calibre / CVE-2016-10187
Here is a diff against the wheezy version. Have tested it against the
exploit at https://bugs.launchpad.net/calibre/+bug/1651728 and it solves
the problem for me.
I have also made this available at:
https://people.debian.org/~bam/debian/pool/main/c/calibre/
diff -Nru calibre-0.8.51+dfsg1/debian/changelog calibre-0.8.51+dfsg1/debian/changelog
--- calibre-0.8.51+dfsg1/debian/changelog 2013-01-17 09:53:25.000000000 +1100
+++ calibre-0.8.51+dfsg1/debian/changelog 2017-03-14 17:36:04.000000000 +1100
@@ -1,3 +1,11 @@
+calibre (0.8.51+dfsg1-0.1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2016-10187: Ensure javascript cannot read from local files.
+ Closes: 853004.
+
+ -- Brian May <bam@debian.org> Tue, 14 Mar 2017 17:36:04 +1100
+
calibre (0.8.51+dfsg1-0.1) testing-proposed-updates; urgency=low
* Non-maintainer upload.
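Review bot: the new entry's "CVE-2016-10187: Ensure javascript cannot read from local files." line does not say which patch carries the fix. Name debian/patches/js_no_local_file_access.patch there and note that it is taken from upstream commit 3a89718664cb8cce0449d1758eee585ed0d0433c, so the changelog can be matched to the series change and to the upstream fix without opening the patch.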
diff -Nru calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch
--- calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch 1970-01-01 10:00:00.000000000 +1000
+++ calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch 2017-03-14 17:35:52.000000000 +1100
@@ -0,0 +1,25 @@
+From 3a89718664cb8cce0449d1758eee585ed0d0433c Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Wed, 21 Dec 2016 17:59:00 +0530
+Subject: [PATCH] E-book viewer: Prevent javascript in the book from accessing
+ files on the computer using XMLHttpRequest. Fixes #1651728 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/1651728)
+
+---
+ src/calibre/gui2/tweak_book/preview.py | 2 ++
+ src/calibre/gui2/viewer/documentview.py | 3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+Bug: https://launchpad.net/bugs/1651728
+Bug-Debian: https://bugs.debian.org/853004
+
+--- a/src/calibre/gui2/viewer/documentview.py
++++ b/src/calibre/gui2/viewer/documentview.py
+@@ -215,6 +215,7 @@
+ settings.setAttribute(QWebSettings.PluginsEnabled, False)
+ settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
+ settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
++ settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
+
+ # Miscellaneous
+ settings.setAttribute(QWebSettings.LinksIncludedInFocusChain, True)
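Review bot: the embedded patch header does not match the patch body. The diffstat lists src/calibre/gui2/tweak_book/preview.py (2 ++) and documentview.py (3 +--) with "2 files changed, 3 insertions(+), 2 deletions(-)", but the only hunk here is a one-line addition at documentview.py line 215 and nothing touches preview.py. Drop or regenerate the stale diffstat and add a short header note saying this is an adapted backport and why the preview.py part and the two upstream deletions are left out of 0.8.51, so a later reader can tell the difference from upstream is intentional. The test against the Launchpad exploit mentioned in the mail would also be worth recording in that header.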
diff -Nru calibre-0.8.51+dfsg1/debian/patches/series calibre-0.8.51+dfsg1/debian/patches/series
--- calibre-0.8.51+dfsg1/debian/patches/series 2012-05-14 20:13:47.000000000 +1000
+++ calibre-0.8.51+dfsg1/debian/patches/series 2017-03-14 17:29:33.000000000 +1100
@@ -1,4 +1,5 @@
# cherrypicked from/accepted into trunk:
+js_no_local_file_access.patch
# sent upstream
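Review bot: js_no_local_file_access.patch is inserted directly under the "# cherrypicked from/accepted into trunk:" heading, ahead of whatever entries already follow it. Patches are applied in series order, so confirm the whole series still applies cleanly with this one first, or append it at the end of that section so that existing patches keep the context they were generated against.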
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/