
Re: calibre / CVE-2018-7889



On 2018-04-18 17:14:33, Brian May wrote:
> I have a version available for testing:
> https://people.debian.org/~bam/debian/pool/main/c/calibre/
>
> I tried to test it myself, but I couldn't find how to start the export
> bookmarks or import bookmarks functions from the UI in the short time I
> had available.

I'm not sure where that happens. The only thing I could find in a recent
Calibre install is in "Books -> Export/import all Calibre
data". Presumably that also imports bookmarks and so on.

The only problem I can see with this patch is if someone made a backup
of their Calibre metadata in .pickle and is trying to import it back
again as JSON: this will fail, obviously. So there's clearly a
backwards-compatibility concern here.

Maybe we should state explicitly in the advisory that people need to
re-export their backups before doing this upgrade?

Otherwise the patch looks sound.

A.
-- 
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
                        - Brian W. Kernighan
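
An added illustration of the backwards-compatibility concern raised in the message above (not part of the original message or of the Calibre patch): a JSON-only importer that recognises a legacy pickle backup and refuses it with a clear message instead of unpickling it. The function names and the bookmark structure are assumptions made for the example.

```python
import json
import pickle  # used only to BUILD the constructed legacy samples; never to load


class LegacyPickleBackup(ValueError):
    """The input looks like a pre-upgrade pickle export."""


def looks_like_pickle(data: bytes) -> bool:
    # Binary pickles (protocol 2 and later) start with the PROTO opcode 0x80
    # followed by the protocol number. Protocol 0/1 pickles have no such
    # header and are caught by the JSON parser below instead.
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5


def load_bookmarks(data: bytes) -> list:
    """Parse exported bookmarks as JSON only. Never calls pickle.load(s)."""
    if looks_like_pickle(data):
        raise LegacyPickleBackup(
            "this backup is in the old pickle format; re-export it as JSON "
            "from the version that created it"
        )
    try:
        doc = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("not a JSON bookmarks file") from exc
    # Accept only the plain shape we expect (hypothetical: a list of dicts).
    if not isinstance(doc, list) or not all(isinstance(b, dict) for b in doc):
        raise ValueError("unexpected bookmarks structure")
    return doc


# Constructed sample data (hypothetical bookmark fields).
SAMPLE = [{"title": "Chapter 3", "pos": "epubcfi(/6/8!/4/2)"}]
JSON_EXPORT = json.dumps(SAMPLE).encode("utf-8")
PICKLE_EXPORT = pickle.dumps(SAMPLE, protocol=2)      # legacy binary backup
PICKLE_TEXT_EXPORT = pickle.dumps(SAMPLE, protocol=0)  # legacy text backup

if __name__ == "__main__":
    print(load_bookmarks(JSON_EXPORT))
    for blob in (PICKLE_EXPORT, PICKLE_TEXT_EXPORT):
        try:
            load_bookmarks(blob)
        except ValueError as exc:
            print(type(exc).__name__, "-", exc)
```
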

