
Re: calibre / CVE-2018-7889
On 2018-04-12 10:17:25, Raphael Hertzog wrote:
> Hi,
>
> On Wed, 11 Apr 2018, Antoine Beaupré wrote:
>>  1. removing the package from dla-needed.txt
>>  2. adding the package as unsupported in debian-security-support
>>  3. (do we send end-of-life announcements to debian-lts-announce when we
>>  do that?)
>
> It's easy to mark packages as unsupported and to find many reasons to
> justify this choice but we should refrain from doing so. This is
> a last-resort decision and I don't think it's really warranted here.
>
> We have a patch for the bookmark handling, let's just apply it. The
> other issue about metadata can probably be ignored because it requires
> the user to upload a malicious file as metadata associated with one
> of their books... and it's not like the malicious file could be hidden
> as a modified cover picture or something like this.
>
> We're not short on time, let's handle it properly. While our sponsors
> are mainly companies interested in server software, we strive to support
> all packages and I have heard multiple times stories of desktop users who
> are happy to continue to run what's in their old release.

My concern is that this also applies to the on-disk metadata and that no
one actually dared to look into that specifically.

Of course, all this implies the user loads malicious metadata from the
network, which is not the typical use case. But then this begs the
question of what happens when you load an actual ebook from the network,
and I shiver to think I'm doing that fairly often. ;)

But you're right, maybe we can just patch that out for now. It just
seems the version in calibre is really, really old and I doubt anyone is
actually using it. But I could be wrong!

A.

-- 
Never underestimate the bandwidth of a station wagon full of tapes
hurtling down the highway.
                        - Andrew S. Tanenbaum, "Computer Networks"
