Re: calibre / CVE-2018-7889

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> I would personally suggest removing calibre from LTS-supported packages
> completely. I'm an occasional Calibre user and I almost exclusively rely
> on backports to do anything. I would assume that most people use Calibre
> to talk to ebook readers (although that might not be a fair assumption),
> which are frequently updated, even in older devices. Even in stretch
> right now I built an unpublished backport from testing to get it to talk
> with my Kobo.
> So long story short, the package is not requested by sponsors and I
> would be very surprised if anyone was running the actual version that is
> in wheezy (0.8.51!). If anything, people on wheezy are more likely to
> run the version from wheezy-backports which is also seriously outdated
> (1.22, not present in any other suite).

My personal (shortsighted?) view is I tend to think of packages like
calibre as desktop applications, and desktop users are probably not
really the target for LTS.

> So I would propose:
>  1. removing the package from dla-needed.txt
>  2. adding the package as unsupported in debian-security-support
>  3. (do we send end-of-life announcements to debian-lts-announce when we
>  do that?)

Sounds good to me. Anyone have any objections?

I don't think we do 3, at least I don't remember ever seeing anything
like that.

> That said, I haven't looked at the details of the patch, but metadata
> information is constantly rewritten by calibre. I've always considered
> it was disposable data that Calibre regenerates on a whim.

Ok, this eases some of my concerns.

> Besides, my feeling with Calibre is that it is a security liability: it
> has a fairly "interesting" history, shipping a suid helper that (if I
> remember correctly) could be abused for local arbitrary code execution,
> for example. I would be wary of any untrusted data input into Calibre,
> in general. I'm personally looking for alternatives to manage my media
> library at this point.

I wasn't aware it needed a suid helper. In any case, sounds like a good
argument for moving calibre to the not supported list.

(if you do find a good alternative, I would be interested as well...)
Brian May <bam@debian.org>