Re: calibre / CVE-2018-7889

Brian May <firstname.lastname@example.org> writes:

> Won't this break existing installs by making existing data inaccessible?

Maybe not. If I am reading the code correctly, for bookmarks this only
affects imports/exports. Not the datastore for bookmarks.

Possibly the same for the metadata.db data too, although as far as I can
tell, CVE-2018-7889 doesn't actually cover this vulnerability. Not sure
there is a CVE for this however.

As far as I can tell, the upstream patch for CVE-2018-7889 has changes
that aren't related to the security issue. Or it could be a fix for the
metadata.db issue, but if so I am completely confused because it doesn't
actually appear to touch the vulnerable call to cPickle.

Brian May <email@example.com>