Report forwarded
to debian-bugs-dist@lists.debian.org, Norbert Preining <preining@debian.org>: Bug#892242; Package calibre.
(Wed, 07 Mar 2018 04:51:04 GMT)
Acknowledgement sent
to Jonatan Nyberg <jonatan@autistici.org>:
New Bug report received and forwarded. Copy sent to Norbert Preining <preining@debian.org>.
Your message specified a Severity: in the pseudo-header, but
the severity value high was not recognised.
The default severity normal is being used instead.
The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.
Subject: calibre: E-book viewer: use JSON to prevent malicious bookmark
files from causing code execution
Date: Wed, 07 Mar 2018 05:49:34 +0100
package: calibre
severity: high
Change the file format used to import/export bookmarks to use JSON in
the E-book viewer. This prevents malicious bookmarks files from causing
code execution.
Commit: https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
Regards,
Jonatan
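What the report above is fixing (CVE-2018-7889): the viewer's bookmark manager deserialised an imported bookmarks file with Python's cPickle, and unpickling runs whatever callable the file names, so a crafted bookmarks file gave code execution. The block below is an added illustration written for this page, not calibre's code and not the upstream commit: it shows the unsafe pattern with a benign payload, then a JSON loader that only accepts a whitelisted record shape. The field names (title, pos, type) and the sample CFI string are assumptions made for the example, and the bookmark bytes are constructed inline.

```python
import json
import os
import pickle

# --- Vulnerable pattern: unpickling a file the user imported from anywhere ---

class _Bookmark:
    """Looks like a bookmark record, but pickle lets any object decide what
    the unpickler calls while rebuilding it, via __reduce__."""

    def __reduce__(self):
        # Benign stand-in for an attacker's payload: any importable callable
        # plus arguments. Returning the current pid proves code actually ran.
        return (eval, ("__import__('os').getpid()",))


def build_malicious_pickle() -> bytes:
    """Constructed 'bookmarks file' an attacker could hand to the victim."""
    return pickle.dumps([_Bookmark()])


def demo_untrusted_pickle() -> bool:
    """The loader pattern the fix replaced: pickle.load on imported data.
    Returns True when the payload executed inside the unpickler."""
    result = pickle.loads(build_malicious_pickle())  # the vulnerable call
    return result == [os.getpid()]


# --- Hardened pattern: JSON plus an explicit schema check ---

# Assumed record schema for the example; JSON can only produce plain data
# (str, int, float, bool, None, list, dict), never callables or objects.
BOOKMARK_KEYS = {"title": str, "pos": str, "type": str}


def load_bookmarks_json(data: bytes) -> list:
    """Parse a bookmarks file as JSON and reject anything outside the schema."""
    try:
        doc = json.loads(data.decode("utf-8"))
    except ValueError as exc:  # UnicodeDecodeError and JSONDecodeError both subclass ValueError
        raise ValueError("not a JSON bookmarks file") from exc
    if not isinstance(doc, list):
        raise ValueError("bookmarks file must be a JSON array of records")
    records = []
    for index, entry in enumerate(doc):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {index} is not an object")
        unknown = set(entry) - set(BOOKMARK_KEYS)
        if unknown:
            raise ValueError(f"entry {index} has unexpected keys: {sorted(unknown)}")
        record = {}
        for key, expected_type in BOOKMARK_KEYS.items():
            if key not in entry or not isinstance(entry[key], expected_type):
                raise ValueError(f"entry {index}: missing or mistyped field {key!r}")
            record[key] = entry[key]
        records.append(record)
    return records


def rejects(data: bytes) -> bool:
    """True if the JSON loader refuses the given bytes."""
    try:
        load_bookmarks_json(data)
    except ValueError:
        return True
    return False


# Constructed sample of the safe format (values are illustrative).
SAMPLE_JSON = json.dumps(
    [{"title": "Chapter 3", "pos": "epubcfi(/6/8!/4/2/10)", "type": "cfi"}]
).encode("utf-8")

if __name__ == "__main__":
    print("pickle payload executed:", demo_untrusted_pickle())
    print("json bookmarks:", load_bookmarks_json(SAMPLE_JSON))
    print("pickle bytes rejected by json loader:", rejects(build_malicious_pickle()))
```

The point of the schema check is that switching the serializer removes the code-execution primitive, but the loader still has to validate types and keys before handing records to the UI; JSON alone does not stop a file from smuggling a 50 MB string or a nested array where a record was expected.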
Reply sent
to Norbert Preining <preining@debian.org>:
You have taken responsibility.
(Fri, 09 Mar 2018 15:51:07 GMT)
Notification sent
to Jonatan Nyberg <jonatan@autistici.org>:
Bug acknowledged by developer.
(Fri, 09 Mar 2018 15:51:07 GMT)
Subject: Bug#892242: fixed in calibre 3.19.0+dfsg-1
Date: Fri, 09 Mar 2018 15:50:24 +0000
Source: calibre
Source-Version: 3.19.0+dfsg-1
We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 892242@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Preining <preining@debian.org> (supplier of updated calibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Mar 2018 00:16:43 +0900
Source: calibre
Binary: calibre calibre-bin
Architecture: source amd64 all
Version: 3.19.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Norbert Preining <preining@debian.org>
Changed-By: Norbert Preining <preining@debian.org>
Description:
calibre - powerful and easy to use e-book manager
calibre-bin - powerful and easy to use e-book manager
Closes: 892242
Changes:
calibre (3.19.0+dfsg-1) unstable; urgency=medium
.
* New upstream version 3.19.0+dfsg
- use JSON to prevent malicious bookmark files from causing code execution
(Closes: #892242)
Checksums-Sha1:
392853f01bb0a15dc46f482427287f852d439548 2433 calibre_3.19.0+dfsg-1.dsc
3add00d84fbd35ca8c07fb19cd5cd4cdb2053bcd 37594128 calibre_3.19.0+dfsg.orig.tar.xz
f78e8b8ac265f7adb09565015f3bf4d2da0bdec4 53332 calibre_3.19.0+dfsg-1.debian.tar.xz
5ae8d4a4053b8aafeba5cd085e4fd20076c0dc35 940624 calibre-bin-dbgsym_3.19.0+dfsg-1_amd64.deb
92405f71e2a6c43860f7855a8f0281263123f630 412660 calibre-bin_3.19.0+dfsg-1_amd64.deb
7df105df8a86f670e9698edcbd516bbdf8d1783a 24633120 calibre_3.19.0+dfsg-1_all.deb
5cd597f4b320934d26682edfbe4096980a31fee8 16936 calibre_3.19.0+dfsg-1_amd64.buildinfo
Checksums-Sha256:
35964a4d9dea6a00239ea5c1ca993099f30636b4e565fe0ea436c79a39eab52f 2433 calibre_3.19.0+dfsg-1.dsc
321b27f18174715b7c8cfd9d7df5506f4539f15928988d4a84346a8c2adde32e 37594128 calibre_3.19.0+dfsg.orig.tar.xz
547448aef040e41f2ca0cdf3bc86e89749de3781a52312e94b72b812ff9cac67 53332 calibre_3.19.0+dfsg-1.debian.tar.xz
297e37c4fa20c390b435a3e2ec100f9af3e56d8f2b3700f030a630adfe822bc4 940624 calibre-bin-dbgsym_3.19.0+dfsg-1_amd64.deb
5440ac000429c90e2f626df1d1dd0df5ba6df01d0718cc8be78679968a102125 412660 calibre-bin_3.19.0+dfsg-1_amd64.deb
8716daa6ed4ce4ba91b2a4bc4da5cd8b8fd773d02632e1d7a7faa8f35645cd57 24633120 calibre_3.19.0+dfsg-1_all.deb
44b7d525f13e5b12444c110fd754fe4343836f6de8b034b8ac745b8a82cdb934 16936 calibre_3.19.0+dfsg-1_amd64.buildinfo
Files:
5e1e0dd4749b1c44a602ad828ae46d7f 2433 text optional calibre_3.19.0+dfsg-1.dsc
dc481872759c398aef536916f3f8241d 37594128 text optional calibre_3.19.0+dfsg.orig.tar.xz
78f7d82b13077758e30f95b06f79286a 53332 text optional calibre_3.19.0+dfsg-1.debian.tar.xz
354bd9e908266ea1892c424b00ffbd70 940624 debug optional calibre-bin-dbgsym_3.19.0+dfsg-1_amd64.deb
8ab061e34d5d0ab0d2f2bc6d95e7131c 412660 text optional calibre-bin_3.19.0+dfsg-1_amd64.deb
61df1fa5309a60b27de089f2ba0939da 24633120 text optional calibre_3.19.0+dfsg-1_all.deb
b38f93ac66f7150cc7a6d3ae41886636 16936 text optional calibre_3.19.0+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE68ws0vrA2voQX53I2A4JsIcUAGYFAlqiqKQACgkQ2A4JsIcU
AGYOHggAkYpxLgcQu8Lr7m9jsTqOtiUWkNb3HkZQnh59NSSTPPptj3SEzWaAOGDO
WVTgDL1wX6wS5Itz4AyzquFAFbYV8EZ06lf534bWnqLk8Mp3bB/8IojFLuYg9tHh
veIEqbjNfLfg8BWJReR8igP2ewEbVFWqIWPdRdE3XWU2AwNDRbuAMD6K65/SdqKK
w8v7BWBhJB26ijbeFMfgIJeG7FaGScELEKZZvbO5hy64/X0clt11EKzsQS2pl8qU
1mAkaApS9KqCxPENp0oh7UDl0ghNvoLD2s1kdB2t3K+s2M1pRd/7xgby5QvOIJ7+
8TayktCV5ycJWjG81GpXxc0JofktVg==
=1Uye
-----END PGP SIGNATURE-----
Marked as found in versions calibre/3.18.0+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 10 Mar 2018 07:45:04 GMT)
Added tag(s) upstream, fixed-upstream, and security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 10 Mar 2018 07:45:04 GMT)
Changed Bug title to 'calibre: CVE-2018-7889: E-book viewer: use JSON to prevent malicious bookmark files from causing code execution' from 'calibre: E-book viewer: use JSON to prevent malicious bookmark files from causing code execution'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 10 Mar 2018 07:45:05 GMT)