Re: calibre / CVE-2018-7889

Brian May <bam@debian.org> writes:

> Won't this break existing installs by making existing data inaccessible?

Maybe not. If I am reading the code correctly, for bookmarks this only
affects imports/exports, not the datastore for bookmarks.

Possibly the same for the metadata.db data too, although as far as I can
tell, CVE-2018-7889 doesn't actually cover this vulnerability. I am not
sure there is a CVE for this, however.

As far as I can tell, the upstream patch for CVE-2018-7889 has changes
that aren't related to the security issue. Or it could be a fix for the
metadata.db issue, but if so I am completely confused because it doesn't
actually appear to touch the vulnerable call to cPickle.

Brian May <bam@debian.org>
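The thread turns on a single idea: calling cPickle.load on a file the user imports lets that file run code. The example below is added here to illustrate that pattern and two ways of closing it; it is not calibre code and not part of the upstream patch. It uses Python 3's pickle (cPickle is the Python 2 name for the same module), a made-up bookmark record shape (title and position strings), and a harmless recorder function in place of the os.system call a real payload would carry, so the effect is observable without side effects.

```python
import io
import json
import pickle

# Stand-in for an attacker's side effect: a real payload would reference
# something like os.system instead. Constructed for this example.
EXECUTED = []


def _record(tag):
    EXECUTED.append(tag)
    return tag


class _Payload:
    """An object whose unpickling calls a function of the attacker's choice.

    pickle stores the tuple returned by __reduce__; on load it imports the
    callable by name and calls it with the arguments. That is the whole bug:
    untrusted bytes decide which function runs.
    """

    def __reduce__(self):
        return (_record, ("code ran during unpickling",))


def build_malicious_bookmark_file():
    """Constructed sample of what a hostile 'bookmark export' can contain."""
    return pickle.dumps(_Payload())


def build_legit_bookmark_file():
    """Constructed sample of a benign pickled bookmark list (hypothetical shape)."""
    return pickle.dumps([{"title": "Chapter 1", "pos": "/2/4/2:0"}])


def load_bookmarks_unsafe(data):
    """Vulnerable pattern: deserialise untrusted bytes with pickle."""
    return pickle.loads(data)


def load_bookmarks_safe(data):
    """Hardened pattern: a data-only format (JSON) plus an explicit schema check.

    Raises ValueError (which json.JSONDecodeError and UnicodeDecodeError both
    subclass) on anything that is not a list of {title, pos} string pairs.
    """
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, list):
        raise ValueError("bookmarks must be a list")
    out = []
    for entry in obj:
        if not isinstance(entry, dict):
            raise ValueError("bookmark entry must be an object")
        title, pos = entry.get("title"), entry.get("pos")
        if not isinstance(title, str) or not isinstance(pos, str):
            raise ValueError("title and pos must be strings")
        out.append({"title": title, "pos": pos})
    return out


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Fallback when the on-disk format cannot change yet.

    Plain lists, dicts, strings and numbers never need find_class, so they
    load; any global reference (the hook every pickle payload relies on)
    is refused.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def load_bookmarks_restricted(data):
    return _NoGlobalsUnpickler(io.BytesIO(data)).load()


def is_rejected(loader, data):
    """True if the loader refuses the bytes instead of returning a value."""
    try:
        loader(data)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_bookmark_file()
    print("unsafe loader returned:", load_bookmarks_unsafe(evil))
    print("side effect observed:", EXECUTED)
    print("restricted loader rejects it:", is_rejected(load_bookmarks_restricted, evil))
    print("json loader rejects it:", is_rejected(load_bookmarks_safe, evil))
    print("legit pickle via restricted loader:",
          load_bookmarks_restricted(build_legit_bookmark_file()))
```

The restricted unpickler is only a stopgap for existing pickled files: it blocks the code-execution primitive but still trusts the pickle virtual machine's parser on hostile input, so migrating the format to JSON (with a validation step like the one shown) is the fix a reviewer would want to see in the patch.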

