
Re: calibre / CVE-2018-7889



On 2018-04-10 17:28:26, Brian May wrote:
> If I understand the upstream patch correctly, this replaces pickle with
> json for bookmarks and metadata information. It looks like this patch
> was applied to sid.
>
> Won't this break existing installs by making existing data inaccessible?
>
> Maybe we don't have much choice in the matter however. Any automatic
> conversion tool is likely to have the same vulnerability we are
> attempting to resolve.

I would personally suggest removing calibre from LTS-supported packages
completely. I'm an occasional Calibre user and I almost exclusively rely
on backports to do anything. I would assume that most people use Calibre
to talk to ebook readers (although that might not be a fair assumption),
which are frequently updated, even in older devices. Even in stretch
right now I built an unpublished backport from testing to get it to talk
with my Kobo.

So long story short, the package is not requested by sponsors and I
would be very surprised if anyone was running the actual version that is
in wheezy (0.8.51!). If anything, people on wheezy are more likely to
run the version from wheezy-backports which is also seriously outdated
(1.22, not present in any other suite).

So I would propose:

 1. removing the package from dla-needed.txt

 2. adding the package as unsupported in debian-security-support

 3. (do we send end-of-life announcements to debian-lts-announce when we
 do that?)

That said, I haven't looked at the details of the patch, but metadata
information is constantly rewritten by calibre. I've always considered
it was disposable data that Calibre regenerates on a whim.

Besides, my feeling with Calibre is that it is a security liability: it
has a fairly "interesting" history, shipping a suid helper that (if I
remember correctly) could be abused for local arbitrary code execution,
for example. I would be wary of any untrusted data input into Calibre,
in general. I'm personally looking for alternatives to manage my media
library at this point.

A.

-- 
We build our computer (systems) the way we build our cities: over
time, without a plan, on top of ruins.
                        - Ellen Ullman
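The quoted worry above is that a pickle-to-json migration tool would itself have to unpickle untrusted data. As an added illustration (not calibre's code, and the bookmark record layout below is constructed, not calibre's real format), this shows the standard mitigation: a restricted Unpickler that loads only plain data and refuses any reference to a module-level global before the converter writes JSON.

```python
import io
import json
import pickle
from typing import Tuple

# Globals a plain bookmark/metadata record may legitimately reference.
# Everything else (classes, functions) is refused before it can run.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; refuse all others.

    dict/list/tuple/str/int/etc. use dedicated opcodes and never reach
    find_class, so ordinary data still loads. A pickle that names a class
    or function is rejected here, which is the point at which a crafted
    pickle would otherwise start executing code.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def convert_pickle_to_json(raw: bytes) -> str:
    """Convert a legacy pickle blob to JSON via the restricted loader."""
    data = RestrictedUnpickler(io.BytesIO(raw)).load()
    # default=list serialises an allow-listed set as a JSON array.
    return json.dumps(data, default=list, sort_keys=True)


# Constructed sample record (hypothetical layout, not calibre's format).
LEGACY_BOOKMARK = pickle.dumps({"title": "Example", "pos": 42, "tags": ["a", "b"]})

# Constructed sample that merely references a global (builtins.len);
# no payload is built, the reference alone must trip the guard.
GLOBAL_REFERENCE = pickle.dumps(len)


def demo() -> Tuple[str, bool]:
    converted = convert_pickle_to_json(LEGACY_BOOKMARK)
    try:
        convert_pickle_to_json(GLOBAL_REFERENCE)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return converted, rejected
```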
