
Re: calibre / CVE-2018-7889



On 2018-04-16 17:12:03, Brian May wrote:
> Antoine Beaupré <anarcat@orangeseeds.org> writes:
>
>> But you're right, maybe we can just patch that out for now. It just
>> seems the version in calibre is really, really old and I doubt anyone is
>> actually using it. But I could be wrong!
>
> I am looking at this now. https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
>
> Antoine: Do you think any of the changes to
> src/pyj/book_list/edit_metadata.pyj are required for the security fix? I
> am struggling to understand how these changes relate to the rest of the
> pull request.

[...]

> Also not really convinced the change to code.py, which appears to sort
> something, is really required.
>
> Neither code.py nor edit_metadata.pyj exist in wheezy.

Those do look completely unrelated...

On 2018-04-16 17:30:51, Brian May wrote:
> Brian May <bam@debian.org> writes:
>
>> The remaining file, bookmarkmanager.py fails to apply any hunks, but
>> might be possible to apply some bits manually.
>
> Also noted that the change replaces the "open" calls with "lopen" calls,
> which is just an alias for a locally defined "local_open" call (as far
> as I can see).
>
> Guessing I probably should skip this change too...

For what it's worth, this is "local_open":

https://github.com/kovidgoyal/calibre/blob/565073136200e05e65e785af478339e40c2bb3eb/src/calibre/startup.py#L112

Extract:

    # local_open() opens a file that wont be inherited by child processes

I don't see how that would change anything in this context especially
since `lopen` is in a context manager, which means the file is closed
before any child process could possibly be executed.

A.
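
Added example (not part of the original message, and not calibre's code): a POSIX-only check of the two mechanisms discussed above, a close-on-exec descriptor and a descriptor closed by a `with` block before any child is spawned. The helper names and the temporary file are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Child program: exit 0 if the descriptor number in argv[1] is open, else 1.
CHILD = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)


def child_sees(fd):
    """Spawn a child with close_fds=False and report whether fd is open in it."""
    cmd = [sys.executable, "-c", CHILD, str(fd)]
    return subprocess.call(cmd, close_fds=False) == 0


def demo():
    """Return, per scenario, whether a spawned child inherits the descriptor."""
    results = {}
    with tempfile.NamedTemporaryFile() as tmp:  # constructed sample file
        path = tmp.name

        # Python 3.4+ opens descriptors non-inheritable by default (PEP 446),
        # so the inheritable flag is set explicitly to model a plain open().
        fd = os.open(path, os.O_RDONLY)
        os.set_inheritable(fd, True)
        results["inheritable, held open"] = child_sees(fd)

        # Same descriptor marked close-on-exec: what the quoted comment
        # says local_open() provides.
        os.set_inheritable(fd, False)
        results["close-on-exec, held open"] = child_sees(fd)
        os.close(fd)

        # Inheritable descriptor, but the with block closes it before the
        # child is spawned, so there is nothing left to inherit.
        with open(path, "rb") as f:
            fd = f.fileno()
            os.set_inheritable(fd, True)
        results["inheritable, closed by with"] = child_sees(fd)
    return results


if __name__ == "__main__":
    for scenario, inherited in demo().items():
        print(f"{scenario}: child sees fd = {inherited}")
```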

