
calibre / CVE-2016-10187



Here is a diff against the wheezy version. Have tested it against the
exploit at https://bugs.launchpad.net/calibre/+bug/1651728 and it solves
the problem for me.

I have also made this available at:
https://people.debian.org/~bam/debian/pool/main/c/calibre/


diff -Nru calibre-0.8.51+dfsg1/debian/changelog calibre-0.8.51+dfsg1/debian/changelog
--- calibre-0.8.51+dfsg1/debian/changelog	2013-01-17 09:53:25.000000000 +1100
+++ calibre-0.8.51+dfsg1/debian/changelog	2017-03-14 17:36:04.000000000 +1100
@@ -1,3 +1,11 @@
+calibre (0.8.51+dfsg1-0.1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2016-10187: Ensure javascript cannot read from local files.
+    Closes: 853004.
+
+ -- Brian May <bam@debian.org>  Tue, 14 Mar 2017 17:36:04 +1100
+
 calibre (0.8.51+dfsg1-0.1) testing-proposed-updates; urgency=low
 
   * Non-maintainer upload.
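
Review bot: The new changelog entry writes the bug closure as "Closes: 853004."; the conventional form is "Closes: #853004", which matches the rest of the archive and is easier to grep. The entry also does not name the patch it adds (js_no_local_file_access.patch) or say that it is a backport of upstream commit 3a89718664cb8cce0449d1758eee585ed0d0433c. Adding both would let someone auditing this upload trace the fix without opening debian/patches.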
diff -Nru calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch
--- calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch	1970-01-01 10:00:00.000000000 +1000
+++ calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch	2017-03-14 17:35:52.000000000 +1100
@@ -0,0 +1,25 @@
+From 3a89718664cb8cce0449d1758eee585ed0d0433c Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Wed, 21 Dec 2016 17:59:00 +0530
+Subject: [PATCH] E-book viewer: Prevent javascript in the book from accessing
+ files on the computer using XMLHttpRequest. Fixes #1651728 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/1651728)
+
+---
+ src/calibre/gui2/tweak_book/preview.py  | 2 ++
+ src/calibre/gui2/viewer/documentview.py | 3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+Bug: https://launchpad.net/bugs/1651728
+Bug-Debian: https://bugs.debian.org/853004
+
+--- a/src/calibre/gui2/viewer/documentview.py
++++ b/src/calibre/gui2/viewer/documentview.py
+@@ -215,6 +215,7 @@
+         settings.setAttribute(QWebSettings.PluginsEnabled, False)
+         settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
+         settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
++        settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False)  # ensure javascript cannot read from local files
+ 
+         # Miscellaneous
+         settings.setAttribute(QWebSettings.LinksIncludedInFocusChain, True)
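
Review bot: The embedded patch header no longer matches its body: the diffstat lists src/calibre/gui2/tweak_book/preview.py (2 insertions) and documentview.py with "3 +--", "2 files changed, 3 insertions(+), 2 deletions(-)", while the only hunk carried here adds one line to documentview.py and deletes nothing. Either regenerate the diffstat or add a short DEP-3 note (an Origin: field with the upstream commit, plus a line explaining why the preview.py change is omitted in this backport), so a reader does not conclude that half the upstream fix was lost. Since upstream set the same kind of restriction in a second place, it is also worth confirming that no other web view in 0.8.51 renders book content without LocalContentCanAccessFileUrls set to False; the tested exploit only exercises the viewer path changed here.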
diff -Nru calibre-0.8.51+dfsg1/debian/patches/series calibre-0.8.51+dfsg1/debian/patches/series
--- calibre-0.8.51+dfsg1/debian/patches/series	2012-05-14 20:13:47.000000000 +1000
+++ calibre-0.8.51+dfsg1/debian/patches/series	2017-03-14 17:29:33.000000000 +1100
@@ -1,4 +1,5 @@
 # cherrypicked from/accepted into trunk:
+js_no_local_file_access.patch
 
 # sent upstream
 

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

