Re: calibre / CVE-2018-7889

To: debian-lts@lists.debian.org
Subject: Re: calibre / CVE-2018-7889
From: Brian May <bam@debian.org>
Date: Wed, 11 Apr 2018 17:55:54 +1000
Message-id: <[🔎] 87d0z6b2id.fsf@silverfish.pri>
In-reply-to: <[🔎] 87fu42b3e2.fsf@silverfish.pri>
References: <[🔎] 87woxfbjvp.fsf@silverfish.pri> <[🔎] 87fu42b3e2.fsf@silverfish.pri>

Brian May <bam@debian.org> writes:

> As far as I can tell, the upstream patch for CVE-2018-7889 has changes
> that aren't related to the security issue. Or it could be a fix for the
> metadata.db issue, but if so I am completely confused because it doesn't
> actually appear to touch the vulnerable call to cPickle.

It looks like this is the fix for the metada.db issue (and other cPickle
stuff removed):

https://github.com/kovidgoyal/calibre/commit/9adc3b0ffb76092682bb05c8785889520ab83f22
https://github.com/kovidgoyal/calibre/commit/690698170297b7f9a0b3b515ff506605e53e3fb9
-- 
Brian May <bam@debian.org>

Reply to:

References:
- calibre / CVE-2018-7889
  - From: Brian May <bam@debian.org>
- Re: calibre / CVE-2018-7889
  - From: Brian May <bam@debian.org>

Prev by Date: Re: calibre / CVE-2018-7889
Next by Date: finding packages after no-dsa
Previous by thread: Re: calibre / CVE-2018-7889
Next by thread: Re: calibre / CVE-2018-7889
Index(es):
- Date
- Thread