Re: calibre / CVE-2018-7889
On 2018-04-10 17:28:26, Brian May wrote:
> If I understand the upstream patch correctly, this replaces pickle with
> json for bookmarks and metadata information. It looks like this patch
> was applied to sid.
>
> Won't this break existing installs by making existing data inaccessible?
>
> Maybe we don't have much choice in the matter however. Any automatic
> conversion tool is likely to have the same vulnerability we are
> attempting to resolve.
I would personally suggest removing calibre from LTS-supported packages
completely. I'm an occasional Calibre user and I almost exclusively rely
on backports to do anything. I would assume that most people use Calibre
to talk to ebook readers (although that might not be a fair assumption),
which are frequently updated, even in older devices. Even in stretch
right now I built an unpublished backport from testing to get it to talk
with my Kobo.
So long story short, the package is not requested by sponsors and I
would be very surprised if anyone was running the actual version that is
in wheezy (0.8.51!). If anything, people on wheezy are more likely to
run the version from wheezy-backports which is also seriously outdated
(1.22, not present in any other suite).
So I would propose:
1. removing the package from dla-needed.txt
2. adding the package as unsupported in debian-security-support
3. (do we send end-of-life announcements to debian-lts-announce when we
do that?)
That said, I haven't looked at the details of the patch, but metadata
information is constantly rewritten by calibre. I've always considered
it was disposable data that Calibre regenerates on a whim.
Besides, my feeling with Calibre is that it is a security liability: it
has a fairly "interesting" history, shipping a suid helper that (if I
remember correctly) could be abused for local arbitrary code execution,
for example. I would be wary of any untrusted data input into Calibre,
in general. I'm personally looking for alternatives to manage my media
library at this point.
A.
--
We build our computer (systems) the way we build our cities: over
time, without a plan, on top of ruins.
- Ellen Ullman
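Brian's concern above, that any migration tool would itself have to unpickle the old data and so inherit the same deserialization risk, can be addressed with a loader that refuses to resolve any global. The following is an added example, not calibre's code or the upstream patch; the bookmark-like dict is constructed and does not reflect calibre's real on-disk format.

```python
import io
import json
import pickle

class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals, so no class or callable
    can ever be looked up or invoked while loading."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def _assert_json_shaped(obj):
    """Allow only values that map 1:1 onto JSON; reject anything else
    (sets, bytes, non-str dict keys) rather than guessing a conversion."""
    if obj is None or isinstance(obj, (bool, int, float, str)):
        return
    if isinstance(obj, (list, tuple)):
        for item in obj:
            _assert_json_shaped(item)
        return
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str):
                raise TypeError(f"non-string dict key {key!r}")
            _assert_json_shaped(value)
        return
    raise TypeError(f"unexpected type {type(obj).__name__} in legacy data")

def convert_legacy_pickle_to_json(data: bytes) -> str:
    """Load legacy pickled state without executing anything, then emit JSON."""
    obj = PrimitiveOnlyUnpickler(io.BytesIO(data)).load()
    _assert_json_shaped(obj)
    return json.dumps(obj, sort_keys=True)

# Constructed sample resembling bookmark/metadata state (not calibre's format).
LEGACY = pickle.dumps(
    {"title": "Example", "bookmarks": [{"pos": 42, "name": "ch 2"}]}, protocol=2)
# A pickle referencing a global (the harmless builtin len) stands in for any
# stream that tries to instantiate something: it is rejected before resolution.
WITH_GLOBAL = pickle.dumps(len, protocol=2)

def demo():
    converted = convert_legacy_pickle_to_json(LEGACY)
    try:
        convert_legacy_pickle_to_json(WITH_GLOBAL)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return converted, rejected
```

Existing data that is plain dicts, lists and scalars converts cleanly; anything that needs a class to rebuild is refused, which is the property a one-shot migration tool wants.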