
Re: calibre / CVE-2018-7889

On 2018-04-10 17:28:26, Brian May wrote:
> If I understand the upstream patch correctly, this replaces pickle with
> json for bookmarks and metadata information. It looks like this patch
> was applied to sid.
> Won't this break existing installs by making existing data inaccessible?
> Maybe we don't have much choice in the matter however. Any automatic
> conversion tool is likely to have the same vulnerability we are
> attempting to resolve.

I would personally suggest removing calibre from LTS-supported packages
completely. I'm an occasional Calibre user and I almost exclusively rely
on backports to do anything. I would assume that most people use Calibre
to talk to ebook readers (although that might not be a fair assumption),
which are frequently updated, even in older devices. Even in stretch
right now I built an unpublished backport from testing to get it to talk
with my Kobo.

So long story short, the package is not requested by sponsors and I
would be very surprised if anyone was running the actual version that is
in wheezy (0.8.51!). If anything, people on wheezy are more likely to
run the version from wheezy-backports which is also seriously outdated
(1.22, not present in any other suite).

So I would propose:

 1. removing the package from dla-needed.txt

 2. adding the package as unsupported in debian-security-support

 3. (do we send end-of-life announcements to debian-lts-announce when we
 do that?)

That said, I haven't looked at the details of the patch, but metadata
information is constantly rewritten by calibre. I've always considered
it disposable data that Calibre regenerates on a whim.

Besides, my feeling with Calibre is that it is a security liability: it
has a fairly "interesting" history, shipping a suid helper that (if I
remember correctly) could be abused for local arbitrary code execution,
for example. I would be wary of any untrusted data input into Calibre,
in general. I'm personally looking for alternatives to manage my media
library at this point.


We build our computer (systems) the way we build our cities: over
time, without a plan, on top of ruins.
                        - Ellen Ullman
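The thread discusses replacing pickle with JSON for bookmark and metadata files and asks whether an automatic conversion tool would carry the same deserialization risk. The following is an added example, not code from calibre or from the upstream patch, showing the defender-side shape of such a migration in Python: a JSON-only loader for the new format, plus a one-shot converter whose unpickler refuses every global reference, so a legacy file that only ever held plain data still converts while anything that would import a module is rejected. The record layout (a title and a position) and the sample bytes are constructed here and are not calibre's actual format.

```python
import collections
import io
import json
import pickle
from typing import Any

# Scalar types that map 1:1 onto JSON; everything else must be a list/dict of these.
SCALARS = (str, int, float, bool, type(None))


class PlainDataUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL reference.

    Pickles of plain containers and scalars never call find_class(), so a
    legacy file holding only such data still loads. Any pickle that asks to
    resolve module.name (the step that can lead to code execution) raises.
    """

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(
            f"refused to resolve {module}.{name} while loading legacy data")


def to_plain(obj: Any) -> Any:
    """Return a JSON-compatible copy of obj (tuples become lists) or raise TypeError."""
    if isinstance(obj, SCALARS):
        return obj
    if isinstance(obj, (list, tuple)):
        return [to_plain(v) for v in obj]
    if isinstance(obj, dict):
        for key in obj:
            if not isinstance(key, SCALARS):
                raise TypeError(f"unsupported key type {type(key).__name__}")
        return {k: to_plain(v) for k, v in obj.items()}
    raise TypeError(f"unsupported value type {type(obj).__name__}")


def convert_legacy_pickle(data: bytes) -> str:
    """One-shot migration: legacy pickle bytes -> JSON text, refusing globals."""
    obj = PlainDataUnpickler(io.BytesIO(data)).load()
    return json.dumps(to_plain(obj), sort_keys=True)


def load_bookmarks(raw: bytes) -> Any:
    """New-format loader: JSON only. Raw pickle bytes raise ValueError here
    (UnicodeDecodeError / JSONDecodeError are both ValueError subclasses)."""
    return to_plain(json.loads(raw.decode("utf-8")))


def conversion_is_refused(data: bytes) -> bool:
    """True if the converter rejects data because it references a global."""
    try:
        convert_legacy_pickle(data)
    except pickle.UnpicklingError:
        return True
    return False


def json_loader_refuses(raw: bytes) -> bool:
    """True if the JSON-only loader rejects raw (e.g. legacy pickle bytes)."""
    try:
        load_bookmarks(raw)
    except ValueError:
        return True
    return False


# Constructed sample data (hypothetical record layout, not calibre's format).
LEGACY_OK = pickle.dumps({"title": "Sample Book", "position": (3, 120)}, protocol=2)
# A benign object whose pickle references a global (collections.OrderedDict);
# the converter refuses it, which is the intended behaviour for the migration.
LEGACY_WITH_GLOBAL = pickle.dumps(collections.OrderedDict(title="x"), protocol=2)

if __name__ == "__main__":
    converted = convert_legacy_pickle(LEGACY_OK)
    print(converted)
    print(load_bookmarks(converted.encode("utf-8")))
    print("global refused:", conversion_is_refused(LEGACY_WITH_GLOBAL))
    print("pickle rejected by JSON loader:", json_loader_refuses(LEGACY_OK))
```

The converter is meant to be run once, offline, over files the user already has; after that only `load_bookmarks` is wired into the application, so the pickle code path disappears entirely rather than remaining reachable behind a fallback.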
