Re: calibre / CVE-2018-7889

To: debian-lts@lists.debian.org
Subject: Re: calibre / CVE-2018-7889
From: Brian May <bam@debian.org>
Date: Thu, 12 Apr 2018 16:29:05 +1000
Message-id: <[🔎] 874lkhaqfi.fsf@silverfish.pri>
In-reply-to: <[🔎] 87in8x326u.fsf@curie.anarc.at>
References: <[🔎] 87woxfbjvp.fsf@silverfish.pri> <[🔎] 87in8x326u.fsf@curie.anarc.at>

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> I would personnally suggest removing calibre from LTS-supported packages
> completely. I'm an occasional Calibre user and I almost exclusively rely
> on backports to do anything. I would assume that most people use Calibre
> to talk to ebook readers (although that might not be a fair assumption),
> which are frequently updated, even in older devices. Even in stretch
> right now I built an unpublished backport from testing to get it talk
> with my Kobo.
>
> So long story short, the package is not requested by sponsors and I
> would be very surprised if anyone was running the actual version that is
> in wheezy (0.8.51!). If anything, people on wheezy are more likely to
> run the version from wheezy-backports which is also seriously outdated
> (1.22, not present in any other suite).

My personal (shortsighted?) view is I tend to think of packages like
calibre as desktop applications, and desktop users are probably not
really the target for LTS.

> So I would propose:
>
>  1. removing the package from dla-needed.txt
>
>  2. adding the package as unsupported in debian-security-support
>
>  3. (do we send end-of-life announcements to debian-lts-announce when we
>  do that?)

Sounds good to me. Anyone have any objections?

I don't think we do 3, at least I don't remember ever seeing anything
like that.

> That said, I haven't looked at the details of the patch, but metadata
> information is constantly rewritten by calibre. I've always considered
> it was disposable data that Calibre regenerates on a whim.

Ok, this eases some of my concerns.

> Besides, my feeling with Calibre is that it is a security liability: it
> has a fairly "interesting" history, shipping a suid helper that (if i
> remember correctly) could be abused for local arbitrary code execution,
> for example. I would be weary of any untrusted data input into Calibre,
> in general. I'm personally looking for alternatives to manage my media
> library at this point.

I wasn't aware it needed a suid helper. In any case, sounds like a good
argument for moving calibre to the not supported list.

(if you do find a good alternative, I would be interested as well...)
-- 
Brian May <bam@debian.org>

Reply to:

References:
- calibre / CVE-2018-7889
  - From: Brian May <bam@debian.org>
- Re: calibre / CVE-2018-7889
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: tiff updates
Next by Date: patch / CVE-2018-1000156
Previous by thread: Re: calibre / CVE-2018-7889
Next by thread: Re: calibre / CVE-2018-7889
Index(es):
- Date
- Thread