Re: calibre / CVE-2018-7889
Antoine Beaupré <email@example.com> writes:
> I would personnally suggest removing calibre from LTS-supported packages
> completely. I'm an occasional Calibre user and I almost exclusively rely
> on backports to do anything. I would assume that most people use Calibre
> to talk to ebook readers (although that might not be a fair assumption),
> which are frequently updated, even in older devices. Even in stretch
> right now I built an unpublished backport from testing to get it talk
> with my Kobo.
> So long story short, the package is not requested by sponsors and I
> would be very surprised if anyone was running the actual version that is
> in wheezy (0.8.51!). If anything, people on wheezy are more likely to
> run the version from wheezy-backports which is also seriously outdated
> (1.22, not present in any other suite).
My personal (shortsighted?) view is I tend to think of packages like
calibre as desktop applications, and desktop users are probably not
really the target for LTS.
> So I would propose:
> 1. removing the package from dla-needed.txt
> 2. adding the package as unsupported in debian-security-support
> 3. (do we send end-of-life announcements to debian-lts-announce when we
> do that?)
Sounds good to me. Anyone have any objections?
I don't think we do 3, at least I don't remember ever seeing anything
> That said, I haven't looked at the details of the patch, but metadata
> information is constantly rewritten by calibre. I've always considered
> it was disposable data that Calibre regenerates on a whim.
Ok, this eases some of my concerns.
> Besides, my feeling with Calibre is that it is a security liability: it
> has a fairly "interesting" history, shipping a suid helper that (if i
> remember correctly) could be abused for local arbitrary code execution,
> for example. I would be weary of any untrusted data input into Calibre,
> in general. I'm personally looking for alternatives to manage my media
> library at this point.
I wasn't aware it needed a suid helper. In any case, sounds like a good
argument for moving calibre to the not supported list.
(if you do find a good alternative, I would be interested as well...)
Brian May <firstname.lastname@example.org>