- https://foo.com/please-root-me.sh | sudo sh /dev/stdin"
installation method I'm not sure how successful this will be.
> I was notified of this bug during a routine 'apt-get upgrade' to the most
> recent backported version of this program. (3.39.1+dfsg-3!bpo9+1)
>
Sorry that it's not possible to backport a newer version; that's not
possible because the Calibre in testing requires a newer version of
Qt5, and backporting that would break buster (Debian 10). Thus,
blocked. From what I've been able to gather it's not possible to
flatpak a Debian package, nor provide an AppImage consisting of Debian
packages, so it's starting to look like there is no good solution for
buster... Maybe someone with experience containerising Debian
packages in Docker could provide a solution; due to lack of free time
it's unlikely I will be that person.
I'm not sure how effective flatpak isolation is in Debian buster, nor
who maintains this package, but a flatpak package for Calibre 4.22
does exist:
https://www.flathub.org/apps/details/com.calibre_ebook.calibre
Regards,
Nicholas
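The two fixes Nicholas floats, in September 2019 (a consent dialogue, or disabling the fetch) and again just above (options 1 and 2), as an added example in Python. This is not calibre's code and not a Debian patch: it reads the recipe from a constructed in-memory stand-in for builtin_recipes.zip, contacts a simulated server only when the user has opted in, falls back to the built-in copy when the fetch is refused or fails (the situation the reporter creates by removing the CA file), and omits the CALIBRE-INSTALL-UUID header that collection.py sends unless that is explicitly permitted. The recipe source, the ZIP contents, the fake servers and the User-Agent string are all made up for the example; that recipes sit in the archive under their ".recipe" file name is an assumption.

```python
import io
import zipfile
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the entries of /usr/share/calibre/builtin_recipes.zip.
# Assumption: a recipe is stored under its ".recipe" file name. The source is
# invented and is not the real "Pro Physik" recipe.
CONSTRUCTED_BUILTIN_RECIPES: Dict[str, str] = {
    "Pro Physik.recipe": (
        "class ProPhysik(BasicNewsRecipe):\n"
        "    title = 'Pro Physik'\n"
        "    feeds = [('News', 'https://example.invalid/feed')]\n"
    ),
}

RemoteFetcher = Callable[[str], Optional[str]]


def make_builtin_zip(recipes: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP shaped like builtin_recipes.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, source in recipes.items():
            zf.writestr(name, source)
    return buf.getvalue()


def request_headers(installation_uuid: str, send_uuid: bool = False) -> Dict[str, str]:
    """Headers for a recipe download; the per-installation UUID is opt-in only,
    so consenting to a fetch does not silently consent to tracking."""
    headers = {"User-Agent": "recipe-fetch-example/0"}  # hypothetical agent string
    if send_uuid:
        headers["CALIBRE-INSTALL-UUID"] = installation_uuid
    return headers


def load_recipe(
    name: str,
    zip_bytes: bytes,
    allow_network: bool = False,
    fetch_remote: Optional[RemoteFetcher] = None,
    log: Optional[Callable[[str], None]] = None,
) -> Tuple[str, str]:
    """Return (recipe_source, origin), origin being 'builtin' or 'remote'.

    The built-in copy is read first, so a refused or failed fetch never leaves
    the caller without a recipe. The remote copy wins only when the user opted
    in AND a fetcher exists AND the fetch succeeded; the complaint in this bug
    is that calibre takes the remote copy unconditionally.
    """
    log = log or (lambda _msg: None)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        builtin = zf.read(name).decode("utf-8") if name in zf.namelist() else None

    if not allow_network:
        log(f"network fetch of {name!r} refused: user has not opted in")
    elif fetch_remote is None:
        log(f"network allowed for {name!r} but no fetcher configured")
    else:
        try:
            remote = fetch_remote(name)
        except OSError as exc:  # DNS failure, refused TLS handshake, missing CA, ...
            log(f"remote fetch of {name!r} failed ({exc}); using built-in copy")
        else:
            if remote:
                log(f"using remote copy of {name!r}")
                return remote, "remote"
            log(f"server has no copy of {name!r}; using built-in copy")

    if builtin is None:
        raise FileNotFoundError(f"{name!r} is neither built in nor fetched")
    return builtin, "builtin"


def demo() -> Dict[str, str]:
    """Exercise the three cases a packager cares about; returns origin per case."""
    zip_bytes = make_builtin_zip(CONSTRUCTED_BUILTIN_RECIPES)
    name = "Pro Physik.recipe"

    def fake_server(recipe: str) -> Optional[str]:  # stands in for code.calibre-ebook.com
        return "# newer upstream copy\n" + CONSTRUCTED_BUILTIN_RECIPES[recipe]

    def failing_server(recipe: str) -> Optional[str]:  # simulated TLS failure
        raise OSError("certificate verify failed")

    return {
        "opted_out": load_recipe(name, zip_bytes, False, fake_server, print)[1],
        "opted_in": load_recipe(name, zip_bytes, True, fake_server, print)[1],
        "opted_in_fetch_fails": load_recipe(name, zip_bytes, True, failing_server, print)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the three origins (builtin, remote, builtin) with a log line explaining each decision; wiring a real consent dialogue in means setting allow_network from the answer and passing a fetcher that uses request_headers(), nothing else in load_recipe changes.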
Removed annotation that Bug was owned by nsteeves@gmail.com. Request was from Nicholas D Steeves <nsteeves@gmail.com> to 873795-submit@bugs.debian.org. (Tue, 04 Aug 2020 13:39:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Calibre maintainer team <team+calibre@tracker.debian.org>: Bug#873795; Package calibre. (Tue, 04 Aug 2020 15:03:02 GMT)
Acknowledgement sent to Norbert Preining <norbert@preining.info>: Extra info received and forwarded to list. Copy sent to Calibre maintainer team <team+calibre@tracker.debian.org>. (Tue, 04 Aug 2020 15:03:02 GMT)
To: Nicholas D Steeves <nsteeves@gmail.com>, 873795@bugs.debian.org
Cc: devnull@iamdevnull.info
Subject: Re: Bug#873795: calibre: Security risk and possible backdoor when fetching news
Date: Wed, 5 Aug 2020 00:01:03 +0900
Hi all,
On Tue, 04 Aug 2020, Nicholas D Steeves wrote:
> options 3) Convince upstream to update in a more secure way. Given
> that they consider our package "buggy/outdated" and advocate a "wget
> -nv -O- https://foo.com/please-root-me.sh | sudo sh /dev/stdin"
> installation method I'm not sure how successful this will be.
Here I have to disagree. I have worked with upstream and they are quite
content with the current state of calibre in Debian since it is very
close to what they ship. So, if we want something done, it can be
proposed, but of course providing patches would always be better.
Best
Norbert
--
PREINING Norbert https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13