
Re: calibre / CVE-2018-7889



I have a version available for testing:
https://people.debian.org/~bam/debian/pool/main/c/calibre/

I tried to test it myself, but in the short time I had available I couldn't
find how to reach the export-bookmarks or import-bookmarks functions from
the UI.

Attached is the debdiff patch.
-- 
Brian May <bam@debian.org>
diff -Nru calibre-0.8.51+dfsg1/debian/changelog calibre-0.8.51+dfsg1/debian/changelog
--- calibre-0.8.51+dfsg1/debian/changelog	2017-03-14 17:36:04.000000000 +1100
+++ calibre-0.8.51+dfsg1/debian/changelog	2018-04-16 17:39:37.000000000 +1000
@@ -1,3 +1,9 @@
+calibre (0.8.51+dfsg1-0.1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+
+ -- Brian May <bam@debian.org>  Mon, 16 Apr 2018 17:39:37 +1000
+
 calibre (0.8.51+dfsg1-0.1+deb7u1) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS Team.
diff -Nru calibre-0.8.51+dfsg1/debian/patches/0006-CVE-2018-7889.patch calibre-0.8.51+dfsg1/debian/patches/0006-CVE-2018-7889.patch
--- calibre-0.8.51+dfsg1/debian/patches/0006-CVE-2018-7889.patch	1970-01-01 10:00:00.000000000 +1000
+++ calibre-0.8.51+dfsg1/debian/patches/0006-CVE-2018-7889.patch	2018-04-16 17:38:28.000000000 +1000
@@ -0,0 +1,50 @@
+From: Brian May <bam@debian.org>
+Date: Mon, 16 Apr 2018 17:33:39 +1000
+Subject: CVE-2018-7889
+
+Origin: https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
+---
+ src/calibre/gui2/viewer/bookmarkmanager.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/calibre/gui2/viewer/bookmarkmanager.py b/src/calibre/gui2/viewer/bookmarkmanager.py
+index c3686bd..ce7c98a 100644
+--- a/src/calibre/gui2/viewer/bookmarkmanager.py
++++ b/src/calibre/gui2/viewer/bookmarkmanager.py
+@@ -3,7 +3,7 @@ from __future__ import with_statement
+ __license__   = 'GPL v3'
+ __copyright__ = '2009, John Schember <john@nachtimwald.com>'
+ 
+-import cPickle, os
++import json, os
+ 
+ from PyQt4.Qt import Qt, QDialog, QAbstractTableModel, QVariant, SIGNAL, \
+     QModelIndex, QInputDialog, QLineEdit, QFileDialog
+@@ -51,22 +51,22 @@ class BookmarkManager(QDialog, Ui_BookmarkManager):
+ 
+     def export_bookmarks(self):
+         filename = QFileDialog.getSaveFileName(self, _("Export Bookmarks"),
+-                '%s%suntitled.pickle' % (os.getcwdu(), os.sep),
+-                _("Saved Bookmarks (*.pickle)"))
++                '%s%suntitled.calibre-bookmarks' % (os.getcwdu(), os.sep),
++                _("Saved Bookmarks (*.calibre-bookmarks)"))
+         if filename == '':
+             return
+ 
+         with open(filename, 'w') as fileobj:
+-            cPickle.dump(self._model.bookmarks, fileobj)
++            fileobj.write(json.dumps(self._model.bookmarks, indent=True))
+ 
+     def import_bookmarks(self):
+-        filename = QFileDialog.getOpenFileName(self, _("Import Bookmarks"), '%s' % os.getcwdu(), _("Pickled Bookmarks (*.pickle)"))
++        filename = QFileDialog.getOpenFileName(self, _("Import Bookmarks"), '%s' % os.getcwdu(), _("Pickled Bookmarks (*.calibre-bookmarks)"))
+         if filename == '':
+             return
+ 
+         imported = None
+         with open(filename, 'r') as fileobj:
+-            imported = cPickle.load(fileobj)
++            imported = json.load(fileobj)
+ 
+         if imported != None:
+             bad = False
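Review bot: The import dialog's filter label on the new getOpenFileName line still reads "Pickled Bookmarks" even though the file is now parsed with `json.load`; change it to `_("Saved Bookmarks (*.calibre-bookmarks)")` so it matches the export filter and stops advertising the old pickle format. The validation that follows `bad = False` is outside the hunk and should be re-checked against JSON's types, since json.load yields lists and unicode strings where cPickle would have restored the original Python objects, which could presumably make a previously valid file fail the check. Because the extension also changed, bookmarks exported by earlier releases as untitled.pickle can no longer be imported; if that matters for the LTS update, the changelog entry at the top of the debdiff (which currently does not name CVE-2018-7889 at all) is the place to say so. `json.load` raises ValueError on a file that is not JSON, and nothing in the visible hunk handles it. Both export_bookmarks and import_bookmarks continue past the end of the hunk.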
diff -Nru calibre-0.8.51+dfsg1/debian/patches/series calibre-0.8.51+dfsg1/debian/patches/series
--- calibre-0.8.51+dfsg1/debian/patches/series	2017-03-14 17:29:33.000000000 +1100
+++ calibre-0.8.51+dfsg1/debian/patches/series	2018-04-16 17:39:31.000000000 +1000
@@ -8,3 +8,4 @@
 manpages-installation.patch
 disable_plugins.py
 use-system-feedparser.patch
+0006-CVE-2018-7889.patch
